Introduction

In a recent case of 香港特別行政區 訴 陳景僖DCCC 164/2020, the District Court held that unauthorised access of information available by virtue of employment may constitute dishonesty under the offence of“obtaining access to a computer with a view to dishonest gain for himself or another” (section 161 of Crimes Ordinance (Cap. 200)) and was contrary to disclosing personal data obtained without consent from data users under section 64 of the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”). This is the first doxxing case sentenced for contravention of the PDPO.

Background

On 22 September 2019, the Defendant was found taking photos of a police station using a mobile phone and he was brought to the police station for further investigation on suspicion of committing the offence of loitering.

During investigation, the police discovered that the mobile phone installed an instant messaging application. The application showed that the Defendant sent a message on 9 September 2019 in a chat room for doxxing (the practice of researching and publicly broadcasting private or identifying information often with a malicious intent) of police officers and their family members. The message contained personal information of a family member of a police officer (the “Victim”), including the Victim’s Hong Kong identity card number, English and Chinese full names, and telephone number.

At the material time, the Defendant was employed by a telecommunications company (“HKT”) as Network Service Officer. The police discovered that the Defendant had electronically stored some personal information of police officers and their family members in the computer he used in his employment by HKT. The information was downloaded from HKT’s database.

Charges

The Defendant was charged, among others, with the following offences:

1.        obtaining access to a computer with a view to dishonest gain for himself or another under section 161 of the Crimes Ordinance; and

2.        disclosing personal data obtained without consent from data users and causing harm (including psychological harm) to the Victim under section 64 of the PDPO.

Obtaining access to a computer with a view to
dishonest gain for himself or another

The Defendant argued that he must have known that HKT’s records would show that he had searched for customer information by using his password to log in his work computer. The Defendant had electronically stored part of the information he downloaded from HKT’s database in his work and personal computers but he had never disclosed the information. Therefore, the Defendant argued that even if he had obtained access to information in a computer, he had no dishonest intention and gain.

However, this was not accepted by the Court. According to the case of HKSAR v Au Yeung Ka Man [2018] HKCFA 23, the intended gain by accessing a computer does not have to involve “a gain or loss in money or other property”, but extends “to any such gain or loss”. Such gain includes “information which the person obtaining access to the computer did not have before the access”. As for dishonest intent, it was held that a person would be dishonest if he knew that he was not authorised to access the database to acquire private personal data of third parties for his own purposes and without their consent.

The Court also relied on the case of 香港特別行政區 訴 庾美瓊 HCMA 898/2002 to reject the Defendant’s argument. In that case, the Court held that it was sufficient for the prosecution to prove that the appellant intended to dishonestly gain something when accessing a computer. The appellant was a clerical assistant at the Inland Revenue Department and she admitted that she searched for personal information in the Inland Revenue Department’s database not for work-related needs but out of boredom, fun or curiosity.

During trial, an Engineering Manager of HKT gave evidence that the Defendant did not need to access the information obtained to carry out his duties and the Defendant was not authorised to search for such information. He also gave evidence that HKT did not allow employees to search, store and disclose customer information without authorisation. He confirmed that the Defendant understood HKT’s customer information policy and had participated in customer information training provided by HKT.

Further, the Defendant signed a Confidentiality / Intellectual Property Undertaking with HKT before he entered into employment with HKT (the “Confidentiality Agreement”). Paragraph 3 of the Confidentiality Agreement stipulated that the Defendant would “not disclose, make use of, divulge or communicate to any person (save in the proper performance of [his] duties under the contract of employment)…other confidential or privileged information of or relating to [HKT]…which [the Defendant] receive[d] or obtain[ed] while in the employment of [HKT]”. Since the Defendant was not authorised and did not need to access such customer information to carry out his duties, it was apparent that he was not accessing such information for work. Therefore, he should not search, access, store or disclose the information obtained from HKT’s database.

By searching and obtaining information from HKT’s database, the Defendant obtained information which he did not have before such access. It was therefore irrelevant what his intentions were when accessing the information, be it for fun, verification, or deterrence against others from dealing with people whom he believed to have acted wrongly. Viewed both objectively and subjectively, the Defendant was not performing his duties and carried out unauthorizsd actions. He had also breached the trust HKT placed in him. As such, the Court found that a reasonable and honest person would find the Defendant dishonest, and that he apparently knew that this was a dishonest act.

As a result, the Defendant was found guilty of obtaining access to a computer with a view to dishonest gain for himself or another under section 161 of the Crimes Ordinance.

Disclosing personal data obtained without consent from data users

There was no dispute that the Defendant disclosed information obtained from HKT’s database without the Victim’s consent. However, the Defendant argued that it was uncertain whether the disclosure made by the Defendant caused psychological harm to the Victim. The Victim’s personal information was disclosed on 9 September 2019 but the Victim knew that his personal information was disclosed on 7 September 2019 and 8 September 2019. The Victim did not start to worry until the end of September 2019 when he received propaganda emails.

However, this argument was rejected by the Court. On 9 September 2019, the Victim’s personal information was clearly disclosed. The Victim became worried about his personal safety after he knew that his personal information was disclosed. The psychological report of the Victim indicated that he suffered from psychological harm and showed significant emotional and action changes several months after the disclosure of his personal information. Therefore, the Defendant was also found guilty for disclosing personal data obtained without consent from data users under section 64 of the PDPO.

Implications

This case serves as a reminder to employees that information accessible by reason of employment should only be used for work, and any such access should be authorised. Employees should not access, search, store or disclose such information for any other purposes. Moreover, employees should pay attention to the confidentiality clause(s) in employment contracts as confidentiality obligations generally survives termination. Employees should be mindful not to take away or store in any form any confidential information obtained during his previous employment. Any unauthorised use or disclosure of confidential information may incur potential civil as well as criminal liabilities.

On the other hand, employers should look into the confidentiality clause(s) in their employment contract templates to ensure that confidential information obtained from their ordinary courses of business are sufficiently protected. Staff training should also be provided to the staff to ensure that the staff are aware of and understand their confidentiality obligations.