個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes
Print

No: 0022/2016/IP

Title: An association was alleged secretly reading its staff’s medical reports

Reason: Report

Brief:

    The GPDP (Office for Personal Data Protection) received a report, which stated that Association A requested its staff members to go for annual body check-ups and read their reports without the staff’s consent.

Analysis:

    According to Association A, its staff members, under the staff regulations, are required to undergo pre-employment medical check-ups before assuming their duties, and the reports will then be vetted by its Human Resources Departments.  This arrangement intended to find out any risks of infectious diseases and to better monitor any risks of community spreading.  On the other hand, Association A also provides free annual medical check-ups to its full-time staff, under the collaboration of medical organizations.  These health examinations are on voluntarily basis and non-mandatory.  Reports are sealed individually before being returned to Association A to be picked up.  On the other hand, they can be collected personally from the medical organization.  Association A will not open, nor read, the staff’s reports. 
  Under Article 4(1)(1) and 3(1) of the Personal Data Protection Act (PDPA), as long as Association A processes any data relating to pre-employment medical reports, it should be governed by the PDPA; additionally, the processing of health records (sensitive data), if any, is legitimate given that Association A fulfilled both Article 6 and 7 of the same Law. In this case, staff members are requested to undertake pre-employment medical check-ups, and they should understand that these health examinations are carried out voluntarily and are taken as employment prerequisite.  Association A, as a consequence, is processing such personal data under two types of circumstances–for taking steps prior to entering into contracts and under the explicit consent of the concerned data subjects.  These both fulfilled the criteria of legitimate data processing as laid down in Article 6 of the PDPA. 
  With regard to the free medical check-ups offered by Association A to its staff, the former was only passing the reports to the persons that received the check-ups.  On the other hand, no evidence showed that Association A processed the report data by any automatic means or stored any of such data in its databases.  To the above, PDPA is not applicable to Association A’s passing of reports, which is not a circumstance that Article 3(1) of the PDPA should regulate.  On the other hand, Association A denied that any of its staff had ever opened or read any of the said medical reports, which were sealed by the medical organization. Compounded with the fact that no concrete evidence has been provided by the Complainant to the GPDP, the Complainant’s allegation is therefore unsubstantiated. 

Result:

    This case was closed and the investigation results have been informed to the Complainant and Association A.

Reference:
Please refer to Article 3, 4, 6 and 7 of the PDPA.

Back

Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116