that there was no contravention of DPP3.

3

7.21

Generally, when a data subject has imposed a condition on the data user to keep his

personal data confidential, the most prudent practice is for the data user to obtain the

data subject’s prior consent before disclosing his personal data to a third party, and to

inform the data subject of the consequences of him failing to provide such consent (e.g.

inability to effectively deal with a complaint lodged by the data subject). It is worth

noting that the potential opportunity for a data subject to expressly stipulate the

purposes of use in relation to his personal data, exists only on or before the collection of

the data. It is generally not open to a data subject, whose personal data has already

been collected or even used by a data user, to unilaterally introduce thereafter any

restriction on or modification to the purposes of use.

7.22

For personal data that is intended by the data subject to be held by the data user in

confidence, the mere fact that there might exist a duty of confidentiality does not thereby

necessarily render the disclosure by the data user a breach of DPP3(1). The tenet is the

purpose of disclosure. A complainant in his complaint to the Commissioner alleged that his

employer had wrongfully disclosed the fact that he was subject to disciplinary

proceedings (which he claimed to be a confidential matter) to his doctor when

requesting a medical certificate as to his mental and physical fitness to attend the

proceedings. The evidence supplied showed that the disciplinary proceedings had been

postponed several times as a result of his production of sick leave certificates. The

Commissioner found that the personal data was collected for deciding the employment

matter of the complainant and the disclosure of such disciplinary proceedings to his

doctor for certifying his fitness to attend the proceedings was, in the circumstances of the

case, proper as it was for the same or directly related purpose under DPP3. This view was,

on appeal by the complainant, upheld by the AAB in AAB No. 26/2004.

Transferring Personal Data between Data Users

7.23

Sometimes, personal data is transferred by a data user (“the transferor”) to another data

user (“the recipient”). Such transfers of personal data must comply with DPP3(1), i.e. if

the transfer amounts to a new purpose, prescribed consent must be obtained from the

data subject unless it falls within one of the exemptions under the Ordinance.

4

However,

transferors should exercise caution when seeking to rely on an exemption under the

Ordinance as the basis for transferring personal data without obtaining the data

subjects’ prescribed consent pursuant to DPP3(1).

7.24

The transferor may also specify to the recipient the purpose for providing the personal

data to it in order to avoid misuse. Once so specified, any future use of the data by the

recipient will be restricted under DPP3(1). However, there are cases where the transferor

does not stipulate any purpose of use. The purpose of collection will then have to be

ascertained by considering the circumstances of the case. In case of doubt, it is prudent

3

The AAB went on to examine the application of section 58(2)(a) to exempt from DPP3 the use of the data for a purpose

under section 58(1)(a), i.e. the prevention or detection of crime. The complaint to the management company related

to one of the acts of deliberate nuisance committed by some unidentified person or persons. In order to properly

investigate the complaint, the police needed the basic information, including the complainant’s name, address and

telephone number. The AAB found that the use of the data was for a purpose falling within the scope of section 58(1)

and hence exempted from the requirements of DPP3.

4

Part 8 of the Ordinance.