Skip to content

Case Notes

Case Notes

This case related to DPP3 - Use of personal data

Case No.:2009A14

In construing the wordings in section 50 of the Ordinance as to the circumstances whether the contravention is likely to repeat or continue in future, a purposive approach should be adopted.

In construing the wordings in section 50 of the Ordinance as to the circumstances whether the contravention is likely to repeat or continue in future, a purposive approach should be adopted. The legislative intent is to empower the Privacy Commissioner to provide effective remedy to reduce the likelihood of repetition of the contravention.

An insurance company’s agent disclosed the details of the complainant’s insurance policy during an internal training session – the insurance agent’s act contravened Data Protection Principle 3 – the Privacy Commissioner found that the contravention is likely to repeat and therefore issued an Enforcement Notice against the insurance company – the insurance company argued whether the contravention is an isolated incident or is likely to repeat – Section 50(1)(b) of the Ordinance and Data Protection Principle 3

The Complaint
The complainant was an ex-agent of an insurance company. She complained that her senior was in breach of Data Protection Principle 3 (“DPP3”) by disclosing the personal data of hers and her family members (being details of their respective insurance policies) when discussing malpractice with the other insurance agents during an internal training session. Throughout the Privacy Commissioner’s investigation, the insurance company denied its liability and contravention.

Findings by Privacy Commissioner

After investigation, the Privacy Commissioner found that the insurance company has contravened DPP3 and that such contravention is likely to repeat or continue in future. The Privacy Commissioner therefore issued an Enforcement Notice against the insurance company under section 50 of the Ordinance. The insurance company was directed to revise its internal rules and guidelines to give specific guidance to its agents in handling personal data for training purpose. The insurance company was dissatisfied with the Privacy Commissioner’s decision and appealed to the Administrative Appeals Board (“AAB”).

The Appeal

The insurance company argued that the contravention was merely an isolated incident and that its existing guidelines, training materials designed in general terms and the disciplinary sanction in place would be reasonably sufficient to prevent similar contravention from occurring.

As to the likelihood of repetition of contravention, the AAB pointed out that in construing section 50(1)(b) of the Ordinance, a purposive approach should be adopted and that the legislative intent was to empower the Privacy Commissioner to provide effective remedy to reduce the likelihood of repetition of the contravention. The Privacy Commissioner was therefore entitled to consider all the circumstances to see if there was any deficiency in the data user’s practice and procedure of handling personal data. If there was such deficiency and which had contributed to the contravention, the Privacy Commissioner had to consider if there was any effective remedy to reduce the likelihood of repetition. If there was such remedy, the Privacy Commissioner was entitled to find that the contravention be likely to repeat without the steps he directed to take. Furthermore, the AAB took the view that the steps directed by the Privacy Commissioner in the Enforcement Notice could provide a simple and ready remedy to reduce the likelihood of repeating the contravention in training sessions and thus the Privacy Commissioner was entitled to issue the same.

AAB's decision

The appeal was dismissed.

uploaded on web in February 2012


Category : Provisions/DPPs/COPs/Guidelines : Topic/Subject Matter :