個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes
Print

No: 0110/2017/IP

Title: Inadequate protection of students’ personal data adopted by a training centre

Reason: Complaint

Brief:

    This case stemmed from a complaint against Training Centre A (hereinafter as Centre A) regarding an excel worksheet, contained in an email attachment it sent out.  This worksheet recorded a catalog of students’ information, obtained from all of those who attended one of its training courses, including their name, date of birth, ID numbers, gender, profession, contact numbers, email address, etc.  Such detailed information should not be recorded in the email attachment, according to the Complainant; therefore, he lodged a complaint with the GPDP (Gabinete para a Protecção de Dados Pessoais/Office for Personal Data Protection).

Analysis:

    According to Article 4(1)(1) and 3(1) of the PDPA (Personal Data Protection Act/Law 8/2005), this Law applies to the data processing of the current case. 
  Under normal circumstances, the attendants, for application purpose, will submit their personal data to Centre A, which is one of the conditions of legitimate personal data processing–based on the explicit consent of the data subjects–governed by Article 6 of the PDPA.
  As explained by Centre A, the respective students could be eligible for the subsidies provided by Bureau B after they completed the course. Originally the attached file that Centre A sent out would only contain a worksheet specifying  student numbers and ID type and ranges for special remarks.  The students were supposedly to verify their own information on this worksheet, as a bid to ascertain correct information would be submitted to Bureau B later.  According to Centre A, the mentioned attachment also included another worksheet that illustrated the firstly mentioned information, only intended to be submitted to Bureau B; however, it was obliviously hidden in the same file.  Despite the staff of Centre A had verified the email and the attachment before sending them out, they failed to notice the inclusion of that hidden worksheet, which was inattentively sent out in the form of confidential document.  Aside from the above, Centre A also required its staff to apply password to files containing students’ personal data, as a data protection measure.  In the event of any notices or memos intended for multiple recipients, Centre A requires its staff to send them out in the format of confidential document. 
  The above illuminated that, despite data protection measures were in place for protecting the personal data of its students, the email–which the Complainant received–contained a worksheet that detailed the personal data of all the respective students, indeed being a sign of insufficient measures.  This violated Article 15 of the PDPA but did not constitute any administrative offence.

Result:

    The GPDP has already informed the investigation results to the Complainant and Centre A and required it to improve its protection measures.  The improvement should spiral around clearer staff guidelines and raising the internal personal data protection awareness.  This case was closed.

Reference:
Please refer to Article 3, 4, 6, and 15 of the PDPA.

Back

Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116