個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes
Print

No: 0025/2009/IP

Title: A medical institution registered visitors’ personal data

Reason: Complaints

Brief:

    Citizen X complains that a healthcare institution A requires visitors to fill in Visitor Registration Forms with such data as name, gender, ID number, contact number, the gender and bed number of the visited person, etc. Citizen X thinks that it is not necessary for Institution A to collect visitors’ ID numbers.
  In addition, X claimed that Institution A usually denies access should a visitor refuse to provide his personal data, which X thinks is as good as forcing the visitors to surrender their personal data. X also alleged that the security staff of Institution A had double standards in managing visitor access, e.g., some visitors were allowed access without providing their ID numbers.
  X believed that A’s conduct violated the Personal Data Protection Act, and filed a complaint with this Office (GPDP).

Analysis:

    In accordance with the provisions in articles 4.1.(1) and 3.1 of the Personal Data Protection Act, the data processing involved in this case is within the scope of regulation by the said Act.
  Article 5.1.(3) of the Personal Data Protection Act provides that “personal data must be relevant, appropriate and not excessive for the purposes for which they are to be collected and processed.” Whether Institution A was over-collecting visitors’ personal data in this case should be judged in reference to its purposes of data collection and whether the data collected were necessary for its purposes. In general, institutions may, for security reasons, collect visitor data such as name, type and numbers of ID documents, etc., so that the visitors may be identified. Other information to register may include the time and place of the visit and data of the visited persons.
  To ensure the security of its patients and caretakers, it is apparently necessary for Institution A to collect visitors’ personal data. As a person’s ID number is a unique identifier of a person, it makes sense to collect it for effective and efficient identification of the visitor. Therefore, collecting personal data such as ID numbers by Institution A in security management did not constitute what X claimed to be the over-collection of personal data by the institution.
  As for X’s allegation that denying visitor access who fail or refuse to provide personal data is as good as forcing them to surrender their personal data, it should be pointed out that Institution A has the right to frame its visitor registration rules to ensure the security of itself as well as the citizens in its vicinity. Besides, hospital wards are not meant for free access. As Institution A bears the responsibilities to ensure the security of the wards, the patients and other users of the institution, it has the right to register the personal data of identifiable visitors so it can trace suspects should any security incident occur. Any one visiting the institution, be it the complainant or other citizens, should abide by its rules. If they refuse to have their data registered, Institution A has the right to deny them access.
  As to X’s allegation that the security staff of Institution A use double standards in managing visitor access (e.g. allowing visitors access without registering their ID numbers), GPDP believed this was only the internal management issue of Institution A.
  In summary, Institution A’s data processing was in compliance with the Personal Data Protection Act.

Result:

    GPDP sent letters to X and Institution A to inform them the analysis, and referred to Institution A the issue that the security staff use double standards in managing visitor access.

Reference:
Please refer to "Personal Data Protection Act", articles 3,4,5 .

Back

Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116