What is a Data Access Request (“DAR”)
Employers, as data users, collect, hold and process the personal data of their employees and other individuals (“data subjects”). A data subject is entitled to request a copy of the personal data held about him, and a data subject who does so is referred to as the “requestor”. This is called a data access request (“DAR”) and is a core right contained in the Personal Data (Privacy) Ordinance (“Ordinance”).
Complying with a DAR
When an employer receives a DAR, it should:
(i) ascertain the identity of the requestor;
(ii) assess whether it holds the relevant personal data; and
(iii) respond within the statutory time limit.
A requestor is not entitled to access data which is not personal data or personal data not belonging to him. To constitute personal data of an individual, the data must firstly relate directly or indirectly to the individual. Secondly, it must be possible from such data to directly or indirectly determine the identity of the individual.
For example, in a performance appraisal report where the appraising officer states his opinion about the aptitude and performance of the appraisee, such opinion will constitute the personal data of the appraisee. On the contrary, recorded opinion about the performance of a property management company expressed by an owner during an owners’ meeting will generally not constitute the personal data of that owner.
Holding relevant Personal Data
If an employer holds relevant personal data, it should supply a copy of the requested data in an intelligible form and within 40 calendar days after receiving the DAR, unless specific exemptions apply. If the Privacy Commissioner concludes after investigation that there is a breach of the Ordinance, he may serve an enforcement notice on the data user concerned directing it to take steps to remedy the situation and, where appropriate, to prevent any recurrence. Non-compliance with an enforcement notice is an offence which may result in a fine and imprisonment.
If an employer does not hold the requested data, it is still required to inform the requestor in writing within the 40-day time limit that it does not hold the data.
If an employer has already destroyed the requested data it is required to inform the requestor that it no longer holds the data. To avoid any suspicion of bad faith, your company may explain the reason for destroying the data to the requestor.
Should you provide “all personal data”?
Where the description of the requested data is too generic, especially where there have been extensive dealings between the employer and the requestor during which a large amount of personal data has been generated, the employer should seek clarification from the requestor. If the requestor fails to supply the information reasonably requested for locating the requested data, your company is entitled to refuse to comply with the DAR.
Employers cannot simply rely on the fact that the request is made in too broad or generic terms to refuse to comply with a DAR. If an employer can reasonably locate the requested data without any further specification from the requestor, it should comply with the DAR.
Charge for Complying with a DAR
Data users may impose a fee for complying with a DAR, but the fee must not be excessive and must not be charged on a commercial basis. The data user should clearly inform the requestor what fee, if any, will be charged as soon as possible and in any event not later than 40 days after receiving the DAR.
Fees that will be considered excessive, or not directly related to and necessary for compliance with a DAR, include fees that exceed the cost of compliance, e.g. the costs of seeking legal advice in relation to the Ordinance or the inclusion of your company’s administrative or office overheads.
The Commissioner’s office has provided examples on fees that may be charged for complying with a DAR in its Guidance Note. Employers may charge the direct costs attributable to the time spent by their staff and the actual out-of-pocket expenses for locating, retrieving and reproducing the requested data for complying with a DAR. For example, if a clerical assistant has spent five hours on retrieving and photocopying the requested data in the course of handling a DAR, the calculation of the labour costs incurred is the hourly rate of his remuneration (including salary and fringe benefits) multiplied by five. Your company may charge for the labour cost attributable to the time spent on extracting or editing the requested data, provided that such tasks are directly related to and necessary for compliance with the DAR.
Refusing to Comply with a DAR
Employers can refuse to comply with a DAR if:
i. it is not supplied with sufficient information to identify the requestor;
ii. it cannot comply with the request without disclosing the personal data of a third party; or
iii. where compliance with the request is prohibited under the Ordinance or any other regulation.
Employers can also refuse to comply with a DAR if the request is not made in writing using either the Chinese or English language.
Written notice with reasons must be given for any refusal to provide requested personal data within 40 days from receiving the DAR, and a log containing the particulars of the reasons for the refusal of the DAR must be maintained for four years.
This article is for information purposes only. Its contents do not constitute legal advice and readers should not regard this article as a substitute for detailed advice in individual instances.