
Case Notes

This case relates to DPP 4 - Security of personal data

Case No.: 2022C04

Staff of a property management company disclosed the personal data of residents when using recycled paper – DPP 4 – security of personal data

The Complaint

The Complainant was a resident of an estate managed by a property management company. One day, the Complainant found dozens of notices displaying the words “Wet Paint” hung or posted on both sides of the pedestrian walkway in the estate. The Complainant noticed that on the back of these notices were email exchanges between residents and the company. In particular, a printout of a complaint email from the Complainant to the company was on the back of one of the notices. It clearly showed her English name, email address and the content of the complaint. The Complainant thus lodged a complaint against the company with the PCPD.

Outcome

The company said that according to its established guidelines, recycled paper was for internal use only. The incident was caused by human negligence on the part of individual staff members, who were given verbal reprimands and warnings. In the light of the incident, the company revised its guidelines on the use of recycled paper, requiring its staff to stop using documents or correspondence involving personal data as recycled paper in future, failing which they would be subject to disciplinary action.

The PCPD considered that the company had failed to take all practicable steps to ensure a degree of awareness of or sensitivity to the security risks associated with personal data among staff. The company therefore failed to properly protect the personal data held by it in contravention of DPP 4. The PCPD warned the company that it needed to formulate a comprehensive internal policy and guidelines on the destruction or disposal of documents containing personal data for its staff to follow (e.g. destroying in a timely manner the documents that contain personal data but need not be retained; and requiring staff to regularly check whether the paper in recycling bins includes documents containing personal data). The company should also assign designated staff to effectively monitor and communicate with other staff to ensure that they are aware of and follow its internal policy and guidelines.

Lesson learnt

The incident occurred despite the company’s guidelines stipulating that recycled paper was for internal use only. Moreover, neither the staff responsible for printing the “Wet Paint” notices nor the staff responsible for posting the notices had come to realise that there was personal data printed on the back of the notices, proving a lack of awareness of personal data privacy protection among staff. The company should learn from this experience that it is pivotal not only to formulate the relevant policy, but also to adopt measures to enhance the awareness of such policy and foster a strong sense of compliance among staff. The company should also provide comprehensive training to its staff to strengthen their appreciation for personal data privacy protection.

(Uploaded in September 2022)

