An investigation report into a data breach involving
Any organisation obtaining personal data from another data user, particularly in the course of a merger and/or acquisition, should obtain prior explicit consent from data subjects for any cross-brand transfers or uses of personal data that go beyond purposes notified to them at the time of collection.
Background
These 28 brands include
The System contained personal information of around 1.08 million members, including their names, membership numbers, partial telephone numbers, vaccination and medical check-up records, and past purchase records.
All frontline staff of the EC Healthcare brands could access the System and, by inputting a client's phone number, retrieve the records of that client or member and of their related family members.
Complaints
On 10 June and
The June Complaint related to a complainant who took her daughter to consult a doctor at
The August Complaint related to a complainant who visited NYMG for chiropractic treatments in
In
The PCPD investigation revealed that:
- Primecare's collection of client personal data was only for the provision of medical services and was not explicitly evidenced in writing, and
- NYMG had only informed its clients that personal data would be collected for the provision of treatments and dissemination of healthcare newsletters (together, the Original Purposes).
This collection was also carried out prior to
PCPD findings
Subject to the exemptions in Part 8 of the Personal Data (Privacy) Ordinance (Cap 486) (PDPO), Data Protection Principle 3 stipulates that a data user shall not, without the prescribed consent of the data subject, use personal data for a new purpose, meaning any purpose other than:
(a) the purpose notified at the time of collection, or
(b) a purpose directly related to the original purpose for which the data was collected (see the definition of 'new purpose' at Data Protection Principle 3(4) of Schedule 1 of the PDPO, and the consent requirement at Data Protection Principle 3(1) of Schedule 1 of the PDPO). In the context of the PDPO, use includes the disclosure and transfer of personal data (see section 2 of the PDPO for the definition of 'use').
Note that while one of the exemptions in Part 8 of the PDPO allows the sharing and disclosure of personal data without data subjects' consent in the context of a merger or acquisition, this is not a general exemption for mergers and acquisitions activities, but solely for the purpose of conducting due diligence. Data must be returned or destroyed as soon as practicable after the completion of such due diligence.
By failing to specify at the time of data collection that the data might be shared amongst group companies, or integrated into the System for access by frontline staff from other group companies, subsequent use of the data post-merger fell outside the Original Purposes.
While this could have been addressed by obtaining client consent for the use, disclosure and transfer of their data among
Enforcement notice and recommendation
As a result of
(1) cease and prohibit cross-brand sharing of client personal data and access by staff under different brands through the System, unless EC Healthcare had explicitly notified clients of such sharing and cross-brand access to personal data and obtained their consent
(2) ensure prior express consent is obtained from clients for use of their data by group companies, or sharing of their personal data, before such data is integrated into the System in future
(3) formulate written policies and guidelines to instruct staff on the permissible use of and access to clients' personal data in the System, and proper execution of requirements (1) and (2), and
(4) provide training to staff responsible for or involved in handling relevant personal data.
Under section 50 of the PDPO, where the PCPD considers there has been a contravention, it may direct data users to take remedial actions within a specified period of time. Failure to comply with such enforcement action may expose data users to criminal liability - a maximum fine of up to
Observations and takeaways
The PCPD investigation highlights multiple areas that data users need to keep in mind when collecting and using personal information.
The importance of record-keeping
The data from subjects of the two complaints had been collected years prior to the complaints, but there were no records of how the data was collected. This demonstrates the importance of record-keeping, because in the event of an investigation data users would need such records at hand to evidence their compliance with the PDPO (that is, to demonstrate that adequate notification had been provided to subjects at the point of data collection). This is also helpful when data users conduct an audit and/or are required, in a merger situation, to demonstrate good data practices. Data users should therefore review their records retention policies and practices to ensure such records are adequately preserved.
Ensuring data users have relevant policies in place that are consistent with data use practices
In the case of the June Complaint, the data subject was not notified of the purpose of data collection, nor of the possibility of a transfer or the class of transferees. In the case of the August Complaint, the purpose of collection was narrowly stated and limited to the provision of medical treatment and marketing through newsletters. In both cases, no information relating to the potential classes of transferees was provided to the respective customers. Since the data subjects had not been notified,
Obtaining requisite consent from data subjects for any changes in the purposes/uses of personal data
In addition to the aforementioned deficiencies, there was also no notification to customers of the acquisition of other brands. In particular, customers were not informed of storage of their personal information in the System, nor that their personal data would be accessible by all staff of
The PCPD powers of investigation
In addition to conducting the investigation in writing, the PCPD also exercised its power to visit the office of
Under section 50A of the PDPO, a contravention of an enforcement notice is an offence that would subject offenders to a maximum fine of
Higher standards expected for listed companies
The PCPD also expressed an expectation that as a listed company,
Privacy Impact Assessment
The PCPD implied that
Conclusion
Large conglomerates with multiple subsidiaries or companies operating multiple brands should heed this case and implement appropriate staff access management policies to avoid unnecessary cross-brand sharing of clients' personal data.
Where an internal system is deployed to manage clients' personal data collected by various subsidiaries or brands, a data audit prior to implementation is a must, followed by a road map for obtaining clients' consent to further uses of the data across group companies.
The authors would like to thank
Originally published by CGj.
© Copyright 2020. The Mayer Brown Practices. All rights reserved.
© Mondaq Ltd, 2023 - http://www.mondaq.com