Complaint Case Notes

編號: 0066/2012/IP

標題: Application form containing uncovered personal data was passed to other students

立案原因: Report


    The GPDP has received a report from resident X, who has applied the course held by Centre B via Bureau A.  He pointed out that through a subordinate department his data, including the identity card number, date of birth, name, civil service position, qualifications and others, was provided to Centre B.  However, Centre B has handed over to other students the application forms containing his personal data without covering up. 
  X was of the view that, regarding the relevant processing, Centre B has violated the Personal Data Protection Act (PDPA), and therefore reported to the Office for Personal Data Protection (GPDP).


    According to the Articles 4(1)(1) and Article 3(1) of the PDPA, the processing of  the data in the current case is regulated by the PDPA.
  In Centre B’s reply, it stated that, based on its internal working guidelines, if the organization who commissioned the trainings provided the students’ personal data to the Centre, it would not collect data from the students in class.  The course where this case involved was commissioned by Bureau A.  Since this Bureau only provided some of the required data, therefore the Centre required the students to provide other data.  Generally, the centre shall provide a copy of the Course Application Form to each student to complete.  Also, each form is filled and submitted to the Centre by each student independently.  However, only in the current case, one Centre staff member mistakenly provided the document the Organizational Internal Trainings – Applicant’s Information” (hereinafter as Applicant Information Form) to the students to complete.  Given that this was not an independent application form, thus causing some students’ personal data, as filled by the students themselves, were uncovered and seen by other students while passing the form.
  In the present case, Centre B requested the students to provide their information in order to organize classes, and all the students voluntarily provided their personal data.  It can be seen that, the processing of personal data by Centre B complies with the explicit consent as governed by Article 6 of the PDPA.   In addition, during the application, the students knew that the course was held by Centre B, who is also responsible to provide the venue and to process their grades and certificates.  Thus, if students did not submit the necessary information, Centre B would not issue any certificates.  It can be viewed that, there existed a contractual relationship between Centre B and the students.  Centre B could handle the students’ personal data based on Article 6(1) of the same law, and thus Centre B achieved two types of legitimacy in processing the students’ personal data. 
  Due to the fact that the data contained in the Applicant Information Form, which was passed to other students, includes the names, identity card numbers, departments and positions, dates of birth, and some others.  These were regarded as general personal data, of which the staff did not cover properly.  As a result, the personal data of the students was inappropriately disclosed to the third parties.  Thus, the said processing of Centre B has violated Article 15 of the PDPA. 
  In its reply, Centre B pointed out that since being informed of the report it has immediately corrected the problem.  Furthermore, it also clearly explained the working guidelines to its staff, and reinforced the awareness and trainings of the staff for the personal data protection.  Since the course has been organized by the Centre, no similar incidents have taken place.  Therefore, this was a sporadic incident, which was mainly caused by individual staff’s negligence.
  In addition, the sample of the Applicant Information Form, as provided by Centre B, parts of which were printed with the background color of grey, therein required the applicant to fill in information like the name, identity card number, date of birth, gender, nationality and credit card, and others. These parts were printed with “Information of the grey parts is mandatory for producing certificate”.  However in Centre B’s reply, it pointed out that such data (e.g. date of birth) was used for analysis and producing reports.  In other words, the data types and the contents required in these parts were different from the actual purposes.  In addition, the application form did not clearly state the consequences when a person failed to provide the mandatory information, which has misled the data subjects to believe that all data should be mandatorily provided.  Obviously, such application form has not clearly provided the data subjects the information pursuant to Article 10(1) of the PDPA, which failed to conform to the relevant legal provisions.  Therefore, the GPDP also reminded Centre B to review the accuracy of the data provided in the application form, and based on the actual circumstance, the data types provided by the applicant in an application shall be clearly stated whether it is mandatory or optional, and the purpose of processing such data.
  Overall, Centre B has violated Article 15 of the PDPA, but it is not liable to any penalty.


    Since Centre B has improved the problem, and no follow-ups is necessary.  Moreover, in order to avoid similar incidents from happening, the GPDP has notified Centre B to comply with Article 15 of the PDPA when processing personal data.  At the same time, it was also reminded to provide accurate and necessary information for its forms in order to comply with Article 10 of the same Law.
  The GPDP decided to close the case and to inform X of the result.

Please refer to "Personal Data Protection Act", articles 3, 4, 10 and 15.