Skip to content

Case Notes

Case Notes

This case related to DPP4 - Security of personal data

Case No.:2017A01

(AAB Appeal No.12/2017)

Identity of whistleblower circulated among colleagues –interviewees and division heads were required to observe confidentiality – DPP4(1) – failed to take all practicable steps to safeguard identity of whistleblower – remedial actions taken –whether the Privacy Commissioner had exercised his discretion lawfully and reasonably in deciding not to investigate

Coram:
Mr Erik Ignatius SHUM Sze-man (Presiding Chairman)
Professor Horace IP Ho-shing (Member)
Miss Catherine YEN Kai-shun (Member)

Date of Decision: 27 November 2017

The Complaint

The Appellant was a senior technician working in an electricity company. The Appellant complained to the company’s internal audit department that Colleague 1 showed favouritism towards an underperforming contractor.

The Appellant realised the fact that he was the whistleblower had been circulated among the colleagues. Colleague 3 told the Appellant that he learned about this from another female colleague in the operation and maintenance team located in Shenzhen, whom in turn was informed by her supervisor Colleague 2.

The Appellant lodged his complaint with the company claiming the internal audit department had leaked the information. An independent team was formed to investigate the complaint and came to the conclusion that no evidence of wrongdoing was discovered on the part of the internal audit department. Dissatisfied with the result, the Appellant lodged his complaint with the Privacy Commissioner against the company for failing to safeguard the security of information provided by him, and as a result revealed his identity as a whistleblower in the complaint against Colleague 1.

The Privacy Commissioner’s Decision

The Privacy Commissioner decided not to proceed with the Appellant’s complaint on the following grounds:–

(1) The Privacy Commissioner found the statements given by the female colleague and Colleague 2 to be contradictory. Colleague 2 claimed that he only learned of the Appellant as the whistleblower after being interviewed by the investigation team. He had no recollection of so informing the female colleague. The Privacy Commissioner was unable to conclude from the evidence the circumstances leading to the leakage. Nor could the Privacy Commissioner rule out the possibility that in the course of investigation, the person(s) interviewed by the internal audit department might deduce from the circumstances that the Appellant was the whistleblower.

(2) Given that the company had only orally requested or reminded the interviewee(s) and the division heads to maintain confidentiality, it appeared that the company had failed to take all practicable steps prescribed by DPP4(1) to protect the identity of the whistleblower.

(3) In light of the following remedial measures taken by the company, the Privacy Commissioner considered that the matter complained of had been resolved. In other words, further investigation of the case could not reasonably be expected to bring about a more satisfactory result:–
(a) With effect from February 2016, the internal audit department had deleted the name of the whistleblower from its investigation report, and added in its opening a warning note reminding the recipient(s) to keep the report confidential; and
(b) With effect from April 2017, the internal audit department had requested each interviewee and the division head of the whistleblower to sign a confidentiality agreement, which warned that breach of the agreement might lead to disciplinary proceedings.

(4) The Privacy Commissioner issued a letter to the company reminding it to comply with DPP4(1) by safeguarding the identity of the whistleblower.

Dissatisfied with the Privacy Commissioner’s decision not to proceed with his complaint, the Complainant appealed to the AAB.

The Appeal

The AAB took the view that the key issue of this appeal was whether the Privacy Commissioner had lawfully and reasonably exercised his discretion not to investigate, in light of the measures taken by the company to remedy the inadequacy arising from its existing practice or policy.

The AAB considered that the end result of carrying an investigation in this case was to issue an enforcement notice under section 50(1) of the Ordinance. It was not disputed among the parties that the company had already adopted appropriate and adequate measures to remedy the situation. Any enforcement notice subsequently issued would by then be obsolete or even superfluous. The Privacy Commissioner had lawfully and reasonably exercised his discretion in light of all the relevant circumstances of the case. Hence, the AAB affirmed the Privacy Commissioner’s decision not to proceed with the Appellant’s complaint as this could not reasonably be expected to bring about a more satisfactory result and had no practical effect at all.

The above discussion should be sufficient to dispose of and dismiss this appeal. However, the AAB appreciated that whether the company had contravened DPP4(1) meant a lot to the Appellant. Having considered the wording of DPP4(1) (in particular the word “practicable”), the AAB opined that the previous practice/policy of the company (i.e. not requiring the interviewee(s) and relevant division head to sign a confidentiality agreement) was undesirable and constituted a prima facie contravention of DPP4(1).

(Uploaded in March 2019)


Category : Provisions/DPPs/COPs/Guidelines : Topic/Subject Matter :