Aside from the rights to transparent information under DPP1(3) and DPP5, which were discussed in our previous articles, it is important to bear in mind some of the other rights of data subjects, in particular the right of access. Under Data Protection Principle 6 (“DPP6”), data subjects are entitled to access the data held by data users and are allowed to make corrections if the data is discovered to be inaccurate.
The data subject’s rights in respect of access to his/her personal data are as follows:-
- Ascertain whether a data user holds his/her personal data; and
- Obtain a copy of the relevant data (i) within a reasonable time; (ii) at a fee that is not excessive; (iii) in a reasonable manner; and (iv) in an intelligible form.
If a data user refuses to provide the data as requested by the requestor, reasons should be given. This also applies to a request served by a data subject on a data user for correcting inaccurate personal data. Failure to handle a data access request in accordance with the requirements of the Ordinance without reasonable excuse may constitute an offence and render the offender liable on conviction to a fine of HK$10,000.
Complying with a Data Access Request:
To exercise his/her right of access, data subjects are encouraged to use the Data Access Request Form (Form OPS003) specified by the Commissioner (“DAR Form”). Although a request not made in the DAR Form is one of the grounds on which a data user is allowed to rely for non-compliance, the Commissioner strongly advises data users to respond to the request if the requestor is able to set out the scope and details of the requested personal data, and reminds data users that the requestor may simply lodge another data access request using the DAR Form.
Upon receipt of a data access request, the data user should verify the identity of the requestor. If there is insufficient proof of identity, the data user should not proceed with the request and should inform the requestor of the reason for refusal. Data users can also refuse to entertain a request if it is not in writing in the Chinese or English language.
If, having examined the data access request, the data user confirms that no statutory ground for refusal is applicable, it is required to supply a copy of the requested data to the requestor within 40 calendar (not working) days after receiving the request.
Upon receipt of a data access request, data users should pay attention to the following aspects in relation to the scope of the requested data:
- Personal data belonging to the requestor
If the requested data comprises personal data of another individual(s), either the consent of the other data subject has to be obtained before use, or the data user must delete/redact the personal data of the other individual from the copy of the requested data to be sent to the requestor.
- Personal data that originates from another data user
As long as no restriction on disclosure is imposed by the originating data user and there is no reason to refuse to comply with the request under the Ordinance, the data user who has received the request is under a duty to provide the requestor with a copy of his personal data (Case No. 2018C01).
- The data must be in a form in which access to or processing of the data is reasonably practicable.
In a recent complaint case (Case No. 2018C02), a complainant lodged a data access request with an institution for personal data contained in the handling of records of his application for an assistance scheme. During the inspection of the institution’s records, the Commissioner discovered that, save and except the application form together with supporting documents, which were kept in a paper file, all processing records were stored in the institution’s computer system, and copies of such data were not provided to the complainant. The Commissioner reminds data users that the “practicable form” as laid down in the Ordinance covers data stored by both physical and electronic means.
- A copy of the specified personal data vs. a copy of “the document containing the personal data”
Organizational data users should be aware of the difference between “specified personal data” and “document containing the personal data concerned”.
In Judicial Review Wu Kit Ping v. Administrative Appeals Board HKLRD 849, if a maker of a document expresses an opinion about a data subject in the said document, that opinion will constitute the personal data of that particular data subject. However, an opinion expressed by the maker in the same document about the maker himself will not constitute the personal data of the data subject unless the opinion indirectly relates to the data subject.
In a complaint lodged by a member of the teaching staff of a university, he alleged that the university had failed to provide him with a copy of the minutes of a meeting in response to his data access request for a copy of the document in relation to the assessment of his application. Upon investigation, the Commissioner’s office found that the requested data was already contained in an integrated report which had been provided to the complainant earlier. Thus, the university would not contravene the requirement of the Ordinance for not having provided the complainant with a copy of the said minutes.
A data user may impose a fee which is not excessive on the requestor for complying with the data access request. No later than 40 days after receiving the data access request, the data user should inform the requestor of the fee to be charged. A fee may be considered ‘excessive’ under the following circumstances:-
- Fees that exceed the costs of compliance;
- Costs that amount to more than would have been incurred under normal circumstances;
- Costs of data user in seeking legal advice or costs for consultants or staff to study the requirements under the Ordinance;
- Data user’s administrative or office overheads;
- Redaction cost of personal data exempted from disclosure under any relevant exemption.
For details, you may refer to the Guidance Notice – Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users issued by the Commissioner in June 2016.
Refusing to comply with a Data Access Request: steps to be taken
A data user still has to deal with a request received even if there are valid grounds for refusal to comply, by:-
- Putting the relevant entry in data user’s log book (section 27 of the Ordinance); and
- Giving a written notification to the requestor of: (i) the refusal; and (ii) the reason for such refusal pursuant to section 20(1) and (3) of the Ordinance.
Upon receipt of a copy of the requested data provided by a data user in response to a valid data access request, the data subject concerned may request the data user to make the necessary correction to the data if the data subject considers it inaccurate. The Proper Handling of Data Correction Request by Data Users issued in May 2017 offers a pragmatic approach for data users and data subjects in dealing with data correction requests in daily life.
Hugill & Ip’s Privacy Team provides hands-on advice in handling data access and correction requests and supports your compliance process. For more information on data privacy, please contact us.
This article is for information purposes only. Its contents do not constitute legal advice and readers should not regard this article as a substitute for detailed advice in individual instances.