Hong Kong regulator declares that the disclosure of personal data of potential COVID-19 carriers is permissible under law.

By Kieran Donovan

COVID-19 is having a profound impact not only on the way the world interacts socially, but also in the way it interacts in business. Businesses are choosing to protect the health and well-being of their employees by vetting the travel histories and health status of visitors, as well as tracking potential COVID-19 carriers using social media.

Hong Kong’s data protection regulator, the Office of Privacy Commissioner for Personal Data (PCPD), has recently published guidance considering the implications of these activities, as described below.

Consent required for use of personal data outside original purpose

“Personal data” is defined in the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) as information that relates to a living person, can be used to identify that person, and exists in a form in which access to or processing of it is practicable.

The PDPO sets out six data protection principles (DPPs) that must be complied with when dealing with personal data. The third principle (DPP3) prohibits the use of personal data for any new purpose that differs from, or is unrelated to, the original purpose for which the data was collected. Prior consent of the relevant parties must be obtained before using the information for a different purpose, e.g., if previously collected information will now be used for tracking potential virus carriers. The purpose of DPP3 is to protect one’s personal data from potential abuse or misuse.

Disclosure of suspected virus carriers’ personal data

Notwithstanding the importance of obtaining consent before using personal data for another purpose, the PCPD has instructed that using personal information available on social media to track potential COVID-19 carriers or disclosing their personal information to third parties (e.g., health authorities) is permissible under the PDPO. The PCPD has indicated that this is lawful as it is for the purpose of protecting public interest and public health.

PDPO public health exemption

The PDPO provides for an exception to the general rule in DPP3. That is, a data user (also known as “data controller” in other data protection regimes) may disclose personal data relating to the physical or mental health of the data subject (the individual) to a third party without the data subject’s consent if the application of DPP3 would likely cause serious harm to the physical or mental health of the data subject or any other individual.

Pursuant to this, a data user may disclose the identity or location of a data subject to a third party without the data subject’s consent. This exemption is designed to enable relevant authorities/persons timely access to a person’s personal data, e.g., a suspected carrier’s identity, and to take immediate action to protect public health interests.

In addition, the PCPD has confirmed that although the right to personal data privacy is a fundamental right, it is not an absolute right, and it is subject to other competing rights or interests specified under the International Covenant on Civil and Political Rights, such as the absolute right to life and public interest. Therefore, where the right to life and public interest are thrown into the balance, they will prevail over the right to personal data privacy.

PDPO required by law exemption

As COVID-19 has been added to the Prevention and Control of Disease Ordinance (Cap. 599) as a notifiable infectious disease, medical practitioners are required under law to notify the Department of Health of all suspected or confirmed cases of COVID-19. Therefore, the PCPD has stated that medical practitioners may rely on section 60B of the PDPO to disclose a data subject’s personal data to the Department of Health without their consent for the purpose of protecting public health. Section 60B provides that DPP3 does not apply if personal data is required to be disclosed under law.

Doxxing is illegal and unethical

Although there are exceptions to DPP3, the PCPD reminds the public that, in general, DPP3 should be complied with and, in particular, doxxing (i.e., deliberately posting another person’s personal data online with the intention of causing harm) will not be tolerated. In February 2020, the PCPD received a large number of cases of organized doxxing of medical staff, and one complaint of doxxing of a suspected COVID-19 patient’s personal data. The PCPD has stated that doxxing is a “despicable weaponisation of personal data” and is a contravention of the PDPO. Under section 64(2) of the PDPO, it is an offence for a person to disclose any personal data of a data subject obtained from a data user without the data user’s consent if the disclosure causes psychological harm to the data subject. Breach of this provision can result in a fine of up to HK$1 million and imprisonment of up to five years. Doxxing and cyberbullying may also constitute criminal offences, such as criminal intimidation. Affected persons may claim compensation from the persons involved in respect of the damage suffered.

Guidelines for employers and employees in relation to health data

The COVID-19 outbreak has raised the question of whether employers are permitted to collect health data about their employees to help monitor and prevent the spread of the virus. The PCPD has stated that this is permitted as the collection/use of personal data is in the public interest and/or the interest of public health. However, employers must bear in mind that the use and collection of data must adhere to the usual DPPs, including the principles of minimization, purpose specification and use limitation. Most importantly, the measures taken to collect data must be necessary, appropriate, and proportionate.

As many employees transition to work-from-home arrangements, there may be more opportunities for cybercrime. Employers and employees must stay vigilant during these times, and the PCPD has set out some practicable steps to safeguard personal data security prior to working from home.

Are employers permitted to collect health data from employees, and if so, what kinds of personal data?

Yes, the PCPD confirmed that there is a legitimate basis for employers to collect additional data of their employees to help control the spread of the disease and to protect the health of employees. The kinds of personal data that employers may take include employees’ temperature measurements, information on medical symptoms that may reflect COVID-19 symptoms and their travel history if they have returned from overseas.

How should employers collect health data?

A self-reporting system is preferred to an across-the-board mandatory system where health data is collected indiscriminately. Employers should spell out to their employees how the data collected will be handled and a fresh Personal Information Collection Statement must be provided if the collection of data is not covered by the existing privacy notices.

Once the purpose for which personal data is collected is fulfilled (i.e., for the purposes of fighting COVID-19), employers shall “permanently destroy” the personal data collected. To ensure its security, employers should take all practicable steps (e.g., encrypting data) to protect the personal data collected against unauthorized or accidental use. This is particularly important as health data is sensitive personal data and a breach may cause significant harm to the individuals concerned.

Disclosure of employees’ health data

As mentioned above, for the purposes of protecting public health, it will not be a breach of DPP3 for employers to disclose the identity, health, and location data of individuals to the health authorities. If an employee becomes infected, the employer may notify relevant parties at the workplace (e.g., other employees, office and building management) without disclosing personally identifiable information of the infected employee, i.e., disclosure that a staff member has been infected is sufficient.

Other privacy questions

Is collecting location data for quarantine purposes lawful?

The PCPD has stated that location data of persons under quarantine is collected for a lawful purpose, which is to enable the government to monitor compliance with quarantine conditions for public interest. Also, as the consent of quarantined individuals was obtained before implementation of the quarantine, the collection of such data is lawful and not excessive.

Can merchants require customers to register their real names when buying masks?

The PCPD has stated that, in accordance with the DPPs, merchants must collect customers’ personal data in a lawful and fair manner, should not collect excessive data, and should not retain personal data for longer than necessary to achieve the original purpose. Therefore, merchants should erase the personal data collected as soon as practicable after selling the masks, and if the personal data is to be used for a new purpose, the data subject’s prior consent must be obtained.

This post was prepared with the assistance of Malika Sajdik and Bianca Lee in the Hong Kong office of Latham & Watkins LLP.