that there was no contravention of DPP3.[3]
7.21
Generally, when a data subject has imposed a condition on the data user to keep his
personal data confidential, the most prudent practice is for the data user to obtain the
data subject’s prior consent before disclosing his personal data to a third party, and to
inform the data subject of the consequences of him failing to provide such consent (e.g.
inability to effectively deal with a complaint lodged by the data subject). It is worth
noting that the potential opportunity for a data subject to expressly stipulate the
purposes of use in relation to his personal data exists only on or before the collection of
the data. It is generally not open to a data subject, whose personal data has already
been collected or even used by a data user, to unilaterally introduce thereafter any
restriction on or modification to the purposes of use.
7.22
For personal data that is intended by the data subject to be held by the data user in
confidence, the mere fact that there might exist a duty of confidentiality does not thereby
necessarily render the disclosure by the data user a breach of DPP3(1). The tenet is the
purpose of disclosure. A complainant in his complaint to the Commissioner alleged that his
employer had wrongfully disclosed the fact that he was subject to disciplinary
proceedings (which he claimed to be a confidential matter) to his doctor when
requesting a medical certificate as to his mental and physical fitness to attend the
proceedings. The evidence supplied showed that the disciplinary proceedings had been
postponed several times as a result of his production of sick leave certificates. The
Commissioner found that the personal data was collected for deciding the employment
matter of the complainant and the disclosure of such disciplinary proceedings to his
doctor for certifying his fitness to attend the proceedings was, in the circumstances of the
case, proper as it was for the same or directly related purpose under DPP3. This view was,
on appeal by the complainant, upheld by the AAB in AAB No. 26/2004.
Transferring Personal Data between Data Users
7.23
Sometimes, personal data is transferred by a data user (“the transferor”) to another data
user (“the recipient”). Such transfers of personal data must comply with DPP3(1), i.e. if
the transfer amounts to a new purpose, prescribed consent must be obtained from the
data subject unless it falls within one of the exemptions under the Ordinance.[4] However,
transferors should exercise caution when seeking to rely on an exemption under the
Ordinance as the basis for transferring personal data without obtaining the data
subjects’ prescribed consent pursuant to DPP3(1).
7.24
The transferor may also specify to the recipient the purpose for providing the personal
data to it in order to avoid misuse. Once so specified, any future use of the data by the
recipient will be restricted under DPP3(1). However, there are cases where the transferor
does not stipulate any purpose of use. The purpose of collection will then have to be
ascertained by considering the circumstances of the case. In case of doubt, it is prudent

[3] The AAB went on to examine the application of section 58(2)(a) to exempt from DPP3 the use of the data for a purpose
under section 58(1)(a), i.e. the prevention or detection of crime. The complaint to the management company related
to one of the acts of deliberate nuisance committed by some unidentified person or persons. In order to properly
investigate the complaint, the police needed the basic information, including the complainant’s name, address and
telephone number. The AAB found that the use of the data was for a purpose falling within the scope of section 58(1)
and hence exempted from the requirements of DPP3.

[4] Part 8 of the Ordinance.