This legal update is part of our series of updates to discuss the implications of the Personal Data (Privacy) Amendment Ordinance 2012 ("Amendment Ordinance").
In this legal update, we look at a new criminal offence created under the Amendment Ordinance which prohibits the disclosure of personal data kept by a data user without the data user’s consent.
An example of where this provision applies is where an employee sells personal data obtained in the course of his employment to a marketing company. The new provision in the Amendment Ordinance makes the employee criminally liable for the unauthorised disclosure of the personal data.
Read on to find out how you can manage these risks in the workplace more effectively!
1. Before the amendment:
Under the Personal Data (Privacy) Ordinance (PDPO), data protection principle (DPP) 3 provides that unless a data user obtains the consent of the data subject, a data user cannot use the personal data of a data subject for any purpose other than:
- the original data collection purpose; or
- a directly related purpose.
However, there is no criminal sanction for delinquent employees who wilfully contravene DPP 3. Employees are not "data users" if they hold the personal data for their employer.
Under section 65 of the PDPO, if employees improperly use or disclose personal data obtained during the course of their employment, the employer would be liable for such actions whether or not they were carried out with the employer's knowledge or approval. The only defence available is where the employer can demonstrate to the Privacy Commissioner that it took "such steps as were reasonably practicable" to prevent the employees from carrying out that act or engaging in that practice.
2. What's New?
2.1 New offence - disclosure of personal data for gain or to cause loss or psychological harm
Under the new section 64 created under the Amendment Ordinance, it is a criminal offence for a person to disclose any personal data of a data subject obtained from a data user without the data user's consent with the intention to:
- obtain a gain in money or other property, whether for his own benefit or not; or
- cause loss to the data subject.
It is also an offence for a person to disclose (irrespective of his intention) any personal data of a data subject obtained from a data user without the data user’s consent where the disclosure causes psychological harm to the data subject.
Under this new offence, employees who sell personal data obtained during the course of employment to a marketing company would be criminally liable for their actions.
Employees who recklessly disclose customer data to third parties and as a result cause psychological harm to the customers could also incur criminal liability.
The maximum penalty for the offence is HK$1,000,000 and imprisonment for up to five years.
The Amendment Ordinance provides a number of defences for an individual who has breached the new section 64, namely:
- the individual reasonably believed that the disclosure was necessary for the purpose of preventing or detecting a crime;
- the disclosure was required or authorised by law or by an order of a court;
- the individual reasonably believed that the data user had consented to the disclosure; or
- the individual:
  - disclosed the personal data for the purpose of a news activity or a directly related activity; and
  - had reasonable grounds to believe that the publishing or broadcasting of the personal data was in the public interest.
3. The Privacy Commissioner's views
The Privacy Commissioner has indicated that under the new law, it is irrelevant whether there is actual gain (by the person disclosing the personal data or another person) or loss (by the data subject).
It is the intention to obtain gain or cause loss that matters.
The terms “gain” and “loss” are not restricted to gain or loss in the monetary sense, but can include gain or loss in other property.
Further, the “gain” which may be obtained can be for the benefit of the person disclosing the personal data, or for the benefit of another person. However, the “loss” caused by the disclosure must be caused to the data subject and not to other people.
4. Tips from us
To incur liability under this new provision, the individual disclosing the personal data (e.g. an employee) must have failed to obtain consent from the data user (e.g. the employer) to do so. However, it is not clear whether consent from the data user needs to be expressed explicitly, or can be implied.
To minimise the risks of contravention, employers should consider the following:
- alert all employees to this newly created offence;
- not give consent, or be seen to give consent, to employees to disclose or use personal data they obtained during the course of employment for non-work-related purposes;
- provide regular training to employees on handling of personal data and keep a record of these training sessions;
- ensure adequate policies and procedures are in place for handling personal data; and
- ensure adequate security measures are implemented to protect personal data (such as restricting access to personal data through the use of passwords, storing personal data in a secure location, etc.).
We recommend that in adopting the measures suggested above, employers should keep a record of the steps they have taken.
In the event that an employee breaches a provision of the PDPO, the employer can use this record to demonstrate to the Privacy Commissioner that it has taken "such steps as were reasonably practicable" to prevent such actions from being taken by the employee.
To minimise the risk of non-compliance with the new requirements under the Amendment Ordinance, data users would be well advised to provide adequate training to employees on the handling of personal data.
Stay tuned for our other updates on the Amendment Ordinance!