Data access request - Collection of personal data - A person holding data which are not "personal data" within the meaning under section 2 of the Ordinance is not obliged to comply with a data access request - A person who does not collect, hold, process or use the personal data is not a data user in relation to that data and is not obliged to comply with a data access request in relation to that data - A person who holds personal data of which the individual making a data access request is not the data subject is not obliged to comply with that request - unnecessary to investigate - DPP 6, sections 19 and 39(2)(d)
The complaint
The complainant wrote on behalf of a Foundation to a regulatory body regarding a complaint the Foundation had against a company ("the Company"). The Company wrote to the complainant informing him that the regulatory body had forwarded to them the two letters from the complainant requesting the Company to reply directly to him. The complainant asked the Company to let him have copies of those two letters together with the covering letter from the regulatory body. The Company replied that they were unable to provide the complainant with copies of the requested letters. The complainant complained to the Privacy Commissioner that, in contravention of section 19 of the Ordinance, the Company had not provided him with copies of the requested letters within 40 days of his request.
Findings by the Privacy Commissioner
The Privacy Commissioner found that (1) the Company had received those two letters for the purpose of dealing with the complaint; (2) the correspondence between the Company and the regulatory body was about the complaint and did not concern the complainant personally; (3) there was no collection of personal data about the complainant by the Company and therefore the Ordinance did not apply; and (4) no investigation or further investigation was necessary.
The appeal
Dissatisfied with the decision of the Privacy Commissioner, the complainant lodged an appeal to the Administrative Appeals Board ("AAB"). The question to be asked is whether the Company is required under the Ordinance to provide those two letters to the complainant. This depends on (1) whether those two letters received by the Company from the regulatory body are personal data or contain personal data; (2) even if they could be regarded as personal data, whether they are personal data of which the complainant was the data subject; (3) whether the Company was a data user in relation to those two letters or the data contained therein in the sense that the Company had control on the collection, holding, processing or use of the data.
In relation to (1), the AAB found that although those two letters were signed by the complainant they were not his personal letters but the Foundation's. The contents of those letters relate to the Foundation's complaint against the Company to the regulatory body. The fact that the care of address, phone and fax numbers on the letterhead of those two letters may be those of the complainant does not make them the personal data of the complainant insofar as those two letters are concerned. They relate to the Foundation for the purpose of the complaints made to the regulatory body. As the Foundation is not a living individual, those two letters or their contents do not relate to a living individual, and are not personal data of the complainant within the meaning of the Ordinance.
In relation to (2), the AAB found that for the same reason those two letters and their contents are not personal data of which the complainant was the data subject.
In relation to (3), AAB found that those two letters were received by the Company for no other purpose other than to answer to the complaint made by the complainant on behalf of the Foundation. Receiving and answering complaint letters is a far cry from the collecting, holding, processing or using personal data. In receiving those two letters from the regulatory body, the Company was not "collecting" personal data in the sense of compiling information about an identified person or about a person whom the data user intends or seeks to identify. The Company was not obliged to comply with the complainant's data access request in relation to those two letters.
The AAB also found that the complainant's complaint is simply not a matter within the Ordinance and the Privacy Commissioner was right in not investigating the complaint pursuant to section 39(2)(d).
AAB's decision
The appeal was dismissed.