Blood and stone

Yufen Chun 2019-06-26 6 min read {Philosophy} [Research]

Background

Data Protection Principles and its exceptions are difficult to understand, at least for some people.

Unfortunately this piece of legislation [Personal Data (Privacy) Ordinance of 1996] has been misconstrued and misunderstood (or simply not understood) by many in many circumstances. Government departments and private institutions often consider that it encourages secretiveness and lack of cooperation failing to understand that its purpose is to protect data where necessary, not to obstruct across the board. A frequently experienced, though minor example, is of the official, usually a low-ranking one, who on contacting a customer (potential or existing) and ascertaining that the latter’s identity accords with the details he has in front of him or her, is then asked in return who he or she is. The response is to give the name of the department or institution on whose behalf he or she is telephoning, or at best a Christian name, and then on further questioning to decline to give proper identification falling back on the lame excuse – “I am not allowed to give it – data protection!” (Square brackets added.) — Honourable Deputy High Court Judge Seagroatt, Chan Chuen Ping and The Commissioner of Police, HCMP 2741/2013, [2014] 1 HKLRD 142, paragraph 17.

Case No.: 2010C06

The Office of the Privacy Commissioner for Personal Data provides Complaint Case Notes to help the public to understand the Data Protection Principles.

A bank received a letter from the Police. Police asked the bank to provide the personal data of the Complainant for disciplinary investigation of the Complainant’s financial status. The Complainant was a police officer. The Police stated in the letter that the request was exempt from the provisions of sections 58(1)(d) and (2) of the Personal Data (Privacy) Ordinance. What should the bank do?

The answers are given in Case No.:2010C06:

The Bank should try to understand the details of the case and analyze objectively, and make enquiries with the Police to decide if the circumstances satisfied the requirements of section 58(1)(d) of the Ordinance.

On the other hand, section 58(2)(b) of the Ordinance stipulates that the exemption is applicable in a case in which compliance with DPP3 would be likely to prejudice the matters referred to in section 58(1) of the Ordinance.

The Bank should have reasonable ground to believe that non-disclosure of the Data would be likely to prejudice the purpose of section 58(1)(d).

In this case, even if the Bank had learnt about the details of the Police’s investigation of the Complainant, the Bank had to analyze the facts objectively to see whether it would be likely to prejudice or hinder the purpose of section 58(1)(d) if DPP3 was applicable.

Case No.: 2000E17

The organisation in Case No.: 2000E17 asked:

We are being investigated by a supervisory authority. We have kept computer logs for a short period for the purpose of fixing network problems. We are requested by the supervisory authority to provide the computer logs with respect to the activities of our staff to facilitate their investigation. We are concerned that such disclosure may affect the personal data privacy of our staff. The question is, in light of the Personal Data (Privacy) Ordinance (“the Privacy Ordinance”), whether we should accede to the supervisory authority’s request.

The answers are:

Epilogue

In HCMP 2741/2013, the Honourable Deputy High Court Judge Seagroatt went on to say:

  1. I thought we had advanced long past the stage when government departments, or other institutions owing duties to the public at large, or individuals, withheld from them, information which was needed to advance a potential remedy or possible cause of action, in reliance upon a misconstruction of the Personal Data (Privacy) Ordinance or of the High Court Ordinance, failing to realise that, as a matter of common law (and common sense), there was a duty to facilitate the administration of justice.
  1. I am told by Mr Lam [for the Applicant] that over the past 12 months he had been experiencing what I can only term as obstruction, in his attempts to obtain the usual information in the form of Police Reports to enable a civil action to be advanced. (Square brackets added.)
  1. Miss Chung [for the Respondent] was reluctant to indicate to me what advice has been given to the Commissioner of Police in respect of their response to such applications and more specifically the subject one before me, on the ground that it was privileged but I managed to persuade her that this was a matter of public interest, not a matter to be dealt with behind closed doors and therefore we should all know what the future held in store in the form of such advice. (Square brackets added.)
  1. She did in due course indicate that the Commissioner had been advised that discretion should be used in dealing with such an application and that the Data Protection Ordinance should be carefully considered. In my view this is not enough. The Commissioner should be advised as follows:
  1. In relation to accidents in general where the data comes into the possession of the Police, they are exercising a public duty in acquiring or receiving such data whether it has been reported to them or whether they have carried out their own investigations.
  1. Where an application is made to the Police by or on behalf of a party who has or may have a claim, i.e. is seeking a remedy for an act against him, arising out of an incident in respect of which the Police have acquired information relating to such act, they are obliged to provide such information upon payment of a reasonable fee.
  1. The Data Protection Ordinance does not inhibit such a response on its behalf nor can it justify any failure on the Police’s part to respond promptly and constructively to such request.
  1. Failure to respond accordingly is likely to constitute an obstruction to the administration of justice.