Complaint Case Notes

編號: 0122/2015/IP

標題: Hospital documents scattered on street

立案原因: Active Intervention


    Early in the morning of October 13th 2015, batches of medical documents of the Centro Hospitalar Conde de São Januário (CHCSJ; hereinafter as “the Hospital”), under the Health Bureau, were found scattered on the Dr. Rodrigo Rodrigues Avenue.  The Office for Personal Data Protection (GPDP) immediately initiated investigations after knowing the incident.


    On October 15th 2015, the GPDP received a written notification from the Health Bureau.  The following information was received after contacting the Health Bureau on two occasions by writing.
  1. Causes of the incident:
  Two employees of the Health Bureau, on October 12th 2015, failed to follow the procedures set out in Guidelines for the Handling of Confidential Waste, which formalize that confidential waste must first be torn into shreds before being dispose of or handed over to the Hospitality Division to handle.  On the contrary, for convenience they bagged the waste into black refuse sacks and discarded them as ordinary waste.  Altogether six bags of confidential waste were packed with black refuse sacks for disposal. 
  During the same evening, the Macau Residue System Company, Ltd (Companhia de Sistemas de Resíduos, Limitada/CSR), as usual, collected waste from the Hospital.  However, one of the waste trucks was not functioning properly as its crusher panel failed to force the waste into the body of the truck.  The truck driver decided to use another truck but meanwhile a bag of the waste dropped out from the vehicle unnoticed. 
  Some time after midnight, the Health Bureau sent staff to the mentioned location to pick up the scattered documents, and at the same time the CSR also deployed staff to collect the strewn documents and to examine if any were left on the route the truck travelled, in order to confirm that no documents were left uncollected.   
  1. The documents found on the street were issued by the Department of Clinical Pathology and the Department of Hematology Laboratory of the Hospital, mainly consisting of laboratory reports, different test applications, etc.  These documents contained patients’ medical card number, ID card number, name, date of birth/age, gender, type of clinic visited, test items and results.
  2. Before this incident, the Health Bureau already formulated the Waste Management Guidelines for the Personal Data Protection Act (Conjunto de Guias de Lei da Protecção de Dados Pessoais); Guidelines for the Treatment of Confidential Waste; Guidelines for Confidential Waste Processing–Requirements for Contractor and Cleaners; and the Guidelines for Confidential Waste Processing–Requirements for the Hospitality Division .
  The Guidelines for the Treatment of Confidential Waste requires that any waste that contains personal data must be treated as confidential waste, with which every department of the Hospital must follow the processing procedures in the same Guidelines.  The Guidelines further defined confidential waste into four categories—papers and photos, video tapes, medical items, and computer equipment and computer items.  The Guidelines also established the respective handling procedures and the responsible departments, setting down instructions on the handling of confidential waste of paper documents and photos as follows:

(1) Before handled as ordinary waste, paper documents and photos of confidential waste nature should be shredded by the department itself, on a daily basis.  The shredded waste will be transported by the CSR, along with other hospital waste, to the Macau Solid Waste Incineration Center (hereinafter as “Incineration Plant”) in Taipa.
(2) In case of bulk waste, a department can contact the Hospitality Division and ask to collect the confidential waste on a regular basis.  But such waste should be disposed of in a confidential waste sack and secured by cable ties to avoid spillage, before it is collected by the contractor that provides cleaning services.  When refuse sacks are handed over to the contractor staff, the bags will be registered and reconfirmed whether they are packed with the dedicated refuse sacks and the contents inside are secured.  Secure tags will be used to specify the abbreviation of the department that generated the waste.  Porters of the contractor will move the collected sacks with a trolley to the waste trucks, which are built with covered hoppers. Staff from the Hospitality Division will present while the waste is hauled to the Incineration Plant.  The Hospitality Division has the responsibility to monitor the contractor, including ensuring the number of refuse sacks collected corresponds with that the departments registered, whether cable ties were used to secure the contents inside the waste sacks, sending staff to monitor when refuse sacks are hauled offsite for incineration, keeping records, etc.  
  1. On the day after the incident happened, the Health Bureau issued an internal order to require its staff to shred all the unwanted documents and photos once they were found containing personal data or confidential information.  The Guidelines for the Treatment of Confidential Waste were also updated.  The updated Guidelines asked staff to shred the confidential documentation and photos on a daily basis before they are disposed as ordinary waste, and the Hospitality Division will no longer collect confidential waste on a regular basis. Confidential waste, after being shredded, must be securely put into dedicated green sacks and sealed, and then disposed of after they are weighted.  Departmental heads should have records of the number of refuse sacks asked for each month, the number of sacks used and the weight of each filled sack.  Keeping records as such will help derive statistics for monitoring the handling of confidential waste.
  Since the scattered documentation on the street contained the identity information and test results of the patients, they should be treated as the sensitive personal data relating to the health information of data subjects.  The Health Bureau’s processing of such data should be in compliance with Article 15 and 16, Chapter IV, of the Personal Data Protection Act (PDPA)in which security and confidentiality of processing are provided for.  

