Complaint Case Notes

編號: 0046/2012/IP

標題: Authorized access to CCTV surveillance system data

立案原因: Complaint


    X, the supervisor of Department A, suspected that Y, his staff, has faked his attendance records, and accessed the image data of the CCTV surveillance system installed in the Department.  In addition, the email attached with the image data of Y and his attendance records have been emailed to his immediate supervisor, Z.  Later Z has forwarded the email to Y.  
  Y believed that X has violated the Personal Data Protection Act (PDPA), and has complained to the GPDP the following:
1. X suspected that the access to the image data has deviated from the purposes of the CCTV surveillance.
2. X has accessed and obtained the image data of the surveillance system without the approval of the head of Department A.
3. X sent out the email which contained Y’s personal data without encryption.


    According to Articles 4(1)(1) and 3(1) of the PDPA, handling of the data in this case is regulated by the PDPA.
  Department A has already notified to the GPDP regarding the CCTV surveillance system.  The purposes of the notification include: (1) to safeguard the safety of the property, security and other legal interests with respect to the building; (2) to protect the staff’s safety and other legal interests; (3) to ensure the service quality of the public reception area; (4) to evaluate the working performance of the staff (limited to the public reception area, the entry area of the office, including the area where the attendance records were made).  Since X suspected that Y faked his attendance records and therefore accessed to the image data of the CCTV surveillance system installed in Department A, this has not deviated from the processing purposes of the data.
  Being the controller with the said purposes, although Department A has laid down the guidelines for accessing the data of the CCTV system.  Also therein it specified a person, only after having been authorized, could access the image data of the system.  As X accessed the image data being authorized by the head of Department A, which may involve an improper access to data under Article 38 of the PDPA.  Furthermore, the fact that X has accessed the system image data, this reflects that there is insufficiency in the information security of the department, which does not conform to the security requirement as laid down in Article 15 of the PDPA.
  As X has sent the email, without encryption, to Y.  Contained in this email are the image data and the attendance records, which are not sensitive data.  In addition that X accessed Y’s attendance records for his works, and sent Z the email with the equipment provided by Department A (to follow up the attendance records).  In principle, only the receiver of the email could access the email content.   According to the PDPA, when a person obtained knowledge of the personal data processed while carrying out his work duties should comply with the obligation of professional secrecy.  At present, no data leakage has been found, and it could assume that X has adopted certain security measures for the personal data processing.  Although the email was not encrypted for better protection, it should not be taken that it has caused security risks inappropriate to the processing as mentioned.


    In short, X’s processing of the personal data of Y has not deviated from the processing purpose, and the fact that X has sent the email consisting of Y’s personal data without encryption, these have not violated the PDPA.
  Although X has accessed the CCTV surveillance data without the authorization of the head of Department A, which could be regarded as an improper access pursuant to Article 38 of the PDPA.  The GPDP has already reported to the said Department, so that proper arrangement can be taken according to laws.  The inadequacy found in Department A’s security policies, however, does not constitute any administrative offenses.   The GPDP has already informed this Department, in writing, of the problems of the current case, and required it to adopt improvement measures within a certain period of time.
  Department A has adopted improvement measures according to the GPDP’s request.  This case was therefore closed.

Please refer to "Personal Data Protection Act", articles 3, 4, 15 and 38.