Date: 21 March 2020
Response to media enquiry on privacy issues arising from COVID-19
Thank you very much for your enquiry about the privacy issues arising from COVID-19. The response from the office of the Privacy Commissioner for Personal Data (PCPD) is as follows:
Complaints arising from COVID-19
The PCPD received the first complaint in relation to COVID-19 on 25 January 2020. As of 19 March 2020 the PCPD has received 127 complaints in relation to COVID-19. The breakdown of the nature and number of complaints is as follows:
Nature | Number of Complaints
Doxxing of medical personnel | 78
Collection of personal data for distributing/selling masks and toilet rolls | 46
Employees requested by employers to provide location data / body temperature measurements | 3
Total | 127
What data users should be mindful of in collection and retention of data
In times of public health emergency, it is entirely justifiable for organisations, particularly public health authorities, to collect, use, process and retain additional personal data to protect the community from serious threats to public health. The outbreak of COVID-19 was declared a Public Health Emergency of International Concern by the World Health Organisation on 30 January 2020, and characterised as a pandemic on 11 March 2020. There is now a pressing need for the local and international communities to contain the spread of the virus. The compelling interests of public health and safety should be the primary concern for all, including data users.
Data protection principles should not hinder measures taken to combat COVID-19. However, organisations should not derogate from their responsibilities in handling personal data. Under Data Protection Principle (DPP) 1, organisations should not collect more personal data, especially health data, than is necessary. In other words, only minimum, necessary, non-excessive personal data should be collected, and the purpose of collection should be directly related to the organisation's functions or activities (e.g. ascertaining the health condition of the data subjects). The means of collecting personal data should also be lawful and fair in the circumstances of the case.
If employers need to collect employees’ health data to protect their employees and the wider community, a self-reporting system is preferred to an across-the-board mandatory system where health data is collected indiscriminately. A Personal Information Collection Statement (PICS) should be provided when or before collecting data subjects’ personal data to inform them of the data collected, the purposes of collection, and the classes of persons to whom their data may be transferred.
Data collected must, as required under DPP3, only be used for the purpose for which the data was to be used at the time of collection or for a directly related purpose unless with consent of the data subjects or unless exemptions provided by Part 8 of the PDPO apply (e.g. exemption arising from public health considerations). Personal data collected must be protected with appropriate safeguards and security measures to prevent unauthorised or accidental access, processing, erasure, loss or use of the data under DPP4. As regards data retention, organisations should not retain personal data for longer than is necessary to achieve the original purpose as required under DPP2. Therefore, data users should erase the personal data collected as soon as practicable once the purpose of collection is fulfilled (e.g. ascertaining the health condition of the data subjects).
Exemptions provided in the PDPO in relation to public health emergency
The PDPO and the Data Protection Principles (DPP) apply to the entire data life cycle from data collection to data destruction.
Section 59(1) of the PDPO provides for the situations where the use of personal data relating to the health of the data subjects may be exempted from the application of DPP 3 (use of data) if the application of such rule would cause serious harm to the health of the data subjects or any other individuals. In other words, any breach of the general rule on the use of data without consent may be defended by demonstrating that the use of the data is for protecting the health of individuals and public health at large. In particular, section 59(2) of the PDPO states that in circumstances where the application of the restrictions on the use of data would be likely to cause serious harm to the physical or mental health of the data subject or any other individual, personal data relating to the identity or location of the data subject may be disclosed to a third party without the consent of the data subject.
Section 60B of the PDPO states that if personal data is:
(a) required or authorised by or under any enactment, by any rule of law or by an order of a court in Hong Kong;
(b) required in connection with any legal proceedings in Hong Kong; or
(c) required for establishing, exercising or defending legal rights in Hong Kong,
the personal data is exempt from DPP3.
On 8 January 2020, the Government added “Severe respiratory disease associated with a novel infectious agent” to the statutorily notifiable infectious diseases in Schedule 1 to the Prevention and Control of Disease Ordinance (Cap 599 of the Laws of Hong Kong), and amended its subsidiary legislation, the Prevention and Control of Disease Regulation (Cap 599A of the Laws of Hong Kong). According to section 4 of the Prevention and Control of Disease Regulation, if any medical practitioner has reason to suspect a case of a scheduled infectious disease, whether or not the affected individual has died, he must immediately notify the Director of Health. Therefore, relevant medical practitioners may rely on section 60B of the PDPO to disclose the personal data of a data subject to the Director of Health without the consent of the data subject, in order to comply with the requirements of the Prevention and Control of Disease Regulation.
Balance between privacy rights and public health
The right to personal data privacy is not an absolute right. In practice, this means that it may be subject to other competing rights or interests, such as the absolute right to life and the interests of the public, including public health.
The “right to life” of individuals under i) Article 2 of Part II of the Hong Kong Bill of Rights Ordinance and ii) Article 6 of the International Covenant on Civil and Political Rights (ICCPR) means that every human being has the inherent right to life. The Human Rights Committee (HRC) of the United Nations also stated in November 2018 that “The right to life is the prerequisite for the enjoyment of all other human rights” and defined the “right to life” as “the supreme right”. This right is absolute and precedes other countervailing interests, including the privacy right. The right to life refers not only to the right to life of the data subject, such as the potential carrier of COVID-19, but also to that of others in society.
That said, organisations as data users should still take all practicable steps to ensure the protection of the personal data privacy of the data subjects. Authorities as data users or controllers should first seek to process the relevant data in an anonymised or de-identified way. The least privacy-intrusive measures should be preferred.
If it is unavoidable to process data capable of identifying a person, the Data Specification Principle must be complied with when collecting personal data, and the Use Limitation Principle when using the personal data. The anti-virus measures that may encroach on the privacy right of the individuals concerned, albeit a qualified right, shall be no more than necessary and proportionate to achieving the pressing and legitimate purpose of combating the pandemic in the interest of both the individuals concerned and the public. There shall also be other adequate safeguards in relation to data retention and data security in place.
As an independent statutory body, the PCPD promotes, monitors and supervises data users’ compliance with the requirements of the PDPO, with a view to protecting the personal data privacy rights of individuals. On the other hand, we are mindful of the compelling public interest in the current public health emergency when considering compliance with data protection laws, which should not be seen as hindering the measures taken in fighting or combating the pandemic especially when the collection and use of personal data is in the public interest and/or in the interest of public health.