  Article 15 of the PDPA specifies that:
  1. The controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
  2. Where processing is carried out on his behalf the controller must choose a processor providing sufficient guarantees in respect of the technical security measures and organisational measures governing the processing to be carried out, and must ensure compliance with those measures.
  3. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that the processor shall act only on instructions from the controller and that the obligations referred to in paragraph 1 shall also be incumbent on the processor.
  4. Proof of the will to negotiate, the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 1 shall be in writing in a document legally certified as affording proof.
  Article 16 of the PDPA regulates that:
  1. The controllers of the data referred to in paragraph 2 of Article 7 and Article 8 shall take appropriate measures to:
  1) prevent unauthorised persons from entering the premises used for processing such data (control of entry to the premises);
  2) prevent data media from being read, copied, altered or removed by unauthorised persons (control of data media);
  3) prevent unauthorised input and unauthorised obtaining of knowledge, alteration or elimination of personal data input (control of input);
  4) prevent automatic data processing systems from being used by unauthorised persons by means of data transmission facilities (control of use);
  5) guarantee that authorised persons may only access data covered by the authorisation (control of access);
  6) guarantee the checking of the bodies to whom personal data may be transmitted by means of data transmission facilities (control of transmission);
  7) guarantee that it is possible to check a posteriori, in a period appropriate to the nature of the processing, the establishment in the regulations applicable to each sector of which personal data are input, when and by whom (control of input);
  8) in transmitting personal data and in transporting the respective media, prevent unauthorised reading, copying, alteration or elimination of data (control of transport).
  2. Taking account of the nature of the bodies responsible for processing and the type of facilities in which it is carried out, the public authority may waive the existence of certain security measures, subject to guaranteeing respect for the fundamental rights, freedoms and guarantees of the data subjects.
  3. The systems must guarantee logical separation between data relating to health and sex life, including genetic data, and other personal data.
  4. Where circulation over a network of the data referred to in Article 7 may jeopardise the fundamental rights, freedoms and guarantees of the data subjects concerned, the public authority may determine that transmission must be encoded.
  The confidential waste handling procedures of the Health Bureau are amid its final stage of personal data processing (deletion or destruction of data), instead of being any intermediate procedures.  Such procedures do not relate to its information system, and therefore the five types of control measures–control of entry to the premises; control of input; control of use; control of transmission; and control of input posteriori–as laid down in Article 16 do not apply.  
  Despite the fact that the Health Bureau formulated two different sets of handling procedures for documentation and photos, the Guidelines for the Treatment of Confidential Waste also stated that the Hospital staff should first try to process the confidential waste, according to the Guidelines requirements, as much as they can and without delay, and should avoid accumulating or transferring the waste for other departments to handle.   In addition, such kind of waste should be treated as confidential waste before the handling procedures are completed in order to avoid data leaks. 
  Firstly, when confidential waste are shredded and then handled as ordinary waste, the data in the latter are no longer identifiable.  The shredded waste will be transported to the Incineration Plant directly from the Hospital by the CSR.  At this stage, the data media do not allow the data to be read or used, and also data can hardly be copied, amended or taken away.  This type of data processing is in compliance with Article 16(1)(2), 16(1)(5) and 16(1)(8) of the PDPA. 
