To share is not to care: Hong Kong Privacy Commissioner finds healthcare service provider’s contravention in sharing and disclosure of clients’ personal data

Written By

Wilfred Ng

Partner
China

I am a partner in our Commercial Department based in Hong Kong. As a technology, media, telecoms and data protection lawyer, I am experienced in advising on all aspects of commercial, transactional and regulatory matters in the TMT space.

Alison Wong

Partner
China

As a partner in our Intellectual Property Group in Hong Kong and Head of our Life Sciences & Healthcare Sector Group in Asia, I have 24 years' experience in advising clients in the life sciences, healthcare, food & beverage and retail & consumer sectors.

The Office of the Privacy Commissioner for Personal Data (“PCPD”) in Hong Kong issued an investigation report on 14 November 2022 regarding the non-compliance with the Personal Data (Privacy) Ordinance (“PDPO”) by a healthcare service provider concerning the disclosure and transfer of personal data of clients.

Background

PCPD commenced investigations on receipt of two separate complaints lodged against four brands held by EC Healthcare in the provision of various clinical healthcare and medical consultation services: Primecare Paediatric Wellness Centre (“Primecare”), Dr Reborn, New York Medical Group (“NYMG”) and re:HEALTH.

The complaints concerned the fact that “cross-brand” access to personal data was made possible for another service provider within the group when the clients had only dealt with and provided data to the original service provider. According to the investigation report, EC Healthcare had shared the clients’ personal data of two newly acquired brands (Primecare and NYMG) with its other existing brands through an integrated system without informing the affected clients or seeking their consent. The complainants became aware of such sharing in two separate instances: staff of EC Healthcare’s existing brands had sent an SMS message containing personal data of a client of Primecare, and had initiated a telephone conversation which revealed that the staff had access to the personal data of a client of NYMG.

PCPD has the statutory right to investigate any suspected violations of the PDPO based on reasonable grounds of belief or upon receiving a complaint.

Upon concluding its investigation, PCPD took the view that there had been a PDPO contravention and issued an enforcement notice to EC Healthcare directing it, among other things, to cease and prohibit any cross-brand sharing unless such sharing and access was explicitly stated at the time of collection or the data subjects gave express consent; and to ensure that any personal data integrated into the system through future acquisitions was originally collected for the purposes of cross-brand sharing and access.

Findings of the PCPD

The investigation report finds that EC Healthcare stored personal data of clients of newly acquired brands in an integrated system, resulting in the clients’ personal data of one brand being disclosed to the staff of other brands for their access and use. Notably, the majority of brands under EC Healthcare have adopted the system, involving a significant number of data subjects.

Frontline staff of the 28 brands of EC Healthcare were able to gain cross-brand access to and use clients’ personal data from the integrated system without the clients’ knowledge and consent, inconsistent with the original purpose of collection of personal data provided to a single brand.

PCPD considers that, in contravention of Data Protection Principle 3(1) of the PDPO, EC Healthcare had failed to:

  • obtain consents from the complainants to the use, disclosure and transfer of their personal data amongst the various brands within the group; and
  • inform the complainants that their personal data would be stored in the integrated system.

Points to note for data users

This investigation is a stark reminder that data users must not assume that data collected for an original purpose is automatically available for any subsequent intra-group transfer, use or access by other group entities. Data Protection Principle 3 stipulates that, without the express and voluntary consent of the data subject, personal data shall only be used for the purpose for which the data was to be used at the time of collection, or for a purpose directly related to that purpose.

An effective way of managing PDPO compliance for personal data of operations acquired through business expansion is through internal policies and a governance structure: ensuring that the original collection in the first instance covers any future intra-group sharing or access, and that such purpose has been duly notified to the relevant data subjects.
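As an added example (not code from the PCPD report or from EC Healthcare), the following Python models the purpose-limitation gate that the enforcement notice describes: a brand's staff may read a record only if their brand collected it, the collection notice stated intra-group sharing, or the client expressly consented to that brand, and every decision is logged for review. Brand names are taken from the report; the client ids and consent states are constructed.

```python
from dataclasses import dataclass

# Hypothetical record model: remembers which brand collected the data, whether
# the collection notice stated cross-brand sharing, and which other brands the
# client expressly consented to. None of this is EC Healthcare's real schema.
@dataclass(frozen=True)
class ClientRecord:
    client_id: str
    collecting_brand: str
    notice_covers_group_sharing: bool = False
    consented_brands: frozenset = frozenset()

def check_access(record: ClientRecord, requesting_brand: str, audit: list) -> bool:
    """Return True only when access is consistent with the purpose of collection.
    Every decision, allowed or denied, is appended to the audit list."""
    if requesting_brand == record.collecting_brand:
        allowed, reason = True, "same brand that collected the data"
    elif record.notice_covers_group_sharing:
        allowed, reason = True, "collection notice stated intra-group sharing"
    elif requesting_brand in record.consented_brands:
        allowed, reason = True, "express consent for this brand"
    else:
        allowed, reason = False, "cross-brand access without notice or consent"
    audit.append((record.client_id, requesting_brand, allowed, reason))
    return allowed

def denied_attempts(audit: list) -> list:
    """Audit entries a data protection officer would review: refused cross-brand reads."""
    return [entry for entry in audit if not entry[2]]

def run_sample() -> list:
    """Constructed scenario mirroring the report: a record collected by the newly
    acquired Primecare brand is read by staff of another group brand."""
    audit: list = []
    # Constructed sample records; client ids are placeholders.
    primecare_client = ClientRecord("client-A", "Primecare")
    consenting_client = ClientRecord("client-B", "Primecare",
                                     consented_brands=frozenset({"Dr Reborn"}))
    notified_client = ClientRecord("client-C", "re:HEALTH",
                                   notice_covers_group_sharing=True)
    check_access(primecare_client, "Primecare", audit)   # own brand: allowed
    check_access(primecare_client, "Dr Reborn", audit)   # the complaint pattern: denied
    check_access(consenting_client, "Dr Reborn", audit)  # express consent: allowed
    check_access(notified_client, "Dr Reborn", audit)    # notice at collection: allowed
    return audit

if __name__ == "__main__":
    for entry in run_sample():
        print(entry)
```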

Data subjects are also patients. Apart from data protection considerations, healthcare service providers must always consider the duty of confidentiality (owed to patients) prior to disclosing or accessing any information in the provision of medical or consultation services.
