An investigation report into a data breach involving EC Healthcare published by the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) on 14 November 2022 highlights the need for organisations to ensure that any use of personal data is limited to purposes notified at the time of collection, or a directly related purpose.
Any organisation obtaining personal data from another data user, particularly in the course of a merger and/or acquisition, should obtain prior explicit consent from data subjects for any cross-brand transfers or uses of personal data which go beyond purposes notified to them at the time of collection.
EC Healthcare is a Hong Kong-listed company (2138.HK) offering one-stop, non-hospital medical health care services in Asia, including medical, aesthetics and wellness services. It owns a number of businesses operating under 39 brands, 28 of which have adopted an integrated internal system (System).
These 28 brands include Primecare Paediatrics Wellness Centre (Primecare), DR REBORN, New York Medical Group (NYMG) and re:HEALTH.
The System contained personal information of around 1.08 million members, including their names, membership numbers, partial telephone numbers, vaccination and medical check-up records, and past purchase records.
All frontline staff of the EC Healthcare brands could access the System and records of a particular client or member, and related family members, by inputting the client’s phone number.
On 10 June and 26 August 2021, the PCPD received two complaints about EC Healthcare companies (June Complaint and August Complaint).
The June Complaint related to a complainant who took her daughter to consult a doctor at Primecare clinic in June 2018. She gave the phone number of the daughter’s grandmother as a contact. EC Healthcare subsequently acquired Primecare and integrated Primecare’s client personal data into the System. In 2020, the grandmother, after visiting DR REBORN, received a text message from DR REBORN that included her granddaughter’s name – which had only been provided to Primecare, not to DR REBORN.
The August Complaint related to a complainant who visited NYMG for chiropractic treatments in March 2016. In a similar fact matrix, EC Healthcare subsequently acquired NYMG and integrated NYMG’s client data into the System.
In July 2021, when the complainant contacted re:HEALTH to follow up on some complaints filed by his family members, he was addressed by his full name – despite never having provided this full name to re:HEALTH. Staff from re:HEALTH were also able to access the complainant’s record maintained with NYMG.
The PCPD investigation revealed that (1) Primecare's collection of client personal data was only for the provision of medical services, and was not explicitly evidenced in writing; and (2) NYMG had only informed its clients that personal data would be collected for the provision of treatments and dissemination of healthcare newsletters (together, the Original Purposes).
This collection was also carried out prior to EC Healthcare’s acquisition of Primecare and NYMG. Neither Primecare nor NYMG informed their clients about this acquisition. EC Healthcare failed to obtain relevant consent from pre-existing clients of Primecare and NYMG, whose personal data they added to the System after acquiring Primecare and NYMG.
Subject to exemptions under Part 8 of the PDPO [1], Data Protection Principle 3 of the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) stipulates that a data user shall not use personal data of a data subject for a new purpose, which is not (a) the purpose notified at the time of collection, or (b) a purpose directly related to the original purpose for which the data was collected [2], without prescribed consent from the data subject. [3] In the context of the PDPO, “use” includes the disclosure and transfer of personal data. [4]
Because EC Healthcare did not specify at the time of data collection that the data might be shared amongst group companies, or integrated into the System for access by frontline staff from other group companies, subsequent use of the data post-merger fell outside the Original Purposes.
While this could have been addressed by obtaining client consent for the use, disclosure and transfer of their data among EC Healthcare companies, EC Healthcare’s failure to do so led the PCPD to conclude that it had contravened Data Protection Principle 3 of the PDPO.
Enforcement Notice and Recommendation
As a result of EC Healthcare’s breach of the PDPO, the PCPD issued an enforcement notice requiring it to take remedial action to prevent recurrence of the breach. In particular, EC Healthcare was required to:
- cease and prohibit cross-brand sharing of client personal data and access by staff under different brands through the System, unless EC Healthcare had explicitly notified clients of such sharing and cross-brand access to personal data and obtained their consent;
- ensure prior express consent is obtained from clients for use of their data by group companies, or sharing of their personal data, before such data is integrated into the System in future;
- formulate written policies and guidelines to instruct staff on the permissible use of and access to clients’ personal data in the System, and on the proper execution of the first two requirements above; and
- provide training to staff responsible for or involved in handling relevant personal data.