  On the other hand, when confidential waste is not handled by the department that generated the waste and awaited for collection by the Hospitality Division, the former should first pack the waste with the dedicated sacks and use cable ties to secure, ensuring that both the staff of the Hospitality Division and, the contractor staff, who are responsible for the cleaning services, are unable to access the intact documentation and photos inside.  When confidential waste is being handed over, the contractor has to register the number of sacks collected, in addition to putting the refuse sacks in trolleys with closed chambers during the haul.  In the event of finding any sacks broken or loosely tied, the contractor has to immediately inform the Hospitality Division to follow up.  Finally after the Hospitality Division confirmed the number of sacks handed over by the departments, they are all transported to the Incineration Plant under the monitoring of the Division staff.  These procedures revealed that specialized measures were introduced for the control of data media, control of access, and control of transport, in a bid to prevent unauthorized access, copying, amendment of the information or information being taken away when they are hauled from the source (different departments) to the Incineration Plant. This revealed that the measures complied with requirements given in Article 16(1)(2), 16(1)(5) and 16(1)(8) of the PDPA.
  In fact, shredding unwanted paper documents and photos that contain personal data is a safe practice that is widely adopted.  No matter confidential waste is processed in any of the two methods as mentioned, normally staff other than those working for the Hospital and could have access to such waste are those who work for the CSR and the approved contractor that provides cleaning services.  Both of them directly convey the confidential waste from the Hospital to the Incineration Plant, and in the normal hauling procedures no additional risks, caused by unnecessary contact of information or operations, are created.  Moreover, the Health Bureau also formulated three sets of handling guidelines for the three parties that involve in handling the waste, namely different departments of the Hospital, the Hospitality Division and the contractor that provides the cleaning services.  Aside from these guidelines, for the contractor the Health Bureau also included its handling requirements in the terms and conditions of the outsourcing contract and rules of the contractor acceptance agreement.  According to these requirements, the contractor employees are bound by professional secrecy, and should not open any sealed sacks containing confidential waste or use the contents inside for other purposes and the waste handling shall be monitored by Hospitality Division. 
  The above showed that the said measures fulfilled the requirements for personal data protection and surveillance that a data controller should impose on its data controller, being in compliance with Article 15 of the PDPA. 
  If the staff of the Health Bureau had strictly followed the two types of processing procedures as mentioned to process the confidential waste that contained the paper documents and photos, the incident happened on October 12th 2015 would have been avoided, and no confidential waste would have dropped out from the waste truck and no intact documentation would have been scattered on the street.  Due to the fact that the waste treatment procedures and measures adopted by the Health Bureau were in line with the security measures required by Article 15 and 16 of the PDPA, the Health Bureau should not be liable to the confidential waste spillage.  After the incident, the Health Bureau also improved its practices by asking each department to shred its own discarded documentation and photos, and established this as the only way to handle confidential waste.  The shredded material should be packed with designated green sacks and sealed properly.  These sacks will be weighted before they are discarded. 
  The mentioned measures ensured that no intact documents or photos will be leaked and also reduced the number of employees involved and streamlined the procedures of the waste handling (with which the Hospitality Division and cleaning service contractor will no longer handle un-shredded confidential waste for other departments).  As such the chances of data leaks are reduced and risks are lowered, in addition that a constant monitoring mechanism is therefore established to supervise the disposal of confidential waste and the statistics derived can also help detect irregularities and misconduct by any staff.


    The issues of the current case mainly involved the security of personal data processing. Considering the sets of Guidelines that were already in place before the incident happened on October 12th 2015, along with the set of procedures formulated for the handling of discarded documentation and photos that contain personal data, the Health Bureau should not be liable for the current case as its security measures were in compliance of Article 15 and 16 of the PDPA. 
  Despite the fact that the incident was not caused by procedural problems, but the Health Bureau should learn from it and strengthen its monitoring procedures, to prevent any undiscovered misconduct caused by procedural non-compliance.  Considering that the Health Bureau has already improved its handling methods accordingly and established a constant mechanism to monitor staff’s compliance of procedures to prevent any similar incidents, the current case was therefore closed.

Please refer to Article 15 and 16 of the Personal Data Protection Act.