Complaint Case Notes

Case No.: 0020/2013/IP

Title: Online registration printouts included others’ personal data

Reason for opening the case: Active intervention


    A citizen called the Office for Personal Data Protection (GPDP), indicating that when he performed online registration for examination on the webpage of School A and printed out the completed registration form and other registration information, data of other registered persons were also generated for printing by the system. 
  This incident involves the security of data processing and is suspected of violating the Personal Data Protection Act (PDPA), so the GPDP actively initiated an investigation.


    According to Paragraph 1(1) of Article 4 and Article 3(1) of the PDPA, the processing of data in this case is governed by the same Act.
  After receiving the complaint, the GPDP informed School A that it should terminate the online registration system immediately and resume it after the problem had been fixed or repaired, so as to guarantee that no personal data would be leaked.
  School A replied to the GPDP that the system that leaked the data was developed and maintained by Company B.  The GPDP is of the opinion that School A was the entity that decided to adopt online registration and then commissioned Company B to develop and maintain the system.  The information collected through the system is identical to that collected by the application forms of School A.  Since School A was the one that decided to use different methods to collect information, it is regarded as the data controller according to Article 4(1)(5) of the PDPA.  On the other hand, although Company B has a certain level of rights to decide on the functions and operations of the system, these are subject to the commission of School A.  Consequently, Company B should be deemed the processor as specified in Article 4(1)(6) of the PDPA.  According to School A, the personal data that was leaked included the names of the applicants and their parents, their religions, ID card numbers, telephone numbers and email addresses, etc., among which religion is regarded as sensitive information.
  According to Article 111 and the subsequent articles of the Civil Code, as approved by Decree 39/99/M, the applicants enrolled in kindergartens are all minors, whose incapacity should be remedied by parental rights.  When parents provide the personal data of their children to schools for enrollment, School A can be deemed to be processing the personal data of the applicants with their express consent.  Subject to the non-discrimination principle and the security measures specified in Article 16 of the PDPA, that [consent] satisfies the conditions for establishing legitimacy as governed by Article 6 and Article 7(2)(3) of the same law.
  With regard to the proportionality of data collection, Article 10(4) of Law 5/98/M (Freedom of Religion and Worship) provides that ‘persons registered at education facilities operated by religious groups shall be construed as accepting the religious and ethnic education adopted by such groups…’  As School A is operated by a religious organization, unless the parents who applied to School A for enrollment raise objections based on personal, compelling legitimate grounds that are justifiable, School A could process data concerning the religions of the applicants within its scope of lawful activities and according to the laws, which satisfied the legitimacy condition specified in Article 7(3)(2) of the PDPA.
  In addition, the GPDP holds the opinion that, according to Article 32(1) of Decree Law 38/93/M (General Rules on Private Education Organizations), the operation of a private education organization should comply with the applicable laws and regulations and accept teaching scrutiny according to the instructions of the Education and Youth Affairs Bureau.  According to the Guidelines on School Admission (amended for academic year 2013/2014) prepared by the Education and Youth Affairs Bureau, education institutions are required to inspect the original identification documents upon admission, so as to verify the age of the students and whether they can stay or live in Macau.  In addition, the Education and Youth Affairs Bureau also requires the applicants to provide photocopies of their, and their parents’, IDs, health certificates and addresses.
  Therefore, when collecting the mentioned data from the applicants and their parents through the online registration system, School A apparently did not violate the principle of proportionality as specified in Article 5(1)(3) of the PDPA.
  With regard to the security issues involved in personal data processing, when sensitive data is involved a data controller has to comply with Article 15 and Article 16 of the PDPA.  As the GPDP has learned, the online registration system of School A required users to first register and then log in to the system to complete the registration information before printing it out.  In essence, parents could log in to the system to input and modify their information only when the system had identified their user identity.  In addition, the back-end operations of the mentioned system require the system administrator to provide a password to log in, which aims to prevent any unauthorized persons from entering the system to read, modify, delete or remove any data.  Therefore, School A has taken certain security measures to protect data security for the said online registration system.
  According to the GPDP’s technical analysis, the data leak was caused by network traffic overload and program bugs.  As for the former, School A has been engaged in education for many years and faces a huge demand for kindergarten education, so before it decided to establish online enrollment it should have expected the huge amount of online traffic the system would handle.  As for the latter, the remedial measures Company B adopted revealed that if more detailed technical features had been considered, the data leaks could have been avoided.
  With regard to supervision of the processor, although Company B signed a Non-disclosure Statement after the data leaks, undertaking to provide further solutions for the software system of School A and that all data learned by all its staff would be kept absolutely confidential, such a statement is only binding on the software system solutions this company provides, and it cannot be taken to show that School A has provided sufficient guidance or regulations to its processor.
  Various types of data were involved in the mentioned data leaks, in which the personal data of six subjects was accessed by five users, including information on religious beliefs.  Obviously, during system development School A neglected to evaluate the amount of traffic the system could handle.  Moreover, it did not provide appropriate guidelines and regulations to the processor, and even when the system was launched it did not properly regulate the processor.
  Therefore, School A failed to take appropriate security measures to protect the sensitive data of the applicants and their parents, which violated Article 16(1) of the PDPA.
  As School A was suspected of violating the PDPA, it could be punished with a fine.  Under Article 93 of the Administrative Procedural Code, as approved by Decree 57/99/M of October 11th, the GPDP held a hearing on the violation by School A.
  During the hearing School A did not make any explanation on its suspected violation of the PDPA, but suggested some improvement measures.  Therefore, School A failed to provide reasonable and sufficient justification for its violations.


    School A failed to take appropriate security measures for its online registration system to protect the sensitive data of the applicants and their parents, which violated Article 16(1) of the PDPA. The GPDP decided, according to Article 33(1) of the same Law, to impose on School A a fine of MOP$4,000.

Please refer to "Personal Data Protection Act", articles 3, 4, 5, 6, 10, 15, 16 and 33.