個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes
Print

No: 0022/2009/IP

Title: The staff passed a client’s personal data to a third party

Reason: Complaints

Brief:

    Resident X is a customer of Company A. To update his address registered with Company A, he sent Z, one of his family members, to Company A to fetch a customer information updating form.
  Z brought a “customer data form” to X, on which X saw his data, including ID document type, ID number, name, birth date, gender, address, profession, contact number, etc. X views this as improper disclosure of his personal data by the company to a third party (Z). Resident X believed that Company A’s conduct violated the Personal Data Protection Act, and filed a complaint with this Office (GPDP).

Analysis:

    In accordance with the provisions in articles 4.1.(1) and 3.1 of the Personal Data Protection Act, the data processing involved in this case is within the scope of regulation by the said Act.
  Company A explained that it had a clear set of regulations and code of conduct in line with the Personal Data Protection Act for its staff to follow in dealing with customers updating their personal data, to prevent customer data from unauthorised alteration and access by third parties. According to those regulations, when a third party approaches to update the data of a customer, the receiving clerk should check whether the third party has the authorisation by the customer. Should it prove otherwise the clerk should refuse the third party. “Customer data form” bearing customer personal data may only be made available to the customer in person on request, and may not be given to unauthorised third parties.
  In GPDP’s opinion, apparently in this present case the clerk Y handling the request in this case failed to follow Company A’s procedural rules, knowing that the person demanding data alteration was not the customer in person, by giving X’s personal data to the third party without the his consent nor other proper authorisation. It was an incident of a clerk breaching company regulations, for which Y, rather Company A, should be held responsible.
  In another aspect, the clerk Y involved was bound by duty of professional secrecy. Therefore, the clerk in this case might be guilty of criminal offence under Article 41 of Personal Data Protection Act. However, Article 41.4 of the same Act provides that criminal proceedings against confidentiality breaches are dependent upon complaint, as it was a “sub-public offence”. In other words, that was out of this Office’s competence and X could only file his complaint in person to the competent police authority if he wanted to sue Y for his criminal liability.
  According to Article 14.1 of the Personal Data Protection Act, X has the right to claim damages against the data controller for the loss he may have sustained as a result of his data being mis-processed or processed in breach of laws or regulations on personal data protection. X may also seek compensation via civil lawsuit.
  In Summary, Company X did not breach the Personal Data Protection Act, by its clerk Y might violated Article 18.1 of the said Act by not following the procedures instructed by Company A. X could only file his complaint in person to the competent police authority if he wanted to sue Y for his criminal liability.

Result:

    GPDP sent letters to X and Company A and informed them about the analysis and decision.

Reference:
Please refer to "Personal Data Protection Act", articles 3,4,14,18,41 .

Back

Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116