Personal Data (Privacy) Law in Hong Kong – A Practical Guide on Compliance

finding of no contravention, the complainant appealed to the AAB. The appeal was

subsequently dismissed.

7.42

In some circumstances, an authority or organisation who receives a complaint may find it

necessary to disclose the details (including personal data of the complainant) to the

person being complained against for the purpose of investigating the complaint. In AAB

No. 33/2012, the AAB pointed out that when a person is faced with a serious accusation of

having committed a criminal offence, and where the credibility of his accuser is crucial to

the law enforcer’s decision as to whether or not to launch a criminal prosecution, it is only

fair that the accused person be informed of the identity of his accuser, so that he may

respond to the accusation and explain why the accusation should not be pursued. The

disclosure of the accuser’s identity in that case was considered important and desirable

for the purpose of conducting a fair and proper investigation, and thus there was no

contravention of DPP3. Similar decisions were reached by the AAB in AAB No. 8/2014 and

AAB No. 1/2015.

Both cases involved the disclosure of complaint details received by an

organisation to the person being complained against for the purposes of resolving the

disputes or investigating the complaint. In each case, the AAB considered the

circumstances of the cases and decided that such disclosure was directly related to the

original purpose for which personal data contained in the complaint was collected.

However, it should be assumed that the identity of an informant should or may be

disclosed to the accused person by the investigating authority or organisation in every

case. There may well be statutory provisions or common law principles which prohibit such

disclosure. The relevant data user should always observe the requirements under DPP3

(unless an exemption applies) and consider if the disclosure would be justifiable in the

circumstances.

Data User to Avoid Disclosing Unnecessary and Excessive Personal Data

7.43

Notwithstanding that there may be legitimate purpose(s) for transferring personal data

to a third party, care should be taken to ensure that the amount and the kind of

personal data used are necessary for attaining such a purpose. For instance, the transfer

of a copy of the identity card of a debtor by a creditor to debt collection agents may

not be necessary for the purpose of debt recovery and as such may contravene

DPP3(1). The provision of the address and contact data of a debtor would generally

suffice for the purposes of locating and contacting the debtor.

7.44

Any excessive disclosure of personal data not necessary for the purpose of use will risk

contravening DPP3, in particular where such personal data is made public and the

damage that is likely to occur to a data subject upon wrongful disclosure may be

significant, having regard to the nature and the type of personal data involved.

Sometimes the extent of disclosure may exceed the reasonable privacy expectation of

the data subject, and thus might become the subject of a potential dispute.

AAB No. 17/2002

. In the course of hearing the evidence, it emerged that the complainant did in fact give her written

consent to the disclosure of her medical records to the Medical Board. In another AAB case,

AAB No. 11/2004

, an

educational institution’s disclosure of the evaluation questionnaire on a staff member completed by students to an

academic committee for the staff assessment review was held to be a directly related purpose in the circumstances of

the case.