Case Notes

This case relates to DPP4 - Security of personal data

Case No.: 2007A01

Complainant's duty to establish a valid complaint

Under s.37(1)(b)(iii) of the Ordinance, a complainant has a duty to submit prima facie evidence to show that the party complained against could have contravened a requirement under the Ordinance. The Privacy Commissioner is not under an absolute duty to make enquiries with the party complained against in all cases.

Alleged breach of DPP4 - complainant's duty to establish a valid complaint - Privacy Commissioner may or may not make enquiry with the party complained against - section 37(1)(b)(iii)

The complaint

The complainant enrolled on a course jointly organized by an institute "A" in Hong Kong and a university "B" in the mainland and was registered as a student of A and B separately. Upon graduation, the complainant found that a list of graduates of the course, including the complainant's name and address, had been disclosed by an anonymous user on an Internet discussion board. The complainant complained against A for breach of Data Protection Principle 4.

Findings by the Privacy Commissioner

Upon enquiry with the complainant, the Privacy Commissioner found that: (i) the website on which the list of graduates was disclosed was registered in the mainland; (ii) the list disclosed contained not only graduates of the course jointly organized by A and B, but also graduates of other courses organized by B; (iii) there was no evidence suggesting that A would keep personal data of B's graduates; (iv) while A denied that the leakage originated from its database, B apologised to the complainant for the leakage; and (v) the relationship between the anonymous user and A, if any, was unknown. The Privacy Commissioner did not make enquiries with A or B.

Having considered all the evidence supplied by the complainant and all the circumstances, the Privacy Commissioner decided that there was no prima facie evidence that A was in breach of DPP4 by failing to take all practicable steps to ensure that the complainant's personal data held by A were protected against unauthorized or accidental access, processing, erasure or other use. The Privacy Commissioner, therefore, decided not to carry out an investigation pursuant to s.39(2)(d) of the Ordinance. The complainant appealed.

The appeal

The Board confirmed that, under s.37(1)(b)(iii) of the Ordinance, a complainant has a duty to submit sufficient prima facie evidence to show that there may be a contravention of a requirement under the Ordinance, and the Privacy Commissioner is not under an absolute duty to make enquiries with the party complained against in all cases.

The Board agreed with the Privacy Commissioner that there was no evidence which might suggest that the complainant's personal data disclosed on the Internet originated from A's database. In the circumstances, the complainant had failed to establish that A could have contravened the requirement under the Ordinance.

AAB's decision

The appeal was dismissed.
