the password protected zone of the USB flash drive was defective and she could not
access the data kept in that zone. Instead of reporting the incident to the relevant
supervisor, she chose to copy the data again from the master computer file and stored
it in the non-password protected zone of the USB flash drive, which was later lost. The
Commissioner found that HA, as the employer of the nurse, had breached DPP4 in failing
to take all practicable steps to protect patients’ personal data in view of the deficiency
of policies and practices regulating the use of mobile electronic storage devices and
the lack of training provided to its staff. The series of reported data breach incidents in
2008 concerning the loss of patients’ personal data revealed the inadequacies of the
patients’ data security system operated by HA. This prompted the Commissioner to carry
out a self-initiated inspection under section 36 of the Ordinance resulting in a number of
recommendations for HA to improve its data security system for patients’ data.[19]
8.27
More recently, an investigation[20] was carried out by the Commissioner against HA which
resulted in an enforcement notice being served on HA for contravention of DPP4. The
investigation stemmed from two data leakage incidents in which hospital waste
containing patients’ personal data and shredded strips of medical appointment slips
were found abandoned outside the shredding factory of a waste disposal service
provider engaged by HA. The Commissioner concluded that the precise cause of
abandonment of the hospital waste was unknown but the leakage of the personal data
in question was clearly an outcome of incomplete or improper shredding of the hospital
waste. By virtue of section 65(2) of the Ordinance, even though HA had entrusted its
service provider with the task of hospital waste collection, destruction and disposal, HA
remained accountable as data user for any unauthorised or accidental access of the
personal data in question. Furthermore, the contract between HA and its service
provider was found by the Commissioner to be inadequate to ensure proper and
complete shredding of hospital waste, and HA failed to competently manage the
contract. The Commissioner therefore concluded that HA had contravened DPP4 as it
had failed to take all reasonably practicable steps to ensure that patients’ personal
data were protected against unauthorised or accidental access. HA was directed
under the enforcement notice to exercise its reasonable endeavors to retrieve and
destroy the abandoned hospital waste identified in the two incidents, review and revise
the hospital waste disposal procedures and implement a series of improvement
measures, etc., within a specified period.
8.28
In another case, a patient visited a clinic and discovered that his file containing his
medical records had been lost. The clinic tried to track and trace the records but to no
avail and it was unable to ascertain when the loss had occurred and who had caused
the data loss. The Commissioner found that the clinic had no system in place to monitor
the movement of the files containing medical records and, owing to the busy
movement of these files during consultation periods, any loss would easily escape the
[19] See Inspection Report No. R8-4232, available on the Website:
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/inspection_reports/files/HA_inspection_report_e.
[20] See Investigation Report No. R13-6740, available on the Website:
https://www.pcpd.org.hk/english/enforcement/commissioners_findings/investigation_reports/files/R13_6740_e.pdf