Date: 8 October 2019
Response to the media enquiry on data protection of patient information
Thank you very much for your email enquiry. Our consolidated response from the perspective of personal data privacy follows:
- The Personal Data (Privacy) Ordinance (the Ordinance) was enacted to protect living individuals’ privacy in relation to personal data.
- The Data Protection Principles under the Ordinance regulate the collection, storage, retention, use, transfer, security, transparency, access, correction and destruction of personal data. The Ordinance aims to prevent personal data from being misused or abused. Patients’ personal data must be used for the purpose stated at the time of collection. For any other use, patients’ consent must be obtained (Principle 3 – Data Use) unless the data users (e.g. the hospitals) invoke statutory exemptions provided in the Ordinance.
- Under the Ordinance, there are exemption provisions for certain circumstances, for instance, disclosure of personal data for the detection or prevention of crime and disclosure of personal data for the apprehension, prosecution or detention of offenders. However, the hospital is under no obligation to provide data by relying on this exemption. The hospital should determine whether the criteria are met before relying on it. The hospital should first ask the enforcement authority requesting the personal data to provide sufficient information, including the purpose of the data collection, the nature of the case being investigated, the relevance of the requested data to the investigation, the reason why the investigation would be hindered if the data were not provided, etc. Moreover, this exemption provision does not empower the enforcement authority to collect data arbitrarily. When the enforcement authority requests the data, it has a duty to inform the hospital whether the supply of the data is obligatory; otherwise the enforcement authority may contravene the Ordinance by misleading the hospital or abusing its power (Section 58 of the Ordinance). If there is a dispute between them, the requestor may apply for a search warrant from the court.
- It is not difficult to understand the logic of this exemption provision. If the enforcement authority is investigating a criminal case and requests personal data from an organisation or a person, having shown that there are reasonable grounds to believe that non-disclosure of the data may prejudice the detection of crime, the organisation or the person may not use privacy as a “shield” for not providing the data.
- It must be stressed that personal data belongs to the patients, and hospitals have an obligation to protect that data, whether under the Ordinance or under any other relevant laws and codes of conduct.
- All organisations must put in place policies and procedures to regulate the collection, processing and use of personal data; safeguard the personal data; and handle exemption issues. Any organisation which inadvertently or excessively collects data, or which requests or misleads other organisations into providing data without any legal basis, may contravene the requirements of the Ordinance.
- Any person who suspects that his or her personal data privacy has been infringed and can provide prima facie evidence (including the contact details of the infringer and details of the misuse of the data) may complain to the Office of the Privacy Commissioner for Personal Data (PCPD). Upon receipt of the complaint, the PCPD will handle and follow up the case in strict confidence according to the Ordinance (PDPO) and its Complaints Handling Policy.
- Between 1 June 2019 and 8 October 2019, the PCPD received 37 complaints relating to suspected unauthorised disclosure of patients’ data by medical staff of the Hospital Authority to the Police. The PCPD is conducting a compliance investigation into the improper disclosure of patients’ personal data by the Hospital Authority.