Obligation Not Absolute — “All Practicable Steps”
5.69
DPP1(3) requires “all practicable steps” to be taken by the data user to ensure that the
data subject is informed of the matters mentioned therein on or before the collection of
the data. “Practicable”, as provided under section 2(1), means “reasonably
practicable”.
5.70
Accordingly, the requirement under DPP1(3) does not apply in those situations where it is
not reasonably practicable to inform the data subject, examples of which include:
• law enforcement — where it is necessary in the course of law enforcement to collect
the personal data of an individual without prior notification;
• employment — where personal data is collected as evidence of an employee’s
dereliction of his duty or misconduct, e.g. video images showing that an employee
was sleeping while on duty (AAB No. 23/2008 and AAB No. 7/2011) or photographs
taken of a uniformed security guard who was found behaving in an objectionable
manner in a public place (AAB No. 29/2008); and
• receiving unsolicited data from the data subject — where personal data is received
without having been requested. In relation to such data, it is impractical in most
cases to expect the recipient to give notice pursuant to DPP1(3) to the sender, for
example, the voluntary sending of a job resume or name card to a company to seek
employment or solicit business.
5.71
In situations where a data user is required to inform the data subject from whom
personal data is collected about the matters mentioned in DPP1(3), the next question to
ask is whether the effort made to inform the data subject sufficiently constitutes “all
reasonably practicable steps” as required under DPP1(3). For example, where a notice
has been posted up, matters such as the prominence of the notice, whether and how
the data subject has been told about the existence of the notice are relevant factors to
consider. Where direct communication with the data subject is not possible, the
adoption of practical alternatives to bring the notice to the attention of the data
subject is also a matter that needs to be taken into account in deciding whether “all
reasonably practicable steps” have been taken in compliance with DPP1(3). In AAB No.
25/1999, the AAB found a hospital in breach of DPP1(3) for failing to take all reasonably
practicable steps to draw the attention of its private patients to the PICS as the notice
displayed in the waiting room was not prominent enough.
5.72
The manner in which the terms and conditions contained in a credit card application
form were presented by a bank was scrutinized by the AAB in AAB No. 38/2009. By
signing the application form, the customer agreed to the use of his personal data by the
bank to market the services or products of the bank and their selected companies. One
of the observations made by the AAB concerning the application form was that “… the
print was so small that no one could reasonably be expected to be able to read the
content without the aid of some form of magnifying glass …, the very design of this
application form in our view simply discourage people from reading the fine print”. The
AAB was of the view that if the data user intended to provide the personal data to a
third party, it must be clearly stated in a legible manner. The AAB upheld the decision of
the Commissioner that the bank had not taken sufficient steps to make sure that the
relevant terms and conditions (in connection with the purposes of use of personal data