Response to Media Enquiry or Report

Date: 31 January 2020

PCPD's Response to Personal Data Privacy Issues Arising from Novel Coronavirus Infection


Regarding the use of suspected patients’ personal data for doxxing
  • The office of the Privacy Commissioner for Personal Data (PCPD) would not comment on individual cases, but would make general observations from the perspectives of the Personal Data (Privacy) Ordinance (PDPO).
     
  • Under the PDPO, “personal data” is defined as data which relates to a living person and can be used to identify that person, and exists in a form in which access to or processing is practicable.
     
  • The PCPD condemns doxxing and cyberbullying, and emphasises that under the Data Protection Principle on the use of personal data (Data Protection Principle 3) in the current PDPO, the use of personal data must be consistent with or directly related to the original purpose when collecting the data. Otherwise, the data subject’s express and voluntary consent is required.
     
  • Section 64(2) of PDPO stipulates that a person commits an offence if he discloses, irrespective of his intent, any personal data of a data subject obtained from a data user without the data user’s (data source) consent and the disclosure causes psychological harm to the data subject. Contravention of section 64 of the PDPO attracts a maximum fine of HK$1,000,000 and a maximum imprisonment for 5 years. Doxxing and cyberbullying may also involve other criminal offences, including criminal intimidation. Affected persons are entitled to claim compensation from the persons involved in respect of the damage suffered.
     
  • As of 5:00 pm on 30 January, the PCPD received one related complaint.
     
  • The PCPD will closely monitor the development of the situation and will take follow-up actions in accordance with law as appropriate.
 
Regarding the disclosure of information about suspected patients to third parties including health authorities

  • The PCPD would not comment on individual cases, but would make general observations from the perspectives of the PDPO.
     
  • Under the PDPO, “personal data” is defined as data which relates to a living person and can be used to identify that person, and exists in a form in which access to or processing is practicable.
     
  • Generally speaking, the Data Protection Principle on the use of personal data (Data Protection Principle 3) in the PDPO provides that the use of personal data must be consistent with or directly related to the original purpose when collecting the data. Otherwise, the data subject’s express and voluntary consent is required. However, section 59 of the PDPO provides that situations involving health concern relating to interests of the public may be exempt from the restrictions on the use of data.
     
  • Section 59(1) of the PDPO states that in circumstances where the application of the restrictions on the use of data would be likely to cause serious harm to the physical or mental health of the data subject or any other individual, the data user may disclose personal data relating to the physical or mental health of the data subject to a third party without the consent of the data subject (exemption for Data Protection Principle 3).
     
  • Section 59(2) also states that under the same circumstances mentioned above, the data user can also disclose the identity or location of a data subject to a third party without the consent of the data subject. The legislative intent of section 59(2) of the PDPO is to provide timely access to personal data such as someone’s identity and location where necessary, so that relevant parties can take immediate action to prevent serious harm to the physical or mental health of the data subject or any other individual.
     
  • The PCPD emphasises that if members of the public intend to rely on the relevant exemption provisions, they must ensure that the sole purpose of using the personal data of the data subject is to protect public health and is in the public interest. At the same time, they must also respect the privacy of the data subject and adopt less privacy intrusive means to achieve the purpose, such as seeking assistance from relevant medical practitioners or the Department of Health.
     
  • Under section 60B of the PDPO, if personal data is (a) required or authorised by or under any enactment, by any rule of law or by an order of a court in Hong Kong; (b) required in connection with any legal proceedings in Hong Kong; or (c) required for establishing, exercising or defending legal rights in Hong Kong, the personal data is exempt from the provisions of Data Protection Principle 3. On 8 January 2020, the Government had included “Severe respiratory disease associated with a novel infectious agent” into the statutorily notifiable infectious diseases in Schedule 1 to the Prevention and Control of Disease Ordinance (Cap 599 of the Laws of Hong Kong), and amended its subsidiary legislation, the Prevention and Control of Disease Regulation (Cap 599A of the Laws of Hong Kong). According to section 4 of the Prevention and Control of Disease Regulation, if any medical practitioner has reason to suspect a case of a scheduled infectious disease, whether or not the affected individual has died, he must immediately notify the Director of Health. Therefore, relevant medical practitioners may rely on section 60B of the PDPO to disclose the personal data of a data subject to the Director of Health without the consent of the data subject, in order to comply with the requirements of the Prevention and Control of Disease Regulation as well as for the purpose of protecting public health and public interest.
 
Regarding merchants’ requirement of “real name” registration

  • The PCPD would not comment on individual cases, but would make general observations from the perspectives of the PDPO.
     
  • Under the PDPO, “personal data” is defined as data which relates to a living person and can be used to identify that person, and exists in a form in which access to or processing is practicable.
     
  • It is a commercial decision of merchants as to which types of customers they provide goods or services to. That is not regulated by the PDPO. That said, merchants who collect and use customers’ personal data in the course of providing goods or services must comply with the provisions of the PDPO.
     
  • Regarding collection of personal data, merchants should collect customers' personal data in a lawful and fair manner, and should not collect excessive personal data. The purpose of the collection should be directly related to their business. A Personal Information Collection Statement should also be provided when/before collecting customers’ personal data to inform customers of the data collected/used/processed and the purposes, and the classes of person to whom their data may be transferred.
     
  • With regard to the use of personal data, the merchant's use of the customer's personal data is limited to the purpose stated at the time of collection or directly related purposes. To use the data for a new purpose, voluntary and explicit consent of the data subject must be obtained in advance. Otherwise, it will constitute a contravention of Data Protection Principle 3.
     
  • In addition, the Data Retention Principle in the PDPO stipulates that data users must not retain personal data for longer than necessary to achieve the original purpose. Also, the Data Security Principle of the PDPO stipulates that data users must take all practicable steps to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use. Therefore, merchants should erase the personal data collected as soon as practicable after selling the goods or providing services (that is, once the purpose of collection is fulfilled). If there is a real need to retain such personal data, merchants should take appropriate measures to ensure the security of the personal data being held.