Complaint Case Notes

Case No.: 0065/2012/IP

Title: Healthcare data of the participants were collected during the activity

Reason for opening the case: Report


    Participants were recruited in an activity held by Department A, and the participants’ healthcare data was also collected during the process.
  X was of the view that Department A’s act violated the Personal Data Protection Act (PDPA) and therefore requested the GPDP to follow up.


    According to Articles 4(1)(1) and 3 of the PDPA, processing of the mentioned data is regulated by the PDPA.
  In addition to general data, the personal data processed by Department A also included the healthcare data of the participants.  Pursuant to Article 7 of the PDPA, healthcare data is regarded as sensitive data.  Hence, Department A shall also comply with the conditions of legitimacy laid down in Articles 6 and 7.  Based on the data provided by Department A, the participants of the activities voluntarily provided their data.  Thus, Department A has achieved legitimacy in accordance with Article 6 of the PDPA.  In addition, the data subject’s clear permission referred to in Article 7 of the PDPA is regarded as an express legal act.  Hence, the data subject shall express direct consent to the controller for the processing of the sensitive data.  In this case, since the participants voluntarily provided the data, Department A has also met the legitimacy requirement under Article 7(2)(3) of the PDPA.
  When Department A processed the participants’ personal data, in addition to the conditions of legitimacy, it was also required to comply with the processing principles in the PDPA.  According to the data provided by Department A, the participants’ basic data (e.g. name, date of birth, contact telephone number, contact address) was collected for the purpose of contacting the participants, and such data directly relates to the purposes of ascertaining the participants’ identities and contacting them.  Furthermore, the original purpose of collecting the healthcare data is to obtain information about the health status of the participants and to prepare contingency measures for any future field trips, or similar activities, to be organized by Department A.  In this regard, the GPDP did not consider that Department A had violated Article 5 of the PDPA.
  Having said that, Department A stated that all the data in the application form was provided by the participants voluntarily, and that the healthcare data was not a prerequisite for joining the activities.  However, Article 2 of the application rules printed on the application form stated that an applicant shall provide all the necessary personal data set out in the application form.  This did not correspond with, and even contradicted, the reply of Department A.  This shows that Department A replied immediately without seriously reviewing the application forms in the current case, and negligence was found.  Hence the GPDP has officially requested, in writing, that Department A revise the activity application forms in order to provide accurate information.  At the same time, Department A has been reminded that Article 10 of the PDPA, regarding the right to information, shall also be complied with when processing personal data in future activities.  Otherwise, pursuant to Article 33(1) of the same Law, its act may constitute an administrative offense.
  Since the personal data processed by Department A includes sensitive data, the safety measures referred to in Articles 15 and 16 of the PDPA shall be adopted, in particular with regard to the logical segregation of the personal data and the sensitive data.  Otherwise, this may constitute an administrative offense.


    The GPDP has already notified Department A of the result; this case has been closed.

Please refer to "Personal Data Protection Act", articles 3, 4, 5, 6, 7, 10, 15, 16 and 33.