2

Exercising Your Data Access Rights under the Personal Data (Privacy) Ordinance (Frequently Asked Questions and Answers) / June 2016

Q1 How should I make a data access request?

To assist individuals to make data access requests, the Privacy Commissioner for Personal Data, Hong Kong

(the “

Commissioner

”) has issued a Data Access Request Form (Form OPS003) (the

“

DAR Form

”). The last part of

this leaflet contains the current version of the DAR Form for reference.

You should make the data access request on the current version of the DAR Form. By providing the information

required in the DAR Form, you will assist the data user to process your request promptly. If you do not use the

DAR Form, the data user may refuse to comply with your data access request. The completed DAR Form should

be sent directly to the data user to whom the data access request is made, not to the Commissioner.

Q2 Apart from completing the DAR Form, what other information or documents should I

provide?

The data user may ask you to provide your identity proof, such as your identity card or other identification

documents, e.g. a staff card, medical card or student card previously issued to you by the data user. The data user

may require you to provide further information to enable it to locate the data you requested. In some cases, you

may be required

to fill out a form specified by the data user (though this is not a mandatory requirement). If you

wish to make a data access request on behalf of another individual, please see Q10 below.

Q3 When completing the DAR Form, what should I pay attention to?

You should complete all parts of the DAR Form and, as far as possible, state specifically and clearly the personal

data requested. This will assist the data user in complying with your data access request promptly, and will

help avoid any misunderstanding and dispute. If the data user is not supplied with the information reasonably

required to locate the data requested, it may refuse to comply with your data access request pursuant to section

20(3)(b) of the Ordinance.

Q4 Can I make a request for “all personal data”?

Such description of the data requested may be too general. You should clearly specify the data requested,

e.g. medical reports, appraisal reports, job application forms, etc. and the date of data collection. You should

also include relevant information (if any) about the particular incident or transaction associated with the data

requested and the circumstances under which the data requested was collected. If the data user is not supplied

with the information reasonably required to locate the data requested, it may refuse to comply with your data

access request pursuant to section 20(3)(b) of the Ordinance.

Q5 Can I make a request for a copy of a specified document which contains my personal data?

Under section 19 of the Ordinance, the data user is obligated only to supply you with a copy of your personal

data, not a copy of the document in which the data is contained. The data user may edit out from the document

information which is not your personal data. Further, if the data requested is recorded in an audio form, the data

user may provide you with a transcript of that part of the audio record which contains the data requested.

Q6 Can the data user charge me a fee for complying with my data access request?

Yes. The Ordinance allows the imposition of a fee for complying with a data access request but the fee charged

shall not be “excessive”. In general, the data user may charge for costs “directly related to and necessary for” the

compliance with a data access request. The cost of compliance varies with the scope and complexity of the data

access request concerned, and with different data users. A data user may, for administrative convenience, impose

a flat fee that is less than the “direct and necessary costs”. Where additional copies of the personal data requested

are required, a data user is entitled to recover the actual cost which is not more than the administrative and other

costs incurred in supplying the additional copies. If you consider that the fee charged for compliance with your

data access request is excessive, you may first raise the matter with the data user. If you are not satisfied with the

explanation given by the data user, you may lodge a complaint with the Commissioner.