個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes
Print

No: 0103/2015/IP

Title: Published consultation result contained personal data

Reason: Active intervention

Brief:

    After finding out that a public department, Department A, in a public consultation result it complied and published, disclosed the personal data of a number of individuals, the GPDP (Gabinete para a Protecção de Dados Pessoais) decided to initiate an investigation.  The investigation result showed that the said compilation contained the names of those who gave in their written opinions, not least it revealed the complete address and contact numbers of one of the concerned individuals.  Apart from this, a citizen’s email address and ID numbers were shielded by black boxes though, the printing quality made the data discernible.   
  At the same time, in another consultation compilation Department A also published the complete names of those submitted their opinions.  The complete address and pixelated contact numbers of an individual were revealed in the compilation document; incongruously another individual’s ID numbers and address were replaced by “X”. 

Analysis:

    Article 4(1)(1) of the PDPA regulates that “‘personal data shall mean any information of any type, irrespective of the type of medium involved, relating to an identified or identifiable natural person (data subject)”. The gathered opinions were compiled and published online or through written copies, in which personal data, at least included the names of those provided their opinions, were included and they qualify as personal data.  Under Article 3(1) of the PDPA, such data should be regulated by the same Law.  
  The GPDP learnt that the described consultation was conducted on an anonymous basis, on which citizens were free to express their opinions.  If they voluntarily provided their personal data, Department A would then process the personal data on the purpose of collecting the opinions for the compilation.  In other words, it processed the personal data with the legitimate processing criteria achieved−−in compliance with Article 6 of the PDPA.  However, Department A still had to comply with the principles as Article 5 of the same Law sets out, notably the principle of proportionality laid down in Paragraph 1(3) of the same Article.  
  In fact, the forms as produced for collecting the opinions did not provide any spaces for entering personal data.  In other words, the mentioned personal data were provided voluntarily by the citizens.  Department A published the names of the individuals in order to truly depict the opinions collected and to prevent suspicions of fabricated consultation.  More specifically, Department A did not intend to criticize, or encroach on the interests of, those given in their opinions.   Just the same, showing the individuals’ names along with their opinions was a sign of respect, in addition that the names could be fictitious or of people with the exact same name.  That being so, if the information published only included the names, instead of including information of any other sorts, was acceptable.  
  Saving the names, the compilation also published the complete addresses, contact numbers, email addresses and identity numbers, all of which were either improperly concealed or even unshielded.  As long as the street or building name of an individual was revealed, his location would then be exposed, although location information or address of those who gave in their opinions, under certain circumstances, rendered important to the consultation result. Likewise, it was unnecessary to reveal one’s floor number or block number; equally it was unnecessary, and for no reason, to publish their contact numbers.  As a matter of fact, in one of the consultation compilation it published before, Department A also obscured the said types of data, in which case intentional disclosure of such data left unjustified. 
  Concerning the individuals’ email addresses and ID numbers, Department A expressed that such data must be concealed but they were still visible because of improper concealment, due to the typesetting and printing problems caused by the contracted companies.  Under Article 15(2) and 15(3) of the PDPA, Department A should be held accountable for its failed regulatory responsibilities.  Put differently, negligence was found as it failed to notice the unmasked addresses and contact numbers, as well as the improperly concealed email addresses and ID numbers.  Such over-dependence on the contractor and the failure to fully observe its monitoring obligations were the central causes of the current case.  
  According to Department A, for internal and confidential documents it had already formulated guidelines, which are, however, not directly governing the processing of personal data relating to consultation compilation.  Staffers were lacking instructions to adhere to regarding what types of data should be published and what should be concealed, specifically saying.  With this, Department A was found violating Article 15 of the PDPA. 
  The current case stemmed from Department A’s negligence, which made the addresses, contact numbers, email addresses and ID numbers of certain individuals, who expressed their opinions for the consultation, exposed to the public, which was unnecessary for the purpose of showing a true view of the consultation result.  Considering that the written copies of the compilation were available to the public and accessible online, the disclosed personal data, therefore, is prone to illegal abuse.  Concurrently, subsequent forwarding or dissemination would be uninhibited and the GPDP, taking this into account, came to the conclusion that this was a violation of the principle of proportionality as laid down in Article 5(1)(3) of the PDPA. 

Result:

    The analysis of the mentioned facts led to the conclusion that Department A violated Article 5(1)(3) and 15.   To the first violation, with reference to Article 33(1) and 35(1) it shall constitute administrative offenses; considering the it was an unintentional violation caused by insufficient monitoring, instead of deliberate violation, and its cooperativeness during the investigations, the remedial measures introduced and other factors, the GPDP decided to impose a penalty of MOP$10000.

Reference:
Please refer to Article 3, 4, 5, 6, 15, 33 and 35 of the PDPA.

Back

Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116