Exercising Your Data Access Rights under the Personal Data (Privacy) Ordinance (Frequently Asked Questions and Answers) / June 2016
Q1 How should I make a data access request?
To assist individuals to make data access requests, the Privacy Commissioner for Personal Data, Hong Kong
(the “Commissioner”) has issued a Data Access Request Form (Form OPS003) (the “DAR Form”). The last part of
this leaflet contains the current version of the DAR Form for reference.
You should make the data access request on the current version of the DAR Form. By providing the information
required in the DAR Form, you will assist the data user to process your request promptly. If you do not use the
DAR Form, the data user may refuse to comply with your data access request. The completed DAR Form should
be sent directly to the data user to whom the data access request is made, not to the Commissioner.
Q2 Apart from completing the DAR Form, what other information or documents should I provide?
The data user may ask you to provide your identity proof, such as your identity card or other identification
documents, e.g. a staff card, medical card or student card previously issued to you by the data user. The data user
may require you to provide further information to enable it to locate the data you requested. In some cases, you
may be required to fill out a form specified by the data user (though this is not a mandatory requirement). If you
wish to make a data access request on behalf of another individual, please see Q10 below.
Q3 When completing the DAR Form, what should I pay attention to?
You should complete all parts of the DAR Form and, as far as possible, state specifically and clearly the personal
data requested. This will assist the data user in complying with your data access request promptly, and will
help avoid any misunderstanding and dispute. If the data user is not supplied with the information reasonably
required to locate the data requested, it may refuse to comply with your data access request pursuant to section
20(3)(b) of the Ordinance.
Q4 Can I make a request for “all personal data”?
Such a description of the data requested may be too general. You should clearly specify the data requested,
e.g. medical reports, appraisal reports, job application forms, etc. and the date of data collection. You should
also include relevant information (if any) about the particular incident or transaction associated with the data
requested and the circumstances under which the data requested was collected. If the data user is not supplied
with the information reasonably required to locate the data requested, it may refuse to comply with your data
access request pursuant to section 20(3)(b) of the Ordinance.
Q5 Can I make a request for a copy of a specified document which contains my personal data?
Under section 19 of the Ordinance, the data user is obligated only to supply you with a copy of your personal
data, not a copy of the document in which the data is contained. The data user may edit out from the document
information which is not your personal data. Further, if the data requested is recorded in an audio form, the data
user may provide you with a transcript of that part of the audio record which contains the data requested.
Q6 Can the data user charge me a fee for complying with my data access request?
Yes. The Ordinance allows the imposition of a fee for complying with a data access request but the fee charged
shall not be “excessive”. In general, the data user may charge for costs “directly related to and necessary for” the
compliance with a data access request. The cost of compliance varies with the scope and complexity of the data
access request concerned, and with different data users. A data user may, for administrative convenience, impose
a flat fee that is less than the “direct and necessary costs”. Where additional copies of the personal data requested
are required, a data user is entitled to recover the actual cost which is not more than the administrative and other
costs incurred in supplying the additional copies. If you consider that the fee charged for compliance with your
data access request is excessive, you may first raise the matter with the data user. If you are not satisfied with the
explanation given by the data user, you may lodge a complaint with the Commissioner.