A data subject submitted a request to Organisation B for accessing his personal data originated from Organisation A
The Complaint
With the consent of the complainant, Organisation A provided a copy of a report in relation to the complainant to Organisation B. The complainant later submitted a data access request to Organisation B for accessing the report. However, in the written reply of Organisation B they only stated that the report was not composed by them and suggested the complainant to request for the same from Organisation A. The complainant hence complained to this office against Organisation B for not complying with his data access request.
The Outcome
Section 19(1) of the Ordinance requires a data user to comply with a data access request within 40 days after receiving it, unless there is a ground of refusal permissible under section 20 of the Ordinance. Under section 2(1) of the Ordinance, “data user” means a person who controls the collection, holding, processing or use of the personal data.
According to section 20(3)(d) and 21(1)(c) of the Ordinance, if a data user has imposed restriction to another data user on further disclosure when personal data was transferred from the first-mentioned “data user” to the second-mentioned “data user” in the first place, the second-mentioned “data user” may use this as a reason to refuse compliance with a data subject’s data access request, as long as the second-mentioned “data user” has provided the name and address of the first-mentioned “data user” to the data subject.
In response to our inquiries, Organisation B confirmed that they were neither an agent nor a data processor appointed by Organisation A (i.e. Organisation B is an independent “data user”). Organisation B further confirmed that no restriction on further disclosure was imposed to them when they obtained the report from Organisation A.
Not being the composer of the report is not a reason permissible under the Ordinance to refuse compliance with a data access request. As long as no restriction of disclosure was imposed to Organisation B and there is no other reason of refusal permissible under the Ordinance, Organisation B as a “data user” of the report in question has a duty to provide the complainant with a copy of his personal data contained therein.
This office explained relevant provisions under the Ordinance to Organisation B, who had subsequently complied with the complainant’s data access request.
(Uploaded in March 2019)