A government department disclosed complaint details to the Police without the complainant’s consent – DPP3
The Complaint
The complainant made a complaint to a government department against an obstruction to an emergency vehicle access by a lion dance performance. After he made the complaint, he received a follow-up telephone call from the Police. As the matter he complained against was not under the Police’s purview, the complainant was dissatisfied that the government department had disclosed his complaint details to the Police. He hence made a complaint to the PCPD.
According to the government department, having considered that a permit from the Police was required for holding a lion dance performance, the handling officer decided to refer the case to the Police. The government department also revealed that its standing policy did not mandate officers to obtain consent from the complainant before making a referral. After this incident, the government department had revised its policy so that no referral would be made unless the complainant’s consent has been obtained.
Outcome
It was obvious that the complainant’s concern was about the obstruction caused by the lion dance performance, not about whether the performance organiser had obtained a permit from the Police. In such case, the PCPD considered that the government department had contravened DPP3 by disclosing the complainant’s personal data to the Police without his consent.
The PCPD served a written warning on the government department after the investigation of this case. It was requested to closely monitor staff compliance with its policy in handling personal data, so as to protect the personal data privacy of citizens.
Lesson learnt
When handling complaints, if government departments note any suspected breach of legal requirements which are beyond their purview, they have an obligation to report the matters to the appropriate authority. In doing so, the officer concerned should ascertain the need to disclose the complainant’s identity to the other party by taking into account the actual circumstances, instead of making indiscriminate disclosure of the information to the latter.
Private and public organisations alike, it is insufficient to merely establish a privacy policy without supplementing it with an execution plan. It is equally important to clearly define the role and responsibilities of relevant officers for their compliance in the privacy policy. Otherwise, the privacy policy will only be empty talk.
(Uploaded in August 2020)