Introduction
An investigation report into a data breach involving
Any organisation obtaining personal data from another data user, particularly in the course of a merger and/or acquisition, should obtain prior explicit consent from data subjects for any cross-brand transfers or uses of personal data which go beyond purposes notified to them at the time of collection.
Background
These 28 brands include
The System contained personal information of around 1.08 million members, including their names, membership numbers, partial telephone numbers, vaccination and medical check-up records, and past purchase records.
All frontline staff of the EC Healthcare brands could access the System and records of a particular client or member, and related family members, by inputting the client's phone number.
Complaints
On 10 June and
The June Complaint related to a complainant who took her daughter to consult a doctor at
The August Complaint related to a complainant who visited NYMG for chiropractic treatments in
In
The PCPD investigation revealed that (1)
This collection was also carried out prior to
PCPD Findings
Subject to exemptions under Part 8 of the PDPO [1], Data Protection Principle 3 of the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) stipulates that a data user shall not use personal data of a data subject for a new purpose, which is not (a) the purpose notified at the time of collection, or (b) a purpose directly related to the original purpose for which the data was collected [2], without prescribed consent from the data subject. [3] In the context of the PDPO, "use" includes the disclosure and transfer of personal data. [4]
By failing to specify at the time of data collection that the data might be shared amongst group companies, or integrated into the System for access by frontline staff from other group companies, subsequent use of the data post-merger fell outside the Original Purposes.
While this could have been addressed by obtaining client consent for the use, disclosure and transfer of their data among
Enforcement Notice and Recommendation
As a result of
- cease and prohibit cross-brand sharing of client personal data and access by staff under different brands through the System, unless EC Healthcare had explicitly notified clients of such sharing and cross-brand access to personal data and obtained their consent;
- ensure prior express consent is obtained from clients for use of their data by group companies, or sharing of their personal data, before such data is integrated into the System in future;
- formulate written policies and guidelines to instruct staff on the permissible use of and access to clients' personal data in the System, and proper execution of requirements (1) and (2); and
- provide training to staff responsible for or involved in handling relevant personal data.
Under section 50 of the PDPO, where the PCPD considers there has been a contravention, it may direct data users to take remedial actions within a specified period of time. Failure to comply with such enforcement action may expose data users to criminal liability - a maximum fine of up to
Observations and Takeaways
The PCPD investigation highlights multiple areas that data users need to keep in mind when collecting and using personal information, including:
- The importance of record keeping. The data of the subjects of the two complaints had been collected years prior to the complaints, but there were no records of how the data was collected. Records of this kind matter because, in the event of an investigation, data users need them at hand to evidence their compliance with the PDPO (i.e. to demonstrate that adequate notification had been provided to subjects at the point of data collection). They are also useful when data users conduct an audit and/or are required, in a merger situation, to demonstrate good data practices. Data users should therefore review their records retention policies and practices to ensure such records are adequately preserved.
- Ensuring data users have relevant policies in place that are consistent with data use practices. In the case of the June Complaint, the data subject was not notified of the purpose of data collection, nor of the possibility of a transfer or the class of transferees. In the case of the August Complaint, the purpose of collection was narrowly stated and limited to the provision of medical treatment and marketing through newsletters. In both cases, no information relating to the potential classes of transferees was provided to the respective customers. Since the data subjects had not been notified, EC Healthcare's subsequent consolidation of the personal information in the System contravened the PDPO.
- Obtaining requisite consent from data subjects for any changes in the purposes/uses of personal data. In addition to the aforementioned deficiencies, there was also no notification to customers of the acquisition of other brands. In particular, customers were not informed of the storage of their personal information in the System, nor that their personal data would be accessible by all staff of EC Healthcare (and not just the brand to which they initially provided their personal information). The investigation report therefore serves as a reminder that any uses of personal data subsequent to a merger and/or acquisition may require data subjects' consent, combined with proper and adequate notification of the purposes of data collection and the classes of transferees of the data, through a clearly drafted personal information collection statement (PICS).
- The PCPD powers of investigation. In addition to conducting the investigation in writing, the PCPD also exercised its power to visit the office of EC Healthcare and conducted site inspections at two branches of its companies/brands. There have been few instances where such powers have been exercised, and the disruption to the business operations of a company in such cases cannot be overlooked. The legislation requires full and prompt co-operation with PCPD investigations, failure of which amounts to a criminal offence. [5]
- Higher standards expected for listed companies. The PCPD also expressed an expectation that, as a listed company, EC Healthcare should have adopted a more sophisticated approach to its data practices. The explicit mention of listed companies by the PCPD serves as a good reminder to such companies, as well as to large group companies with more extensive business operations, to expect to be held to a higher standard in the event of an investigation, and to assess and amend their internal data processing policies and procedures accordingly.
- Privacy Impact Assessment (PIA). The PCPD implied that EC Healthcare should have carried out a PIA before implementing the System. While there is no requirement under the PDPO for data users to conduct a PIA, unlike under the General Data Protection Regulation in the European Union, this remark serves as a reminder to companies undergoing digital transformation projects to keep privacy by design front of mind when embarking on such projects.
Conclusion
Large conglomerates with multiple subsidiaries or companies operating multiple brands should heed this case and implement appropriate staff access management policies to avoid unnecessary cross-brand sharing of clients' personal data.
Where an internal system is deployed to manage clients' personal data collected by various subsidiaries or brands, a data audit prior to implementation is a must, followed by a road map to obtain clients' consent for further uses of the data across group companies.
The authors would like to thank
Footnotes
[1] Note that while one of the exemptions in Part 8 of the PDPO allows the sharing and disclosure of personal data without data subjects' consent in the context of a merger or acquisition, this is not a general exemption for mergers and acquisitions activities, but solely for the purpose of conducting due diligence. Data must be returned or destroyed as soon as practicable after the completion of such due diligence.
[2] See the definition of "new purpose" at Data Protection Principle 3(4) of Schedule 1 of the PDPO.
[3] See Data Protection Principle 3(1) of Schedule 1 of the PDPO.
[4] See s. 2 of the PDPO for the definition of "use".
[5] Under section 50A of the PDPO, a contravention of an enforcement notice is an offence that would subject offenders to a maximum fine of
© Copyright 2020. The Mayer Brown Practices. All rights reserved.
© Mondaq Ltd, 2022 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source