7.17

Sometimes, an express stipulation imposed by the data subject may not be accepted

by the Commissioner as properly restricting the use of the personal data, if it is

unreasonable in the circumstances and taking into account the purpose for which the

data subject provided his data. In a complaint that came before the Commissioner, a

bank customer provided his data to a bank officer in an application for a particular

service. He requested his data to be handled only by that particular bank officer.

Subsequently, in accordance with the bank’s normal procedures, the bank officer

transferred the data to other bank officers for further processing, in order to provide the

customer with the service applied for. Such passing on of the data within the bank

contrary to the data subject’s request (which may, however, be considered to be

unreasonable) was considered by the Commissioner not to amount to use of the data

contrary to DPP3(1).

7.18

In other cases that were brought before the Commissioner, the data subjects had

lodged complaints with various authorities and requested non-disclosure of their

identities to the parties complained against. The Commissioner found that in some of

these cases, where anonymity did not affect the effective and fair handling of the

complaint in question, the request would, in the Commissioner’s view, have the effect of

limiting the purposes of use for which the identity data in question was collected, so that

its disclosure to the party complained against might amount to contravention of DPP3(1).

7.19

In AAB No. 4/2010, a resident was dissatisfied with the management of her residential

complex and filed numerous complaints. She wrote to the members of the Incorporated

Owners and asked for individual responses. The letters were subsequently passed on to

the management office for reply. The appeal related to whether there was a breach of

DPP3 by the Incorporated Owners as a result of the transfer of the letters. The bone of

contention was the declaration made by the complainant at the end of her letters sent

to the Incorporated Owners, which stated that her letters should not be passed on to the

management office. Upon examination of the declaration, the AAB found that it was a

“request” and should not be interpreted as a “prohibition” against the disclosure of the

letters to the management office. The AAB accepted that the appointment of a

management company to handle enquires or complaints made by owners and other

related persons was very common and was based on valid legal grounds, i.e. the power

conferred upon the Incorporated Owners under the Building Management Ordinance

(Cap 344). Therefore, the AAB found that there was no prima facie evidence of

contravention on the part of the Incorporated Owners or its individual members.

7.20

In AAB No. 41/2006, the complainant complained to the management company about

the detection of a foul smell along the corridor outside her flat. The management

company reported the matter to the police for investigation. Later, the complainant

lodged a complaint against the management company for, contrary to a prior

agreement, disclosing her personal data, including her name, address and contact

telephone number, to the police without her consent. The AAB ruled that when the

management company provided the complainant’s personal data to the police upon

request, the management company was using the complainant’s personal data for a

purpose directly related to the purpose for which her data was collected in the first

place (i.e. for investigation of the complaint of foul smell). Accordingly, the AAB found