Complaint Case Notes

Case number: 0030/2011/IP

Title: Displaying medical certificate publicly

Reason for filing: Referral


X, a staff member of Bureau B, complained to Public Authority A that his direct superior Y had publicly displayed his medical certificate, which contained his personal data. Y is a functional head of Department C, a subordinate unit of Bureau B. X therefore believed that Y might have violated the secrecy obligation.
Because the complaint may involve violations of the Personal Data Protection Act, Public Authority A transferred the case to GPDP.


According to Articles 4(1)(1) and 3(1) of the Personal Data Protection Act, the processing of personal data in the present case falls within the regulatory scope of that Law.
Bureau B explained that, as its subordinate unit Department C requires staff to work in shifts, Y had to reassign staff immediately on the day that X suddenly took sick leave. Y then posted X's medical certificate, together with the roster changes, in the rest area for team members, in order to promptly notify the staff members on shift that day. Use of the said area was restricted to the three staff members on shift, and the medical certificate remained attached to the glass door of a cabinet until the reassignment was completed. Afterwards, Division Head Z requested Y to apologize personally to X. In addition, a letter of apology and review was put up in the same place where the medical certificate had been. This was the first occurrence of such an incident in Bureau B.
The information provided by Bureau B showed that it has no rules governing the processing of medical certificates. Under its established general procedure, a staff member submits the certificate to a superior for confirmation and signature, after which it is handed over to the personnel department for the related administrative procedures. This information is later published in the weekly internal news bulletin.
The crux of the present case is to determine who the controller is. According to Article 4(1)(5) of the Personal Data Protection Act, the controller is the party that decides the purposes and means of data processing. The organizational law of Bureau B empowers its director, within his competence, to formulate compliance rules and guidelines for the normal functioning of the department. GPDP considered that, in the present case, because Bureau B has the right to decide the purposes and means of processing medical certificates, it has the status of controller. Although Bureau B explained that putting up X's medical certificate was Y's personal conduct, Y had no competence of his own to process medical certificates and therefore engaged in the said conduct in the discharge of his duties. For this reason, Bureau B, not Y, was the controller.
With regard to the nature of the data, the medical certificate contained X's personal data, part of which related to X's health, and the data are therefore considered sensitive. Under Articles 6(2) and 7(2)(1) of the Personal Data Protection Act, Bureau B has the legitimacy to process X's medical certificate, but the processing must comply with the principles laid out in Articles 2 and 5 of the said Law, including the principle of proportionality. In other words, the processing must be in line with the purposes intended by the controller and go no further than is necessary.
In GPDP's view, no detailed specification of the procedures for processing medical certificates is laid down in the Statute of Workers of the Macao Public Administration, approved by Decree-Law 87/89/M, and consequently the matter remains a decision of the public department concerned. In the present case, Bureau B did not fulfil its duty of prudence and put up X's medical certificate, thereby giving non-interested parties access to personal data. In relation to the intended purposes, the said processing was evidently inappropriate and unnecessary, and violated the principle of proportionality set out in Article 5(1)(3) of the Personal Data Protection Act.
In terms of security in the processing of sensitive data, Article 16(1) of the said Law specifies a list of special security measures, among which Article 16(1)(2) in particular requires "preventing data media from being read, copied, altered or removed by unauthorised persons". Had the processing of X's medical certificate followed the general procedures, the other two team members would only have learned of X's absence from their superior or the internal news bulletin, rather than from the medical certificate itself. That is to say, these team members are considered "unauthorised persons" within the meaning of that provision. The processing by Bureau B consequently violated Article 16(1)(2) of the Personal Data Protection Act.
In relation to the secrecy obligation, from Y's putting up of X's medical certificate to Y's subsequent explanation and apology, these acts were carried out in the capacity of a functional head, and the processing of personal data was accordingly treated as Bureau B's conduct. In addition, the disclosure and dissemination of the personal information contained in the certificate were both unintentional, so there was no indication that the conduct violated the secrecy obligation laid down in Article 41 of the Personal Data Protection Act.
In summary, Bureau B's processing violated Articles 5(1)(3) and 16(1)(2) of the said Law.


Bureau B's conduct violated Article 5(1)(3) of the Personal Data Protection Act, which constituted an administrative infraction, leading to a fine of MOP $4,000 under Article 33(1) of the Personal Data Protection Act.
Its conduct also violated Article 16(1)(2) of the Personal Data Protection Act, which constituted an administrative infraction, for which a fine of MOP $4,000 was imposed under Article 33(1) of the same Law.
Under Article 34(2) of the aforesaid Law, concurrent administrative infractions are penalised cumulatively. As a result, Bureau B was fined MOP $8,000, and the penalty has been executed.

Please refer to the Personal Data Protection Act, Articles 2, 3, 4, 5, 6, 7, 15, 16, 18, 21, 30, 32, 33, 34 and 41.