Office for Personal Data Protection (Gabinete para a Protecção de Dados Pessoais)

Complaint Case Notes

No: 0071/2013/IP

Title: Transferring unsealed physical checkup reports

Reason: Report

Brief:

    Citizen A reported that Company K, where he works, arranges every year for all its employees to undergo physical checkups at Company B. Afterwards, Company B delivers the checkup reports to Company K before they are handed to each employee (the data subjects). In the past, the reports were sealed when delivered. In the current incident, however, the reports were delivered to the data subjects unsealed, so that anyone who handled them (including those who delivered the reports to Company K) could access the health data they contained. A believed that Company K might have violated the Personal Data Protection Act (PDPA, or Law 8/2005) and asked the Office for Personal Data Protection (GPDP) to follow up.

Analysis:

    According to Article 4(1)(1) and Article 3(1) of the PDPA, the data processing involved in this case shall be governed by the same Law.
  Company B indicated in its reply that it had been entrusted by Company K to perform annual physical checkups for its employees. Under the arrangement with Company K, the staff information would first be verified by Company B. Each employee's information would then be entered into a computer system to generate a reference code for that staff member. After the physical checkups were completed, one copy of the report would be printed for each reference code. These reports were then checked by a designated staff member of Company B, who signed them officially on behalf of the Company. On this occasion, in order to verify the identities and reference codes of Company K's employees more easily, Company B did not seal each report separately but instead put all the reports into a single bag for delivery. After the incident, Company B amended its internal confidentiality procedures.
  Company K indicated in its reply that the reports it received from Company B on this occasion were not sealed. As the physical checkup is one of the benefits provided to its employees, Company K, after receiving the health reports, does not record (manually or by computer) or check the contents of the reports, but simply delivers them to the employees.
  In GPDP's opinion, although Company K entrusted Company B to perform the physical checkups for its employees, the former was only paying the expenses involved. Since the personal data of the staff was processed by Company B, and since Company K is not a medical organization, the latter was in no position to intervene in the processing of the health reports. Therefore, Company B had the right to decide the purposes and means of the personal data processing relating to the physical checkups (i.e. the data of the employees of Company K). According to Article 4(1)(5) of the PDPA, Company B shall be deemed the data controller for the processing of the health data of the employees who received the physical checkups.
  As the check-ups were part of the benefits enjoyed by Company K's staff, it was the staff who accepted the check-ups provided by Company B; in other words, they also accepted the processing of their personal data by Company B. As the data recorded in the health reports is sensitive data, according to Articles 6 and 7(a) of the PDPA, Company B, provided that it ensures the principle of non-discrimination and introduces the security measures specified in Article 16, has the legitimacy to process the health data of the data subjects on the basis of the explicit consent of those who decided to receive check-ups.
  With regard to the delivery of the health reports to Company K by Company B, the GPDP is of the opinion that, as the reference codes were sufficient to identify the data subjects, the employees could still be identified even if the reports were sealed separately. In the past, Company B sealed each report separately, and the reference codes did not obstruct identification; in the current case, no evidence showed that it was necessary for Company B to change the practice of sealing the reports. Before the current case, Company B did not have any stringent procedures in place [to guarantee confidentiality], so there was no particular reason for it to change the original practice.
  Sealing the reports lowers the risk of data leaks; it is therefore a security measure within the control of Company B that it could have adopted. All the employees of Company K who received the physical checkups were affected by the current incident. No confidentiality agreement had been signed between the two organizations and, in fact, once the reports were delivered they were no longer under the control of Company B. Any loss or data leak after that point would have serious consequences. Therefore, Company B was suspected of violating Article 16 of the PDPA. According to Article 33(1) of the same Law, an administrative offence may be punished with a fine, so GPDP conducted a hearing on the incident.
  In the written hearing, Company B explained that, when staff decided to have check-ups, they were asked to sign an Application for Physical Checkup. Article 9 of the Agreement attached to this Application specifies that "…the applicant can inquire and request for a health report of his medical check up or a body check." Company B argued that this term of the Agreement could be regarded as a commission by the staff to Company K, as a consequence of which Company K could read and obtain the medical reports, and that Company B, subjectively or objectively, did not disclose any personal data of the employees of Company K.
  In GPDP's opinion, the "applicant" referred to in Article 9 of the Agreement is the employee who applied for the physical checkup, and not, as was argued, a party (Company K) commissioned to obtain and read the health reports. In fact, all Company K had to do was distribute the health reports on behalf of Company B. According to Article 35 of the PDPA, a data controller that, through negligence, fails to introduce security measures to protect sensitive data shall be punished. As Company B failed to provide reasonable and sufficient explanations, all its claims were rejected.
  To sum up, Company B failed to take proper security measures when processing sensitive data, with the result that the contents of the health reports might have been accessed by unauthorized persons, which violated Article 16 of the PDPA.

Result:

    The GPDP, according to Article 33(1) of the PDPA, imposed on Company B a fine of MOP$4000 after considering the following factors: 1. Company B has insufficient awareness of security; 2. The checkup reports contain sensitive data of the data subjects; 3. All employees of Company K who had received physical checkups were affected by the current incident; 4. Company B has taken improvement measures; 5. It was Company B's first violation of the PDPA.

Reference:
Please refer to the "Personal Data Protection Act", Articles 3, 4, 6, 7, 16, 33 and 35.


Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116