Whether a data user would contravene the requirements of the Personal Data (Privacy) Ordinance (the "Ordinance") by simply notifying the data subject within 40 days upon receipt of a data access request (the "40-day period") that it is in the progress of seeking legal advice?
Q: A government department received a data access request ("DAR") from an ex-employee, requesting for a copy of his personal data held by the department. The department sought legal advice on whether the DAR should be acceded to. Shortly before the expiration of the 40-day period, the department notified the data subject that the DAR could not be complied with because it was in the progress of seeking legal advice. Did the department contravene section 19 of the Ordinance under the circumstances?
A: It has been our established view that seeking legal advice is a valid ground on which a data user may rely to hold the compliance in abeyance under section 19(2) of the Ordinance. Where a notification under section 19(2)(a)(i) has been issued by a data user, we shall look into whether the reason given is a valid reason and whether the data user has subsequently complied with section 19(2)(b) by supplying the requested data to the data subject as soon as practicable.
On the other hand, if a data user decides to refuse to comply with the DAR in reliance of any of the statutory grounds laid down in section 20, it should give written notice of refusal and reasons for refusal within the 40-day period pursuant to section 21(1).
Therefore, the government department is expected to decide within the 40-day period whether to comply or refuse to comply with the DAR in accordance with sections 19(1) and 21(1) before the expiration of the 40-day period, regardless of whether the legal advice has been received. Hence, a data user wishing to seek legal advice concerning a DAR needs to ensure that this should be done as soon as practicable.