Office for Personal Data Protection

Complaint Case Notes

No: 0038/2013/IP

Title: Mistakenly handed someone a form containing personal data of others

Reason: Complaint

Brief:

  X stated that B, one of her colleagues in the Conference and Banquet Department of Hotel A, where she worked, handed her an internal company form whose contents had been altered. The form recorded X's personal data, including her name, address, telephone number and the name of her husband. X indicated that Manager C had required her to fill in and sign the form and then return it to C through B. X indicated that this form had previously been used by someone else: although the earlier contents had been covered with correction tape, when the form was viewed from the back against the light, the covered contents (including the signature of the person concerned and her spouse) could be seen clearly.
  X believed that Hotel A had failed to adopt sufficient security measures when processing the personal data of its employees, so she asked the Office for Personal Data Protection (GPDP) to investigate.

Analysis:

  According to Article 4(1)(1) and Article 3(1) of the Personal Data Protection Act (PDPA, or Law 8/2005), the processing of the data involved in this case is governed by this Law.
  As shown in the licence summary issued by Bureau C, the licence holder of Hotel A is Company F.
  In its response to the GPDP, Company F explained that the company used two types of form: one for employees to apply for company benefits, through which only general personal data was collected, and the other for the company to record the medical history of its employees so that it could be sent to the hospital in case of emergency. Neither form was compulsory to fill in. Some contents of the form completed by X were hardly visible. In addition, the form might have been filled in more than once (as it bore two signatures of X and two dates). Company F believed that it was X who had applied the correction tape.
  The GPDP later sent a letter to Company F requiring Employee B, Employee D and Manager C to assist the investigation. C indicated that the administrative assistant of the Banquet Department had been responsible for distributing the forms to the employees, on which information including the employee's name, employee number, department and title was pre-recorded, but that he had already resigned. C had instructed B that, when distributing these forms, he should check the names of the employees and ask them to return the forms personally to B, to C or to the HR Department. Later, A returned the completed form, folded three times, to C, who did not open it but passed it directly to the HR Department. C indicated that neither Company F nor Hotel A had prepared any policies or guidelines on the processing of employees' personal data, nor had they given any instructions on the distribution and return of the forms.
  B admitted that he had mistakenly given the form containing X's personal data to D. D noticed while filling in the details that it was not his form, and B then handed over the correct one. Before B gave the form to X, he applied correction tape to cover the parts that D had mistakenly filled in. X mentioned that he could return the form directly to C.
  The GPDP is of the opinion that, given the purposes of the two types of form described in the correspondence from Company F, Company F, as the data controller under Article 4(1)(5) of the PDPA, has the right to determine the purposes and means of the data processing.
  The forms recorded information such as the names and medical histories of the employees, which is personal data. In addition, according to Article 7(1) of the PDPA, information on a person's health is deemed sensitive data.
  In this case, the employees had the right to decide whether to submit the forms, and by submitting them they indicated their agreement to provide the general and sensitive personal data contained in the forms to Company F for further processing. For its part, Company F asked its employees to provide their health information in order to keep a record of their medical histories and to send it to the hospital when necessary. Therefore, in processing the related personal data, Company F established the legitimacy provided for in Article 6, Article 7(2)(3) and Article 7(3)(1) of the PDPA.
  With regard to the security measures adopted by Company F for the processing of employees' data, C designated his subordinate B to distribute the forms, which is a matter of the company's internal administration. As X did not wish B to know her personal data, she folded the form and chose to hand it to C, who later passed it to the HR Department. The sensitive information contained in the form was therefore not disclosed to any unauthorised third party. In addition, although B mistakenly gave X's form to D, that form contained only X's general personal data, not her health data. As only general personal data was disclosed to D, the act did not violate Article 16 of the PDPA.
  According to Article 15(1) of the PDPA, a controller should take appropriate security measures for the processing of general personal data. Based on the information available, whether in terms of technical or organisational measures, Company F neither defined which persons were competent to process the personal data of other employees, nor provided guidance on the handling of forms containing personal data, nor took appropriate security measures for the distribution of such forms to prevent data leaks.
  In conclusion, the conduct of Company F did not comply with Article 15 of the PDPA. Although the Law does not provide a penalty for this, Company F must make improvements.

Result:

  This case has been closed. The GPDP has notified X and Company F of the investigation result and has required Company F to improve its security measures.

Reference:
Please refer to "Personal Data Protection Act", articles 3, 4, 6, 7, 15 and 16.
