個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes
Print

No: 0042/2010/IP

Title: Government Bureaus require civil servants to submit “appointment notice” in order to apply for “consultation leave”

Reason: Reports

Brief:

    Civil Servant X of Government Bureau A claimed that Government Bureau A required staffs to submit “appointment notice” and “proof of consultation” in order to be conceded “consultation leave”. Civil Servant X believed that Bureau A’s conduct breached the terms of the “Personal Data Protection Act”, and filed a report to this Office (GPDP).

Analysis:

    In accordance with the provisions in articles 4.1.(1) and 3.1 of the Personal Data Protection Act, the data processing involved in this case is within the scope of regulation by the said Act.
  The “appointment notice” and “proof of consultation” mentioned by Civil Servant X refer to the “outpatient appointment notice” and the “treatment certificate” issued by the Health Bureau.
  As the “treatment certificate” and “outpatient appointment notice”, contain personal data and as the “outpatient appointment notice” may contain sensitive health information, Government A could only legitimately process the two types of information if it did so in accordance with Articles 6 and 7 of the “Personal Data Protection Act”.
  Civil Servant X stated that he had given his superiors a verbal notification of medical appointment in advance, but the superior asked Civil Servant X to hand over a copy of the “outpatient appointment notice” issued by the Health Bureau to the Bureau for processing on the day before the appointment. Bureau A explained that asking civil servants who wish to take a “consultation leave” during office hours to display an “outpatient appointment notice” issued by medical institutions was a right they have under the terms of Article 108 of the “Regulations on Workers of the Public Administration”(ETAPM). However, civil servants may use their discretion to decide whether or not to hand over a copy of it. After the medical consultation, civil servants must submit a “treatment certificate” to their superiors to confirm the motive for the absence they previously applied for.
  In GPDP’s opinion, as the “treatment certificate” and “outpatient appointment notice” contain personal data and as the “outpatient appointment notice” may contain sensitive health information, Government A could only legitimately process the two types of information if it did so in accordance with Articles 6 and 7 of the “Personal Data Protection Act”.
  As there are no provisions in Articles 97 and 108 of ETAPM which determine what type of documents civil servants should provide to their employers to take “consultation leave” during office hours, Bureau A could only have legitimacy to process the relevant personal data with data subjects’ consent. Based on this, and in the course of processing personal data of the civil servants for such a purpose, Bureau A should adopt a uniform policy and collect the personal data of civil servants in a moderate fashion. It should also notify the data subjects of the relevant purposes in order to avoid future disputes.
  In course of processing “treatment certificate” submitted by Civil Servant X, Bureau A should take the general safety measures determined in Article 15 of the “Personal Data Protection Act”. While processing the “outpatient appointment notice” (containing sensitive data) submitted by Civil Servant X, Bureau A must also adopt the special safety measures specified in Article 16 of the “Personal Data Protection Act”. Meanwhile, Bureau A should develop a privacy policy and clear guidelines in order to avoid misunderstandings.
  In summary, the personal data processing carried out by Bureau A did not breach the “Personal Data Protection Act”, but there is room for improvement.

Result:

    GPDP sent a letter to Government Bureau A, informing it of the above mentioned analysis, and recommended that Bureau A should collect personal data in a moderate manner, adopt the appropriate safety measures and develop a privacy policy. GPDP also notified Civil Servant X of the decision.

Reference:
Please refer to "Personal Data Protection Act", articles 3,4,6,7,15,16,41 .

Back

Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116