Legal update: Privacy, Politics and Protests: Perspectives on privacy issues in Hong Kong


Personal data privacy is often seen as one of the lesser legal rights in this part of the world. You are in a coffee shop, and click through the free wifi Terms of Use. You’re using a new site to buy an experience holiday, and click ok to those pesky cookie notices. Then, suddenly, it can be quite an important legal right. You are a police officer performing your duty in relation to recent demonstrations in Hong Kong, and your details are posted on the Lennon Walls. Personal data privacy becomes real.

The Privacy Commissioner in Hong Kong has issued a number of recent media statements to provide observations and respond to recent incidents with personal data privacy implications. Let’s have a look and see what was on his mind.

Personal data protection in Accident and Emergency Departments


Allegations were reported in the South China Morning Post on 18 June 2019 in respect of patient privacy in Accident & Emergency Departments in Hong Kong. The report stated that files of some patients treated in the emergency ward of a public hospital on June 12 and 13 were marked as having attended a “mass gathering” outside the Legislative Council building in Hong Kong, and there was a note on the top-left corner of the document that read “For police”. There was an additional allegation that access to the clinical data system in some hospitals could be obtained without requiring a login.

The Commissioner for Police denied that police officers had access to the IT systems in hospitals. Officers at police posts in hospitals had computers, but they were not connected to the hospital’s networks.

The Hospital Authority also clarified some misunderstandings arising from the reports. The tab “For Police” does not indicate any disclosure of patient data to police officers. This is a printing function option, used if the Hospital Authority needs police officers’ help to communicate with patients’ families. This may arise when a patient list would help the police account for injured or missing people, and when a hospital needs police help to contact a patient’s family. There is not a designated page or function for direct police access.

Views of the Privacy Commissioner

The Privacy Commissioner issued a media statement in respect of this allegation on 17 June 2019. This offered the Privacy Commissioner the opportunity to remind people of the limited scope of some exemptions from data protection principles. These exemptions are those that may apply in emergency situations and the detection of crime. In addition to these reminders, the Privacy Commissioner also commented on the need for any organisation that collects personal data to take practicable security measures to protect against unauthorised or accidental access.

The emergency situation exemption

An emergency situation will arise if the failure to disclose personal data may prejudice:

  1. identifying a person in a life-threatening situation;
  2. informing immediate family members or relevant persons of another person’s life-threatening situation;
  3. carrying out emergency rescue operations or providing emergency relief services.

In these situations, the organisation is exempt from the requirement to obtain the data subject’s consent for disclosure or use for a new purpose. A new purpose is a different purpose to the purposes disclosed at the time of the original collection of personal data. There is no automatic right for health officials to disclose patients’ personal data to police officers, without regard to data protection principles. The emergency situation exemption is much more limited than that. 

The detection of crime exemption

Personal data held for the purposes of the prevention or detection of crime is also exempt from the requirement to obtain the data subject’s consent for disclosure or use for a new purpose. However, even here, the exemption is qualified. The exemption only applies if the refusal to disclose the personal data would be likely to prejudice the detection of crime. Also, most of the other data protection principles continue to apply. 

The hospital needs to follow a process before it provides personal data of patients to enforcement officials for a new purpose. A hospital receiving a data access request from a police officer in relation to patient personal data would need to request the enforcement authority to provide sufficient information to assess whether the exemption applies. This information includes:

  1. the purpose of the data collection;
  2. the nature of the case being investigated;
  3. the relevance of the requested personal data to the investigation; and
  4. the reason why the investigation may be hindered if the personal data is not provided.

The enforcement authority should also inform the hospital whether the supply of the personal data is essential. 

Again, this exemption is significantly more limited than might first appear. There is no unqualified right for enforcement authorities to obtain patient personal data from hospitals in the course of criminal investigations or enquiries. Ultimately, if there is a dispute between the enforcement authority and the hospital, the enforcement authority can apply to the Courts for a search warrant.

Personal data protection in online chat rooms


The Privacy Commissioner has initiated criminal investigations into 430 cases in relation to the suspected disclosure of personal data of government officials, public figures, police officers, citizens and their family members in online discussion forums and instant messaging platforms. The allegation is that the disclosure of this personal data was without the consent of the related individuals, and for illegal purposes such as bullying, incitement and intimidation.

Views of the Privacy Commissioner

The Privacy Commissioner has taken a strong stance in relation to these complaints. The starting principle is that any person disclosing another’s personal data must consider whether the means of collection and use of that personal data is legal and fair. This applies even if the personal data in question was first obtained from the public domain. Simply because personal data was previously made public does not mean that it may be used for all purposes. More seriously, a person commits an offence if he discloses personal data of a data subject obtained from a data user without consent, and the disclosure causes psychological harm to the data subject.

The Privacy Commissioner has taken a number of steps to address this issue. He has set up a special team to proactively search for web links with improper posts, and to contact those platforms to remove links that include or involve privacy intrusion. There has been a reasonably cooperative response to this approach, with more than half of notified web links removed. The Privacy Commissioner has contacted overseas privacy enforcement authorities for cooperation in respect of platforms operated outside Hong Kong.

The psychological harm offence

The maximum penalty for the offence of unauthorised disclosure of personal data, causing psychological harm, is a fine of HK$1 million and imprisonment for five years. Some defences can be raised to the charge, including:

  1. the accused reasonably believed the disclosure was necessary for the purpose of preventing or detecting crime;
  2. the disclosure was required or authorised by law or an order of the court;
  3. the accused reasonably believed the data user had consented to the disclosure; or
  4. the accused disclosed the personal data for the purpose of a news activity, and had reasonable grounds to believe that publishing or broadcasting the personal data was in the public interest.

The Privacy Commissioner does not prosecute these offences himself. The process is that the Privacy Commissioner reports suspected criminal offences to the police for further investigation. The police will conduct enquiries and collect evidence. Ultimately, the Department of Justice will determine whether to initiate a prosecution against the persons involved. This all depends on the relevant facts of each case, and the available evidence.

Concluding comments

Personal data privacy is an unusual area of the law. Personal data rights are often invoked in aid of other objectives. For instance, data access requests are often used as an alternative or supplement to litigation disclosure and discovery processes. Other times, personal data rights seem to have little value. However, in stressful or contentious situations, personal data privacy rights are often a refuge and a resource. It is remarkable how neutral and fair the application of privacy rights can be in these scenarios. It is an equaliser.

The recent media statements of the Privacy Commissioner highlight this point once again. Enforcement authorities do not have any unqualified right of access to personal data of data subjects (whether in hospitals or otherwise). Netizens using personal data of police officers or other officials in online media forums for unlawful purposes could be committing a criminal offence under the Personal Data (Privacy) Ordinance, even if that personal data was obtained from the public domain. Both sides of the current political dimension in Hong Kong are on the receiving end of fair and impartial comment from the Privacy Commissioner, applying privacy principles that can protect us all.

Padraig Walsh

The above is not intended to be relied on as legal advice and specific legal advice should be sought at all times in relation to the above.
