Date: 23 June 2019
Privacy: Not a Door for Bullying and Intimidation, Nor a Sword for Arbitrary Law Enforcement; Not a Shield for Unlawful Acts
As at 4 pm on 21 June
*, the office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) received 68 complaints and enquiries relating to doxxing of police officers, their friends and relatives, and 32 complaints and enquiries relating to suspected unauthorised transfer of patients’ data to the Police by medical staff. The Privacy Commissioner for Personal Data, Hong Kong (Privacy Commissioner) Mr Stephen Kai-yi WONG noted that the issues have caused extensive concerns in the community. From the privacy perspective, the Privacy Commissioner made the following observations and gave an explanation of the relevant laws:
-
Freedom of speech, free flow of information and personal data privacy, which are unique and plays an irreplaceable role in this country, have been protected by the laws of Hong Kong (including the Basic Law). However, these fundamental rights are not absolute rights; they are subject to legal restrictions, including others’ reputation and privacy, public order and national security.
-
When posting others’ personal data on social media platforms, one must consider if the manner of collection and use is legal and fair, regardless whether the data was obtained from the public domain. Collection and disclosure of personal data for bullying, inciting and intimidation is definitely illegal, unfair and contravenes the Personal Data (Privacy) Ordinance (the Ordinance) and other relevant law.
-
The Privacy Commissioner reiterated that netizens must respect others’ personal data privacy; operators of social media platforms and online discussion forums have to perform their statutory duties and corporate ethical responsibilities by not providing their platforms for acts that are illegal and would cause harm to personal data privacy. Similar cyber-bullying acts may also incur civil and criminal liabilities.
-
The Privacy Commissioner has taken the initiative to contact the operators of the relevant social media platforms and online discussion forums. The operators were requested to ask the netizens to delete the posts and stop posting such contents. Follow-up work has been done together with other enforcement authorities (including the Police).
-
The Privacy Commissioner received Hospital Authority (HA)’s notification on suspected data leak of its Accident and Emergency Information System. He has contacted HA and commenced a compliance check to obtain the facts and details of the case.
-
Under the Data Security Principle of the Ordinance, organisations shall take practicable steps to ensure that personal data is protected against unauthorised or accidental access, processing, erasure, loss or use. They shall also comply with the Data Use Principle of the Ordinance, which requires that personal data should only be used for the purpose for which they were collected; otherwise voluntary and explicit consent of the patient must be obtained.
-
The Privacy Commissioner states that the Ordinance aims to prevent personal data from being misused or abused. The Data Protection Principles under the Ordinance regulate the collection, storage, retention, use, security, transparency, access and correction of personal data. Patients’ personal data must be used for the purpose stated at the time of collection and for any other use, patients’ consent must be obtained (Principle 3 – Data Use).
-
Under the Ordinance, there are exemption provisions for certain circumstances, one of which is about emergency life saving - personal data is disclosed to prevent patients or others from suffering serious harm. For example, disclosing a patient’s identity and location to a third party so that the third party can provide immediate rescue service to prevent causing serious harm to the physical or mental health of the patient or others (Section 59 of the Ordinance).
-
Disclosure of personal data for detection or prevention of crime; apprehension, prosecution or detention of offenders is another condition for exemption. However, the hospital has no responsibility to provide data by relying on this exemption. The hospital should determine if the criteria are met before relying on this exemption. The hospital should first ask the enforcement authority requesting personal data to provide sufficient information, including the purpose of data collection, the nature of the case being investigated, the relevance of the requested data to the investigation, the reason why the investigation will be hindered if the data is not provided, etc. Moreover, this exemption provision does not empower the enforcement authority to collect data arbitrarily. When the enforcement authority requests the data, it has the duty to inform the hospital whether the supply of the data is obligatory, or the enforcement authority may contravene the Ordinance due to misleading the hospital or abuse of power (Section 58 of the Ordinance). If there is a dispute between them, the requestor may apply for a search warrant from the court.
-
It is not difficult to understand the logic of this exemption provision. If the enforcement authority is investigating a criminal case and possesses information of the suspects, when it requests personal data from an organisation or a person by proving that there is reasonable ground to believe that non-disclosure of the data may prejudice the detection of crime, the organisation or the person may not use privacy as a “shield” for not providing the data.
-
All organisations must put in place policies and procedures to regulate the collection, processing and use of personal data; safeguard the personal data; and handle the exemption issues. Any organisation which inadvertently or excessively collects data or requests or misleads other organisation to provide data without any legal basis may contravene the requirements of the Ordinance.
-End-
* Update:
As at 4 pm on 25 June 2019, the PCPD received 130 complaints and enquiries relating to doxxing of police officers, their friends and relatives, and 36 complaints and enquiries relating to suspected unauthorised transfer of patients’ data to the Police by medical staff.