Complaint Case Notes

編號: 0027/2008/IP

標題: The school registration form

立案原因: Reports


    A local middle school A is alleged to require its students to submit their registration forms each year on their renewal of enrolment registration, even if their data remain unchanged, together with copies of their parents’ ID documents, copies of the students’ passes for travel to the mainland.
  Resident X believed that School A over-collected personal data, and did not respect the data subjects’ right to information. X believed these behaviours violated the Personal Data Protection Act and filed a complaint with this Office (GPDP).


    In accordance with the provisions in articles 4.1.(1) and 3.1 of the Personal Data Protection Act, the data processing involved in this case is within the scope of regulation by the said Act.
  School A explained that it required only certain students (students of the junior first year, senior first year, senior third year and all the new students) to submit their “enrollment registration forms” and copies of student card, copies of their valid ID documents and that of their parents or guardians. It was not an annual collection measure, nor was it compulsory for students to submit copies of their passes for travel to the mainland. The school collected the required data to build, update and compare its student databases. Besides, to ensure accuracy of the student data, the school collected students’ personal data again before preparing the students’ diplomas. In addition, when the students participated activities that organized in mainland China, the school might collected the passes for travel to the mainland. In summary, X’s allegation was not true.
  In GPDP’s opinion, tt is legitimate for School A to process the personal data of its students and their parents or guardians for the purposes of fulfilling its legal and managerial obligations in accordance with Article 6 of the Personal Data Protection Act and no. (1) of Article 29 of Decree-law 38/93/M (Regulations of Private Non-tertiary Education Institutions) and Decree-law 81/92/M (Organic Law of the Education and Youth Affairs Bureau).
  Besides, the data collected with the “student enrolment registration form” include student’s religion and “the date and place of baptism” fall in the category of religion data defined in Article 7.1 of the Personal Data Protection Act as sensitive data. Regarding the collection of religious data, School A as a Catholic school also has the legitimacy in collecting and handling students’ sensitive data for the purposes of arranging for the students’ church activities, in compliance with Article 7.3.(2).
  The practice of requiring certain students to submit their “enrolment registration forms” is in line with the requirements of the school’s obligations to manage student database and provide accurate student data to the Education and Youth Affairs Bureau, as is the practice of regular updating student registration data and checking them with the collected copies of students ID documents. School A’s practice of collecting copies of students’ “passes for travel to the mainland” is proved necessary for facilitating the students in providing data to travel agencies. Its collecting student religion data for the arrangement of religious activities is also proved pertinent with the purposes of its activities, and thus meets the provisions of Article 5 of the Personal Data Protection Act.
  On the other hand, there is no evidence indicating that the school has failed to take any measure to protect the student data it undertook to process.
  However, as a data controller, the school failed to provide adequate information to data subjects about its data processing as required by Article 10 of the Personal Data Protection Act. Therefore, there was room for improvement.
  In Summary, although School A’s data processing might be not in compliance with Article 10 of the Personal Data Protection Act, it did not constitute an administrative offence. However, there was room for improvement.


    GPDP sent a letter to School A, advised that A should prepare its statement on personal data collection and policy on student data processing, and make sure that its students are properly informed.
  School A replied and accepted GPDP’s recommendations.

Please refer to "Personal Data Protection Act", articles 3,4,5,6,7,10 .