Case Notes

This case relates to DPP4 - Security of personal data

Case No.: 2020A09

(AAB Appeal No. 17 of 2020)

Leakage of medical reports – failure to provide evidence to substantiate the complaint – remedial measures taken – discretion not to investigate the complaint duly exercised – further investigation cannot reasonably be expected to bring about a more satisfactory result

Coram:
Mr Erik Ignatius SHUM Sze-man (Presiding Chairman)
Mr LAM Tak-hing (Member)
Mr Ellis LAU Ying-tung (Member)

Date of Decision: 4 February 2021

The Complaint

The Appellant suffered a work-related injury and submitted his medical reports in respect of the said injury to his former employer (“Former Employer”). An anonymous person obtained a copy of the Appellant’s medical reports and sent the same to the staff union which the Appellant belonged to. The Appellant lodged a complaint with the Privacy Commissioner alleging that the Former Employer had failed to adopt sufficient security measures in protecting his personal data resulting in leakage of his medical reports.

The Privacy Commissioner’s Decision

Upon preliminary enquiry, the Privacy Commissioner could not find any evidence indicating that the Former Employer had failed to take appropriate measures to protect the personal data of its employees, thereby resulting in the leakage of the Appellant’s medical reports. The Former Employer had also taken remedial measures. The Privacy Commissioner exercised the discretion under section 39(2)(d) of the PDPO not to carry out an investigation into the Appellant’s complaint. Being dissatisfied with the Privacy Commissioner’s decision, the Appellant lodged an appeal to the AAB.

The Appeal

The AAB confirmed the Privacy Commissioner’s decision and agreed that:-

  1. The Appellant’s medical reports were once possessed by various entities, including the doctors, insurance companies and the related entities, etc. There was no evidence suggesting that the Appellant’s medical reports were in fact leaked by the Former Employer. In any event, the Former Employer had taken a series of remedial measures, including the engagement of an independent consultant to review and strengthen its data management system; and also the implementation of measures as recommended to enhance data security and provision of training to its employees in order to enhance their awareness of protection of personal data privacy.
  2. Further, even assuming that the Privacy Commissioner continued to investigate the complaint and found the Appellant’s complaint substantiated, in view of the aforesaid remedial measures taken by the Former Employer, the Privacy Commissioner’s investigation could not bring about any other substantive results.

The AAB’s Decision

The appeal was dismissed.

(Uploaded in March 2024)

