A Complainant made 3 Data Access Requests on respective dates to a Government Department for his personal data pursuant to s.18(1) of the Ordinance. The Government Department charged the Complainant a total sum of $14,599.92. The Complainant complained to the Privacy Commissioner that the fees imposed were excessive.
Data Access Requests made for extensive personal data - s.28(3) of the Ordinance requires that no fee imposed for complying with a data access request shall be excessive - whether the Government Department was in breach of s.28(3) of the Ordinance - the proper interpretation of s.28 of the Ordinance - the test for calculation of fee imposed for complying with data access request - whether enforcement notice should be issued - Sections 18(1), 28(2), 28(3) and 50 of the Ordinance
The Complaint
The Complainant made 3 extensive Data Access Requests ("DAR") to a government department for his personal data covering over 10 years of time. Having noticed the Complainant's objection, the Government Department lowered the estimated fee to a total sum of HK$14,599.92 charged for complying with the 3 DARs by reducing the hourly rate of the staff to be deployed to handle the 3 DARs. The Complainant complained to the Privacy Commissioner that the fee imposed was excessive and thus in breach of section 28(3) of the Ordinance.
Findings by Privacy Commissioner
The Privacy Commissioner carried out an investigation against the Government Department. The Government Department explained to the Privacy Commissioner as to how it calculated the fees charged for compliance with the 3 DARs. The personal data requested by the Complainant were all in English and kept in files/records under different subjects. An assistant clerical officer being the lowest grade of clerical staff and competent in terms of English proficiency would have to be assigned to handle the 3 DARs. The Government Department estimated to charge 66 hours for the compliance with the 3 DARs and had provided a breakdown of the working hours required for retrieving the requested data of the 3 DARs in different locations. The Government Department also explained as to how it calculated the hourly rate of the staff.
Having considered the circumstances of the case, the Privacy Commissioner took the view that the Government Department might be allowed to recover the labour costs and actual out-of-pocket expenses involved in complying with the DARs insofar as they related to the location, retrieval and reproduction of the requested data ("the Tasks"). The amount of the labour costs should only reflect the necessary skills and labour for performing the Tasks. A clerical or administrative staff of the Government Department should be able to perform the Tasks and the labour costs should therefore only refer to the reasonable salary of the clerical or administrative staff in performing the Tasks.
The Privacy Commissioner did not find the photocopying charges (at HK$1 per page) for about 6000 pages and the registered postage imposed excessive. The Privacy Commissioner also accepted that the 66 man-hours estimated as the time required for retrieving the requested data was not extensive, given the considerable scope and extent of the data requested. It was also not unreasonable for a clerical or administrative staff of that rank to be assigned to perform the Tasks.
In calculating charging rate of the clerical/ administrative staff, it was noted that the Government Department has adopted the items used for staff costing in the Staff Cost Ready Reckoner No.2007/1 promulgated by the Government Treasury ("the Reckoner") and the Financial and Accounting Regulation 440 of the Government ("the Regulation").
The Reckoner provided both the monthly and annual average staff costs for 2007-08 in respect of all ranks of civil service and who were paid through the Treasury Payroll System. The following formula was relied on by the Government Department: -
[Annual Staff Cost of an Assistant Clerical Officer provided in the Cost Table of the Reckoner / Net Annual Working Hours provided in the Reckoner] + 20% Overhead Charge based on the principles in the Regulations.
The Privacy Commissioner did not accept to use the annual salary which would average out to give a monthly salary of HK$19,649 closest to a higher salary level point within the same rank of an assistant clerical officer in computing the labour costs. It was considered that the inclusion of the fringe benefits as part of the labour costs as being unjust for shifting the costs burden to the Complainant. The Privacy Commissioner also did not accept the inclusion of the annual and other leave entitlements reflecting the long-term costs considerations for hiring an officer in calculating the annual salary and hence the hourly rate of the clerical staff. The Privacy Commissioner further disagreed that the Government Department was entitled to include an overhead charge as the costs for reproducing the requested data because the obligation to comply with the 3 DARs was a statutory obligation.
On the basis of the aforesaid, the Privacy Commissioner found the Government Department acted in breach of section 28(3) of the Ordinance and issued an Enforcement Notice on the Government Department giving directions for a lower fee to be imposed. Being dissatisfied, the Government Department lodged an appeal to the Administrative Appeals Board ("AAB").
The Appeal
The AAB considered the relevant provisions under the Ordinance and the legislative history. Section 28(1) of the Ordinance prohibits a data user from imposing a fee for complying with data access request unless the imposition of the fee is expressly permitted by section 28. Section 28(2) expressly allows a data user to impose a fee for complying with a data access request subject to section 28(3) which specifically requires that no fee imposed for complying with a data access request shall be excessive. However, section 28 does not go further to define the fee that is permitted and there is also no definition of what is "excessive". The AAB rejected the Privacy Commissioner's argument to rely on the recommendations made in the Law Reform Commission's Report for "nominal and non-cost-related" data access fees. The AAB considered that the legislature had not adopted the Law Reform Commission's recommendation when enacting the Ordinance.
The AAB took a purposive approach in construing section 28 and came to the view that the word "excessive" in section 28(3) should be construed as confining "the fee only to recover those costs which are directly related to and necessary for complying with a DAR". A fee that exceeds such direct and necessary costs is, in the Board's view, excessive. This only applies to first-time DARs, and do not apply to situation specially provided for under section 28(6) (which requires the adoption of a different statutory formula).
The AAB further pointed out that the onus rests with the data user and he bears the evidential burden to show that the fee represents no more than the direct and necessary costs incurred in complying with the DAR. "Direct and necessary" is not the same as "reasonable". An item that a reasonable data user may see fit to incur may not be strictly necessary as it is still possible to comply with a DAR without incurring that item.
In addition, the AAB stated that section 28(3) does not prevent a data user from imposing a fee that is less, or to waive a fee that he may otherwise be entitled to charge. Data user may consider imposing flat-rate fees for complying with DARs due to administrative convenience so long as the fee imposed is lower than the direct and necessary costs for complying with a DAR in question.
Having considered the circumstances, the AAB found that it was artificial to reject the calculation of the hourly rate of the clerical staff with reference to the Reckoner, based on the reason that the annual salary level average out to a higher salary level within the same rank and to exclude clerical staff's fringe benefit, the annual and other leave entitlements from the calculation. However, the AAB accepted that the inclusion of overhead charge was inappropriate. For these reasons, the AAB knocked down part of the fee imposed and the Government Department was entitled to charge a sum of HK$12,161.55.
With regard to the Enforcement Notice, the AAB took the view that based on the facts of the case, there was no evidence to suggest that the Government Department would insist imposing a fee that the Privacy Commissioner has found to be excessive and there was also no evidence to suggest the Government Department is one which fragrantly disregards the law or has any bad faith. The AAB considered that the case was the first case that was brought for the proper construction of section 28 of the Ordinance. In the circumstances, the AAB allowed the appeal and set aside the Enforcement Notice. The Government Department was ordered to charge a fee not more than the sum as allowed by the AAB for compliance with the 3 DARs.
AAB's decision
The appeal was allowed.
uploaded on web in October 2011