There has been a timely reminder that the Data Protection Principles are meaningful and require observance. They all have teeth. DPP 4(1) obliges a data user to take all practicable steps to ensure that the personal data held by the data user is protected against unauthorised or accidental access, processing, erasure, loss or use.
A well-known medical service provider in Hong Kong has over 100 medical branch centres across the territory, all of which provide general and specialist practice services and dental consultations. The collection and holding of extensive personal data and medical records of their patients is a prudent and ordinary incident of their normal practice. A substantial bulk of these medical records is regularly transferred to a central warehouse for storage.
At all material times the service provider had specific guidelines for handling and storing personal data, medical records and the cleaning of its premises.
All these guidelines were provided to staff at the time of employment and posted on the service provider’s premises. The service provider did not, however, provide training on personal data protection for its frontline staff before the incident on 15 March 2021.
In March 2021 an assistant of the service provider was performing her regular task of selecting the physical files to be sent to storage.
She put the selected files in a carton box towards the end of her working day and did no further work on it or with it. Because the carton box had been left near a waste paper receptacle, the cleaner took the carton box to be waste paper and disposed of it together with the contents of the waste paper receptacle.
On the next day the assistant informed her supervisor of the incident, although not required by the PDPO to do so, and on 2 June 2021 the service provider, as a matter of sound practice, lodged a formal data breach notification with the Privacy Commissioner for Personal Data (“the Commissioner”), who is required under the PDPO to monitor and supervise compliance with it.
On receipt of the notification from the service provider, the Commissioner immediately commenced a compliance check against the service provider to ascertain the relevant facts relating to the incident. Further information was obtained from the service provider, and the Commissioner formed the belief that the acts or practices of the service provider in relation to the incident might have been in contravention of the requirements of the PDPO.
The Commissioner sent officers to conduct an on-site inspection and concluded that the incident had been a data breach. Given that the service provider had control of the collection, holding, processing and use of the personal data concerned, it was deemed to be a data user under the PDPO and was required to comply with – and had failed to comply with – the requirements of the PDPO, including in particular the practicable personal data protection required by Data Protection Principle 4(1).
The report of the Commissioner summarised her findings as follows:
1. The incident was caused by human negligence, in that the carton box containing the personal data was not properly placed and carried no labels indicating its contents or their purpose. Placing the carton box near a waste paper receptacle wholly ignored the importance of the personal data inside it and was obviously negligent.
2. The policies and guidelines devised by the service provider for the protection of medical records were neither comprehensive nor specific, and the guidelines, even though duly communicated to the service provider’s frontline staff, did not prevent the incident from happening.
3. The service provider did not provide training for its frontline staff regarding the protection of personal data, which was another critical factor contributing to the frontline staff’s lack of awareness of data protection.
4. Given the sensitive nature of the personal data involved, the Commissioner considered that, while there is no statutory reporting obligation or any prescribed timing, the service provider should have lodged the notification with the Commissioner earlier; it in fact lodged the notification nearly 3 months after the incident.
5. The service provider, being a data user managing dozens of medical centres and processing a large number of medical records, had failed to devise comprehensive policies ensuring the proper collection, holding, processing and use of the medical records, to conduct appropriate risk assessments, to provide adequate training for its staff to instil data protection awareness, and to take all practicable security measures to prevent any personal data held by it from unauthorised or accidental access, processing, erasure, loss or use. These were serious deficiencies, and the service provider was accordingly in breach of Data Protection Principle 4(1).
In exercise of its powers under the PDPO, the Commissioner accordingly issued a notice in writing to the service provider directing it to: review all its policies and standard operating procedures/guidelines in relation to data protection; devise effective measures to ensure staff compliance with the policies; devise effective measures to monitor the compliance of staff and of any third party responsible for cleaning services at the medical centres; provide training for staff members on data protection, recording the training process properly and evaluating the level of staff participation and the effectiveness of the training; and provide documentary proof to the Commissioner, within 2 months from the date of the notice, showing the completion of these requirements. Contravention of such a notice may result in a maximum fine of HK$50,000 and imprisonment for 2 years on first conviction.