Skip to content

Case Notes

Case Notes

This case related to DPP3 - Use of personal data , exemptions , Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users

Case No.:2014A03

(AAB APPEAL NO.55/2014)

When the 40-day period under section 19(1) should start to run – whether a doctor passing his patient’s personal data to his solicitors for seeking legal advice can invoke the exemption under section 60B(c)

Coram:
Mr Alan Ng Man-sang (Presiding Chairman)
Mr Philip Chan Kai-shing (Member)
Mr Nelson Cheng Wai-hung (Member)

Date of Decision: 30 June 2016

The Complaint

The Appellant was a patient of a doctor from December 2008 to December 2011 for treatment of her knee pain and other problems. On 2 June 2012, the doctor through his solicitors issued a letter to the Appellant informing her the termination of their doctor-and-patient relationship. Dissatisfied with the doctor’s decision, the Appellant made a number of data access requests to the doctor. Subsequently, she complained to the Commissioner against the doctor for his failure to comply with her data access request (DAR) made on 24 February 2013 and the disclosure of her medical information to his solicitors.

The Commissioner’s Decision

With respect to the compliance with the DAR, the Commissioner was of the view that apart from the Appellant’s mere allegation, there was no evidence to support that the doctor was withholding any documents from the Appellant. As for the disclosure of the Appellant’s medical information by the doctor to his solicitors, the Commissioner found that the purpose of the disclosure was for handling the Appellant’s DAR which sought to obtain copies of her medical information. The Commissioner considered that such use was directly related to the original purpose of collection which was for handling matters relating to her medical condition and treatment. In addition, such disclosure fell squarely within section 60B(c) of the Ordinance which exempted liability from the provisions of DPP3 where the use of the data was required for establishing, exercising or defending legal rights in Hong Kong.

The Appeal

At the hearing, the Appellant agreed that there was sufficient compliance with the DAR. The remaining question was whether the doctor had failed to comply with the DAR within 40 days after receiving it.

The AAB took the view that the DAR lacked clarity. The description of the requested data was open to an interpretation that the Appellant requested first from the doctor an index of all the documents contained in the several inches thick multiple medical files, then from the index supplied, worked out what documents she did not have, and thereafter requested from the doctor for those documents she did not have. However, the DAR might also mean that the Appellant requested from the doctor all medical records which she did not have, so that she could have a complete set of all records. It was incumbent on the Appellant to clarify the scope of the documents requested in the DAR before the 40-day period started to run. Hence, it was only until the receipt of the amended DAR on 27 April 2013 that the 40-day period commenced. Given that the Appellant eventually received 281 pages of copy medical records from the doctor’s solicitors and the Appellant’s concession at the appeal hearing that there was no dispute as to the sufficiency of compliance with the amended DAR, the AAB held that there was no prima facie non-compliance under section 19(1) 1 of the Ordinance or DPP6(b)(i).

The doctor’s purpose of collecting the Appellant’s personal data was to handle matters relating to her medical condition and treatment. It was plain that the purpose for which the doctor disclosed the 281 pages of copy medical records to his solicitors was in relation to the DAR, which in turn related to the doctor’s purpose of collecting the Appellant’s personal data. The AAB therefore agreed with the Commissioner that there was no prima facie case of contravention of DPP3.

Even if there was a breach of DPP3, the AAB took the view that the exemption provided under section 60B(c) of the Ordinance would be applicable in this case. It would be artificial to suggest that section 60B(c) should be restricted to situations where legal proceedings, legal claims, or complaints have been commenced or lodged against the relevant data user. There might be cases where the relevant data user would like to obtain legal advice on the appropriate prophylactic actions to be taken in a bid to prevent the situation from ballooning into a formal dispute, or for the purpose of defending his legal rights in the future potential dispute. Therefore the AAB concluded that the Commissioner’s decision in this aspect could not be faulted.

The AAB’s Decision

The AAB dismissed the appeal.

1 Section 19(1) : A data user must comply with a data access request within 40 days after receiving the request.

(Uploaded in March 2019)


Category : Provisions/DPPs/COPs/Guidelines : Topic/Subject Matter :