Personal Data Privacy: Real-life situations in business
Roy Grubb answers some of the questions that have come his way during seminars and consulting on compliance with the new Personal Data (Privacy) Ordinance.
We are an insurance company in HK. Recently we asked the doctor of an insured person who had just died for some information about the insured's medical background. The doctor refused, citing the Personal Data (Privacy) Ordinance as his reason. Are there any exemptions for such a case?
The Ordinance does not apply to information about individuals who are no longer living so the doctor’s excuse was not correct. At the same time the Ordinance does not provide any means to force the doctor to give the information to the insurance company.
In future, we expect insurers who are not already doing so to ask insured persons to sign medical records release authorisations that survive the insured’s death. Once these have worked their way through the system as policies are renewed, this problem should become much smaller.
We are a ship-management company with vessels crewed through agencies worldwide. These agencies supply us with personal data about members of the crews, but they do so in confidence under the agency agreement that we sign with them. How do we deal with a request from a crew member, or former crew member, for a copy of the personal data we hold?
If you have a contract that states that a data user gives you information on condition that you do not reveal it, then generally you should follow that. What you must do is pass on contact details of the data user who does control the information, so that the data subject may approach them. If a data user outside Hong Kong controls the data, they cannot be forced to comply.
This may look like a convenient way of hiding troublesome data, but the indication from the Privacy Commissioner’s Office (PCO) is that in case of any complaint, they would expect to see that the overseas control was real, and not one constructed to hide personal data from the HK Ordinance. If they felt that the arrangement was not genuine, the PCO might issue an enforcement notice to the Hong Kong-based company, depending on the case.
We are building contractors who regularly employ teams of casual labourers. We keep records of staff who have worked with us before and have notes about some individuals who we would never employ again. Do we have to reveal this information, if the individuals concerned ask for copies of their data?
Yes. The Ordinance gives people the opportunity to correct information about themselves, and without an opportunity to request copies and corrections, the blacklisted workers could be discriminated against because of wrong information. One approach would be not to flag these workers as ‘blacklisted’ but to record the factual event that caused you to see them as unemployable: "Drinking alcohol on site, 31/5/96" for example.
If you do intend to keep information about former employees, you should consider the original purpose of the data. You could define the purpose (on a job application form, say) to be sufficiently broad to cover the long-term staffing needs of the company. Alternatively, you might specify the purpose as covering just the relationship with staff. In the second case, keeping a blacklist would seem to be outside the limits of Principle 2 (2): ". . . not be kept longer than is necessary for the fulfillment of the purpose . . .".
We are auditors and we may have to keep notes about directors of client companies, especially if we find indications that future irregularities may occur. Can the subject of these notes ask to receive copies? If so, their purpose would be defeated.
Section 58 provides answers if the ‘irregularities’ fit one of the matters there. It says that personal data kept for the purpose of preventing crime, seriously improper conduct, dishonesty or malpractice, etc. need not be shown to the data subject if doing so would prejudice their purpose, or identify the person who provided the information. Sometimes, if the individual just knows of the existence of data of this type, then its value in detecting irregularities will be reduced. Section 63 may then allow you to avoid saying that you even have such data.
We provide information technology services to many companies. We process data, including personal data, for them. If we receive a data access request, will we have to search our clients’ data and provide copies, if these data include reference to the person making the request?
This situation is similar to the problem with ship-management crew data. Assuming that you have a contract to process the data only in accordance with your client’s instructions, you have no control over their use. When a data subject requests access, you have a right to ask for identification and the information necessary to find their record. This will show them to be a customer (say) of one of your clients. The Ordinance allows you to deny access if you do not control the data in any way (Section 20(3)(d)). Even so, you still have to inform data subjects who ask, whom they may contact for copies of their data.
A company that enters into a processing contract like this with a computer bureau is liable under the Ordinance for any breaches of security or the like. A clause in the contract indemnifying them against the bureau’s faults would be a wise precaution.
Roy Grubb manages G&A Management Consultants Ltd.
See their Internet pages at www.privacy.com.hk for more about how the new privacy laws will affect your business. Fax questions to 2857-1133.