個人資料保護辦公室

Gabinete para a Protecção de Dados Pessoais

Office for Personal Data Protection

Complaint Case Notes
Print

No: 0090/2014/IP

Title: Notice containing staff’s personal data

Reason: Active intervention

Brief:

    A citizen reported to the Office for Personal Data Protection (GPDP) that Company A posted a resignation notice in the lobby of an industrial building.  This notice, mentioning that an employee was laid off for his frequent theft of company property, contained his photo (eyes were covered), name and complete ID numbers.
  Since this incident involved the personal data processing handled by Company A, which is subject to the Personal Data Protection Act (PDPA), the GPDP initiated an investigation.  

Analysis:

    For the current case, even the photo had been partially concealed, there were possibilities that someone could still recognize the employee.  Moreover, as the notice contained the complete name and ID numbers, to which the respective processing should be handled according to Article 4(1)(1) and 3(1) of the PDPA.  
  After having been informed of the case, the GPDP asked Company A to remove the said notice and required it for a written explanation of the incident.  
  Afterwards, the person in charge of Company A called and explained that the said employee was laid off for his repeated stealing of property of both the company and customers and those stored in the building management office.  Even having been dismissed, the employee still entered the building and pier, as a staff of the company, and took away the goods.  Company A, therefore, decided to put up the mentioned notice to prevent him from entering.  The company staff, however, included in the notice his personal data as a result of negligence.   
  In terms of external relationship, an employee can, on behalf of the company, perform all the acts that are related to the duties that he has been charged with and entrusted with.  Thus, it could not rule out the possibility that this employee, once responsible for the company’s harbour freight, would handle the goods on the company’s behalf after the dismissal. 
  Throughout its business operations, Company A, to protect its interests, informed the said employee the termination of their labour relationships, followed by putting up the notice.  This revealed that Company A was acting for its legitimate interests, which forewent the interests, rights, freedom and safeguards enjoyed by the employee.  In other words, it achieved the legitimacy as laid down in Article 6(5) of the PDPA. 
  In terms of processing proportionality, Article 5(1)(3) of the PDPA regulates that data for processing should be necessary for the purposes for which it is collected and/or further processed.  Effects brought about by the processing should be reduced whenever possible. 
  Since ID numbers are unique and used as identification, they are tools that are completely able to identify individuals when combined with other types of information (names, photos, etc.).    The notice was put up to inform others whether the person came for the freight was a staff that who has been dismissed or not.  Generally speaking, name and incomplete ID numbers are sufficient for identification and therefore complete ID numbers and photo should not be included in the notice.  Even in case ID numbers should be included, some numbers should be concealed to avoid excessive disclosure of personal data, as complete numbers could be abused for illegal activities. 
  To sum up, the three types of information as disclosed by Company A were already adequate in proving the identity of the employee.  Despite the fact that Company A achieved the legitimacy to put up the notice, its excessive disclosure of personal data violated the principle of proportionality.  Along the same line, its disclosure of personal data should be reduced to the minimum, so as to prevent exorbitant infringement of the employee’s rights and interests.  Publishing the ID numbers and photo in the notice, as a consequence, was actually a violation of the proportionality principle as laid down by Article 5(1)(3) of the PDPA. 

Result:

    Having taking into account the following: 1. Company A violated the PDPA for the first time; 2 Although the investigation was delayed by Company A, who did not provide the information during required period, it removed the notice after the GPDP had recommended, in addition to providing a written reply and an apology to the employee, the GPDP imposed an administrative fine of MOP 4,000 according to Article 33(1) of the PDPA. 

Reference:
Please refer to Article 3, 4, 5, and 6 of the Personal Data Protection Act.

Back

Avenida da Praia Grande, N.º 804, Edif. China Plaza, 17.º andar, Macau Tel:(853) 2871 6006 Fax:(853) 2871 6116