PCPD - A Doctor convicted of breaching the Personal Data (Privacy) Ordinance

A Doctor convicted of breaching the Personal Data (Privacy) Ordinance

1.    A doctor (“the doctor”) was convicted of breaching sections 19 and 64 of the Personal Data (Privacy) Ordinance (“the Ordinance”) and was fined $1,000 in the Kowloon City Magistrates' Courts on 22 February.

2.    Mr. Roderick B Woo, the Privacy Commissioner for Personal Data, commented the case, “This is the first successful conviction under section 19 (non-compliance with “data access request”) since the enforcement of the Ordinance. Many complaints showed that data users did not handle such requests seriously. In fact, making a “data access request” is an important right vested in the public. By doing so, a data subject can know whether his/her personal data held by a data user is accurate or not. Therefore, when a data user receives a “data access request”, it should handle the request in compliance with the requirements of the Ordinance and should not ignore the request.”

3.    Section 18 of the Ordinance stipulates that a data subject may make a request to be informed by a data user whether the data user holds his/her personal data and to be supplied with a copy of such data. Section 19 of the Ordinance provides that a data user shall comply with a “data access request” not later than 40 days after receiving the request. If the data user is unable to comply with all or part of the request within the 40-day period, he shall inform the data subject of the situation and the reasons in writing within the period. Moreover, he shall fully comply with the request as soon as practicable after the expiration of the period. His duty is to supply a copy of the personal data of the data subjects as opposed to a copy of the document which contains the data.

4.    In May 2007, a patient (Ms. A) made her first data access request to the doctor for copies of her medical records from June 2006 to April 2007. The doctor failed to respond to Ms. A within 40 days after receiving the request, so Ms. A lodged a complaint with the PCPD. Upon mediation of the PCPD, the doctor provided Ms. A with the requested data in July 2007. A written warning was also issued to the doctor.

5.    In July 2007, Ms. A made her second data access request to the doctor for copies of her medical records from January 1993 to July 2007. The doctor again failed to respond to Ms. A within 40 days after receiving the request, so Ms. A made her second complaint to the PCPD. The case was subsequently referred to the police for prosecution.

6.    After investigation, the doctor was charged with an offence of breaching sections 19 and 64 of the Ordinance. The doctor pleaded guilty to the charge and was fined $1,000.

7.    Mr. Woo said, “I hope data users could learn from this case so that they will handle “data access requests” seriously and adopt adequate measures to ensure compliance with the Ordinance.”