Complaint Case Notes

編號: 0015/2011/IP

標題: A Public Department partially publishes the identity card numbers of residents in a list of approved candidates in a public recruitment exam

立案原因: Reports


    Candidate X indicated that Government Department A published the full Chinese and Portuguese names, as well as part of the identity card numbers (5 out of the 8 numbers) in a public recruitment exam it opened to recruit a 2nd class assistant-technician and a 2nd class technician.
  Candidate X considers that Department A published too much personal information and that consequently his superiors and colleagues were all aware that he had participated in that public exam. He filed a complaint with this Office (GPDP), as he believed that Department A’s conduct breached the “Personal Data Protection Act”.
  He also requested GPDP to intervene in this case and void the public exam.


    In accordance with the provisions in articles 4.1.(1) and 3.1 of the Personal Data Protection Act, the data processing involved in this case is within the scope of regulation by the said Act.
  After consulting the candidates’ list and examining the information published by Department A on the Internet, GPDP discovered that the Department A did in fact conceal 3 of the digits of each of the identity card numbers. GPDP discovered that 2545 people participated in the public exam to recruit a 2nd class assistant-technician, and 1993 people participated in the public exam to recruit a 2nd class technician.
  GPDP believes that the “Regulations on Workers of the Public Administration”, approved by Decree-Law no. 87/89/M (hereinafter referred to as the ETAPM) is applicable to public exams opened with the purpose of recruiting permanent staff-members. The ETAPM regulates the procedures regarding the preparation, publication and other procedures relating to temporary, definitive and results lists. It aims to ensure that the public exams organized by the government are transparent, fair and impartial for all the public to see.
  According to Article 25.3 of the ETAPM, there are no regulations regarding the organisation of public exams for the recruitment of AQ contract staff. As such, taking into account the specific situation and in accordance with the articles on public exam procedures provided in the ETAPM and the Personal Data Protection Act (particularly Articles 2 and 5 regarding the general principles for the processing of data and the principle of proportionality), Department A can make its own decisions regarding the treatment of personal data in public exams for the recruitment of AQ contract staff.
  As a large number of people participated in this public exam, there could be several occurrences of identical names. This means that the names alone would be insufficient to identify the candidates. To counteract this, Department A decided to publish the identity card numbers of the candidates in order to better distinguish them, which is a reasonable and appropriate objective. Government Department A used this method to handle the data in order to ensure that the public exam would be transparent, fair and impartial, which corresponds to the legal provisions established in the ETAPM and the “Personal Data Protection Act”.
  However, publishing the candidates’ personal information on the Internet may easily lead to dissemination in public networks without proper security measures. If Department A were to use image files, it could prevent other people from easily accessing the personal data of the candidates. There is, therefore, room for improvement by Department A.
  Candidate X’s request to void the exams falls outside GPDP’s competence.
  In summary, Department A published the identity card number of the candidates for identification purposes and did not breach the provisions of the “Personal Data Protection Act”.


    The GPDP sent an official letter to Department A containing the above mentioned analysis and recommended that it could use image files when posting personal information on the internet in the same situation in the future, so as to prevent the candidates’ personal data from being easily searched by third parties.

Please refer to "Personal Data Protection Act", articles 2,3,4,5 .