Case Notes

This case related to DPP4 - Security of personal data

Case No.: 2013C06

A solicitor and a law firm had failed to take adequate measures to safeguard the personal data contained in legal documents against unauthorised access when sending the legal documents by fax

The Complaint

Summary of Facts

The Complainant worked in an insurance company (the “Insurance Company”) and he set up his private business (the “Private Company”) with his friend (the “Solicitor”), who was a consultant of a law firm (the “Firm”). Later on, shareholders’ disputes arose between the Complainant and the Solicitor. The Solicitor instructed the Firm to act as her legal representative in her disputes with the Complainant (the “Dispute Case”). One day, the Firm faxed to the Complainant a set of legal documents (the “Documents”) which contained his appointment date as the Private Company’s director and his shareholdings in the Private Company (collectively, the “Data”) via a fax number (the “Fax Number”) of the Insurance Company.

The Complainant alleged that the Fax Number was a private fax number of the Chief Executive Officer (the “CEO”) of the Insurance Company and that he later learnt that the Documents had been delivered to the CEO. He therefore lodged a complaint with this Office against the Firm and the Solicitor for disclosing the Data without his consent.

Information provided by the Firm

The Firm confirmed that sending legal documents containing personal data to a fax number, which would enable persons other than the intended recipient to have sight or easy access to the documents, contravened its policy. It had reminded its solicitors of such policy during internal meetings but it did not issue any written policy.

The Firm claimed that the Solicitor was not its employee. The Solicitor was a consultant of the Firm who handled the Dispute Case single-handedly, including drafting, signing, sending and faxing the Documents to the Complainant. The Firm claimed ignorance of the incident before receipt of the inquiry letter from this Office. It denied any wrongdoing by its staff members.

Information provided by the Solicitor

The Solicitor claimed that she had attempted to serve the Documents personally on the Complainant at the Insurance Company’s address and the Private Company’s office address. However, the Complainant had refused to accept service at both addresses. In the circumstances she had no alternative but to instruct the Firm to fax the Documents to the Complainant. The Solicitor added that a solicitor-client relationship subsisted between the Firm and herself, and that the Documents were issued and sent by the Firm on her behalf.

The Solicitor also stated that she had obtained the Fax Number by searching the Internet and that it was the general fax number of the Insurance Company.

Outcome

The data user

The Commissioner considered that the Solicitor played a vital part in the handling of the Dispute Case in her capacity as a consultant of the Firm. Moreover, since the Solicitor was the client of the Firm in the Dispute Case, she had a personal interest in collecting the Fax Number from the Internet and sending the Documents through the Fax Number. In the circumstances, the Solicitor had control over the handling of the Complainant’s personal data contained in the Documents and the service thereof. Accordingly, she qualifies as a “data user” under the Ordinance.

The Firm confirmed that it had acted for the Solicitor in respect of the Private Company which had its own business purpose to send in the conduct of the Dispute Case. The Firm had control over the handling of the Complainant’s personal data and the service of the Documents through its consultant, the Solicitor. Accordingly, the Firm is also a “data user” in relation to the Data.

Contravention of DPP 4

Service by fax is not an acceptable mode of service in legal proceedings, whereas sending the Documents by ordinary post or registered post is acceptable.

The Commissioner found no information to suggest that the Solicitor had taken any measure to ensure secure transmission of the Documents to the Complainant. Although the Solicitor claimed that the Fax Number was a general fax number of the Insurance Company rather than the private fax number of the CEO, it is obvious that the Fax Number was neither a secure nor a private fax line for communication between the Complainant and the Solicitor, and the Complainant had not requested her to fax the Documents to the Fax Number. Additionally, the Documents were not marked “private and confidential”. In the circumstances, the Solicitor should reasonably have foreseen that this mode of service would enable persons in the Insurance Company other than the Complainant to have unrestricted access to the Documents.

The aforesaid act of the Solicitor was done in the capacity of the Firm’s consultant in handling the Dispute Case. Pursuant to section 65(2) of the Ordinance, the act done by the Solicitor was treated as done by the Firm. Accordingly, the Firm is liable for the act done by the Solicitor in the present complaint.

Additionally, the Firm admitted that it had no written policy on sending legal documents containing personal data and merely gave verbal reminders to its solicitors during internal meetings. In the circumstances, the Firm as the data user had not taken adequate measures to ensure that its staff and consultants take care of security when using facsimile to dispatch documents containing personal data.

Action by the PCPD

The Commissioner decided to issue an Enforcement Notice directing (i) the Solicitor and the Firm to cease sending any document containing the Complainant’s personal data to him for the purpose of dealing with the dispute between the Complainant and the Solicitor in relation to the Private Company via the Fax Number unless it is pursuant to the Complainant’s consent or the Court’s direction; and (ii) the Firm to prepare a written policy to prohibit sending legal documents which contain personal data to an insecure fax number (i.e. without encryption or accessible to other users) unless it is pursuant to the data subject’s consent or the Court’s direction.

(Uploaded in October 2015)
