An organisation is required by the law to ensure personal data security even when using CCTV for collection of evidence
The Complaint
A banner with offensive message was posted on the “Democracy Wall” of a university. The accident aroused widespread public concern and media coverage. One of the local newspapers published two screenshots captured from the campus CCTV footage showing two men posting the banner.
Some members of the public suspected that the university had provided the screenshots to the media, intruding on the privacy of those two men. They complained to the PCPD against the university. The PCPD therefore initiated a compliance check against the university.
Outcome
As revealed in the compliance check, the university noted that if the banner was posted by its students, those students might experience great pressure and might not know how to deal with the situation. It was therefore necessary for the university to ascertain the identity of the persons involved to provide them with counselling. On the other hand, as the act of posting such a banner appeared to have violated the General Code of Student Conduct, and it damaged the university’s reputation, the university needed to identify the persons involved in order to conduct further investigation, and to consider disciplinary action.
Accordingly, the security centre of the university ascertained from campus CCTV footage that the banner had been posted by two men. Two screenshots were made and sent to the university’s senior management via an instant messaging social network group for the purpose of timely identification of the persons involved. For the same purpose, some members of the social network group forwarded the two screenshots to more than 10 other staff members and one student.
The PCPD noted that there might be a prima facie contravention of DPP3 of the Ordinance by the university, given that the purpose of circulating the two screenshots through the instant messaging application for disciplinary investigation was different from the original purpose of installing the CCTV, which was for security. However, if the personal data was used for investigation and punishment of seriously improper conduct (not limited to crimes), such data was exempt from the provisions of DPP3 by virtue of section 58 of the Ordinance.
Given that the incident might damage the university’s reputation and the act of posting such a banner appeared to have violated the General Code of Student Conduct (if it was done by the university students), the PCPD took the view that section 58 of the Ordinance would apply such that the circulation of the two screenshots by the university through the instant messaging application did not contravene DPP3.
However, the PCPD considered that even though the university needed to circulate the two screenshots within the social network group in a timely manner, it should have reminded the members of the group that the screenshots were confidential information not to be shared with others and they had to be deleted immediately after use.
All in all, the university failed to take all reasonably practicable steps to safeguard the two persons’ personal data, thereby contravening DPP4 of the Ordinance. The university took the PCPD’s advice and has taken the following actions to enhance the protection of the CCTV images:
(i) stating in the social network group that members were required to maintain confidentiality;
(ii) devising CCTV monitoring policies and procedures to ensure that matters relating to the types of personal data held and the main purposes for which the data collected was to be used, as well as the retention policies were clearly set out; and
(iii) devising detailed operational guidelines for the CCTV operating staff, including procedures on retrieval and capturing of CCTV footage and security measures.
(Uploaded in March 2019)