7.17
Sometimes, an express stipulation imposed by the data subject may not be accepted
by the Commissioner as properly restricting the use of the personal data, if it is
unreasonable in the circumstances and taking into account the purpose for which the
data subject provided his data. In a complaint that came before the Commissioner, a
bank customer provided his data to a bank officer in an application for a particular
service. He requested his data to be handled only by that particular bank officer.
Subsequently, in accordance with the bank’s normal procedures, the bank officer
transferred the data to other bank officers for further processing, in order to provide the
customer with the service applied for. Such passing on of the data within the bank
contrary to the data subject’s request (which may, however, be considered to be
unreasonable) was considered by the Commissioner not to amount to use of the data
contrary to DPP3(1).
7.18
In other cases that were brought before the Commissioner, the data subjects had
lodged complaints with various authorities and requested non-disclosure of their
identities to the parties complained against. The Commissioner found that in some of
these cases, where anonymity did not affect the effective and fair handling of the
complaint in question, the request would, in the Commissioner’s view, have the effect of
limiting the purposes of use for which the identity data in question was collected, so that
its disclosure to the party complained against might amount to contravention of DPP3(1).
7.19
In AAB No. 4/2010, a resident was dissatisfied with the management of her residential
complex and filed numerous complaints. She wrote to the members of the Incorporated
Owners and asked for individual responses. The letters were subsequently passed on to
the management office for reply. The appeal related to whether there was a breach of
DPP3 by the Incorporated Owners as a result of the transfer of the letters. The bone of
contention was the declaration made by the complainant at the end of her letters sent
to the Incorporated Owners, which stated that her letters should not be passed on to the
management office. Upon examination of the declaration, the AAB found that it was a
“request” and should not be interpreted as a “prohibition” against the disclosure of the
letters to the management office. The AAB accepted that the appointment of a
management company to handle enquires or complaints made by owners and other
related persons was very common and was based on valid legal grounds, i.e. the power
conferred upon the Incorporated Owners under the Building Management Ordinance
(Cap 344). Therefore, the AAB found that there was no prima facie evidence of
contravention on the part of the Incorporated Owners or its individual members.
7.20
In AAB No. 41/2006, the complainant complained to the management company about
the detection of a foul smell along the corridor outside her flat. The management
company reported the matter to the police for investigation. Later, the complainant
lodged a complaint against the management company for, contrary to a prior
agreement, disclosing her personal data, including her name, address and contact
telephone number, to the police without her consent. The AAB ruled that when the
management company provided the complainant’s personal data to the police upon
request, the management company was using the complainant’s personal data for a
purpose directly related to the purpose for which her data was collected in the first
place (i.e. for investigation of the complaint of foul smell). Accordingly, the AAB found