Under section 50 of the PDPO, where the PCPD considers there has been a contravention, it may direct data users to take remedial actions within a specified period of time. Failure to comply with such enforcement action may expose data users to criminal liability – a maximum fine of up to HK$100,000 and imprisonment for 2 years.
Observations and Takeaways
The PCPD investigation highlights multiple areas that data users need to keep in mind when collecting and using personal information, including:
- The importance of record keeping. The data of the subjects of the two complaints had been collected years prior to the complaints, but there were no records of how the data was collected. This demonstrates the importance of record keeping: in the event of an investigation, data users need such records at hand to evidence their compliance with the PDPO (i.e. to demonstrate that adequate notification had been provided to subjects at the point of data collection). Such records are also helpful when data users conduct an audit and/or are required, in a merger situation, to demonstrate good data practices. Data users should therefore review their records retention policies and practices to ensure such records are adequately preserved.
- Ensuring data users have relevant policies in place that are consistent with data use practices. In the case of the June Complaint, the data subject was not notified of the purpose of data collection, nor of the possibility of a transfer or the class of transferees. In the case of the August Complaint, the purpose of collection was narrowly stated and limited to the provision of medical treatment and marketing through newsletters. In both cases, no information relating to the potential classes of transferees was provided to the respective customers. Since the data subjects had not been notified, EC Healthcare’s subsequent consolidation of the personal information in the System contravened the PDPO.
- Obtaining requisite consent from data subjects for any changes in the purposes/uses of personal data. In addition to the aforementioned deficiencies, there was also no notification to customers of the acquisition of other brands. In particular, customers were not informed of storage of their personal information in the System, nor that their personal data would be accessible by all staff of EC Healthcare (and not just the brand they initially provided their personal information to). The investigation report therefore serves as a reminder that any uses of personal data subsequent to a merger and/or acquisition may require data subjects’ consent, combined with proper and adequate notification of the purposes of data collection and the classes of transferees of the data, through a clearly drafted personal information collection statement (PICS).
- The PCPD powers of investigation. In addition to conducting the investigation in writing, the PCPD also exercised its power to visit the office of EC Healthcare and conducted site inspections at two branches of its companies/brands. There have been few instances where such powers have been exercised, and the disruption to business operations of a company in such cases cannot be overlooked. The legislation requires full and prompt co-operation with PCPD investigations, failure of which amounts to a criminal offence. [5]
- Higher standards expected for listed companies. The PCPD also expressed an expectation that as a listed company, EC Healthcare should have adopted a more sophisticated approach to its data practices. The explicit mention of listed companies by the PCPD serves as a good reminder to such companies, as well as large group companies with more extensive business operations, to expect to be held to a higher standard in the event of an investigation, and assess and amend their internal data processing policies and procedures accordingly.
- Privacy Impact Assessment (PIA). The PCPD implied that EC Healthcare should have carried out a PIA before implementing the System. While there is no requirement under the PDPO for data users to conduct a PIA, unlike under the General Data Protection Regulation in the European Union, this remark serves as a reminder to companies undergoing digital transformation projects to keep privacy by design front of mind when embarking on such projects.
Large conglomerates with multiple subsidiaries or companies operating multiple brands should heed this case and implement appropriate staff access management policies to avoid unnecessary cross-brand sharing of clients’ personal data.
Where an internal system is deployed to manage clients’ personal data collected by various subsidiaries or brands, a data audit prior to implementation is a must – followed by a road map to obtain clients’ consent for further uses of the data across group companies.
The authors would like to thank Peggy Tsang, Trainee Solicitor at Mayer Brown, for her assistance with this Legal Update.
[1] Note that while one of the exemptions in Part 8 of the PDPO allows the sharing and disclosure of personal data without data subjects’ consent in the context of a merger or acquisition, this is not a general exemption for mergers and acquisitions activities, but solely for the purpose of conducting due diligence. Data must be returned or destroyed as soon as practicable after the completion of such due diligence.
[2] See the definition of new purpose at Data Protection Principle 3(4) of Schedule 1 of the PDPO.
[3] See Data Protection Principle 3(1) of Schedule 1 of the PDPO.
[4] See s. 2 of the PDPO for the definition of “use”.