Complaint Case Notes

編號: 0037/2011/IP

標題: Filming a medical procedure

立案原因: Referral


    The Office for Personal Data Protection (GPDP) received a referral from the Health Bureau regarding a complaint made by Citizen A that Doctor B filmed himself carrying out a dental implant procedure on Citizen A without his consent, thereby invading his privacy.
  As the complaint involved the possible breach of the provisions of the “Personal Data Protection Act”, the Health Bureau forwarded the case to GPDP for follow up.


    The data processing of current case is regulated by the “Personal Data Protection Act” under Article 4(1)( 1) and 3(1) of the “Personal Data Protection Act”.
  After viewing the information from the Health Bureau website, it was confirmed that Doctor B is a registered dentist.
  According to the information provided by Doctor B, he had asked Citizen A to open his mouth to take pictures. Citizen A saw and knew what was happening at the time and never expressed his dissatisfaction or raised an objection. Doctor B expressed that the purpose of filming the dental implant procedure was to improve the follow-up services after tooth loss surgeries. The data photographed by Doctor B was kept in Citizen A’s personal file locked inside his personal office. The data was processed by Doctor B and not used outside of the medical treatment and all of the photos would be deleted upon completion of the treatment. Similar types of photos were taken within a period of four months and Citizen A raised no objections during the payment of the repeated follow-up consultations, and signed the confirmation receipts. Of the 3 treatment receipts that Doctor B provided, two contained Citizen A’s signature. Moreover, the receipts all contained the following reminder: “I clearly understand the doctor’s description of the entire medical treatment procedure, and hereby give my consent to this person to provide me with the corresponding medical treatment, which I confirm through my signature and payment.”
  In this case, although the photos taken were of the oral cavity area, each person’s teeth have unique characteristics such as shape, arrangement, degree of wear and dental arch shape, due to the differences in each person’s age, sex, nationality, living area and eating habits. As such, the person’s teeth can be used to confirm his or her identity. In addition, all of Citizen A’s photos were stored in a subdirectory of Doctor B’s personal computer. As Doctor B had stated that those photos were taken for Citizen A, his identity could be confirmed, making this information fall under the definition of “personal data” specified in Article 4(1)(1) of the “Personal Data Protection Act”.
  Doctor B expressed that he is a dentist at Medical Center B. In order to provide the customer with better follow-up services, the center asks its doctors to take photos during the dental implant procedures. In addition, all of Citizen A’s proofs of payment were issued under the name of Medical Center B. It was therefore clear that Medical Center B was the controller for the personal data processing as specified in Article 4(1)(5) of the “Personal Data Protection Act”.
  Citizen A’s dental health and further treatment needs could be determined from the photos provided by Doctor B and this data consequently falls under the definition of sensitive data related to healthcare matters provided in Article 7 of the “Personal Data Protection Act”.
  In this case, there was no evidence that Doctor B possessed legitimacy beyond the data subject’s consent, in accordance with Articles 6 and 7 of the “Personal Data Protection Act”, thus the data subject’s consent was the only way to prove Doctor B would have had the legitimacy to take the relevant photos.
  According to the information provided by the Health Bureau and Doctor B, Citizen A had full knowledge of and did not object to Doctor B taking photographs of him during the dental implant procedure. This is a free, specific and informed consent given by the data subject, in line with Article 4(1)(9) of the “Personal Data Protection Act”. As to the processing of sensitive data, in accordance with Article 7(2)(3) of the same Act, the data subject must give his or her “explicit consent” (consentimento expresso), which can be given verbally, in writing or through the data subject’s explicit actions. In this case, the information provided by Doctor B indicated that the photos were taken during a 4-month period with each session lasting over an hour and each photo taken more than one minute following the previous one. After the photos were taken, Citizen A continued to receive treatment from Doctor B at least three more times, two of those times having been dental implants. The information provided by the Health Bureau indicated that Citizen A chose to receive treatment from Doctor B consciously and autonomously. Therefore Citizen A’s conduct clearly reflected his consent to Doctor B to proceed with the photos, in accordance with Article 209 of the “Civil Code” which states that it can be “otherwise given through any direct manifestation of the subject’s will”. As such, the aforementioned situation complied with the requirement of explicit permission.
  In this respect, Doctor B’s taking of relevant photos possessed the legitimacy of “when the data subject has given his explicit consent for such processing” as specified in Article 7(2)(3) of the “Personal Data Protection Act”.
  When processing Citizen A’s personal data, Medical Center B not only satisfied the legitimacy criteria specified in the “Personal Data Protection Act”, but also followed the principles of data processing which includes the requirement that the data can be “collected for specified, explicit, legitimate purposes and for purposes directly related to the activity of controller” as specified in Article 5(1)(2) of the same Act, and the principle of adequateness as specified in sub-paragraph 3 of the same paragraph.
  None of the photos taken involved situations beyond the dental implant procedures and the photos taking was one of the methods for recording the progress of the medical treatment. Since neither the Health Bureau nor Citizen A could provide any evidence to prove Doctor B using the photos other than the treatment purposes, there was no evidence that Medical Center B breached Article 5(1) (2) and sub-paragraph (3) of the “Personal Data Protection Act”.
  In summary, no evidence showed that the respective processing procedures breached the provisions of “Personal Data Protection Act”.


    In view of the fact that Medical Center B’s processing of relevant personal data was in line with the Articles 5, 7, 15 and 16 of the “Personal Data Protection Act”, GPDP decided to close this case and notify Citizen A and Doctor B of the results.
  In addition, GPDP sent a letter to Medical Center B, reminding it to execute Articles 10, 11 and 16 of the “Personal Data Protection Act” by establishing a “Personal Data Collection Statement” as soon as possible, and informing GPDP of declaration of the relevant data of automated processing of personal data, as specified in Article 21 of the same Act. It also suggested Medical Center B to avoid taking photos of the medical procedures if the record was unnecessary prior to asking for the data subjects’ explicit consent.

Please refer to "Personal Data Protection Act", articles 3,4,5,6,7,10,11,15,16,21 .