✂
2
Important Notice to Data User
1.
You are required by section 19(1) of the PDPO to comply with a data access request
within 40
days
after receiving the same. To comply with a data access request means: (a) if you hold the
requested data, to inform the requestor
in writing
that you hold the data and supply a copy of the
data; or (b) if you do not hold the requested data, to inform the requestor
in writing
that you do
not hold the data (except that the Hong Kong Police may inform the requestor
orally
if the
request is whether it holds any record of criminal conviction of an individual). A mere
notification given to the requestor to collect the requested data or a note sent to the requestor for
payment of a fee is insufficient. In complying with the request, you should omit or otherwise
not disclose the names or other identifying particulars of individuals other than the data subject.
2.
If you are unable to comply with the data access request within the 40
-
day period, you must
inform the requestor by notice
in writing
that you are so unable and the reasons, and comply with
the request to the extent, if any, that you are able to
within the same 40-day period
, and
thereafter comply or fully comply, as the case may be, with the request as soon as practicable (see
section 19(2) of the PDPO).
3.
If you have a lawful reason for refusing to comply with the request pursuant to section 20 of the
PDPO, you must give the requestor
written notification
of your refusal and your supporting
reasons
within the same 40-day
period (see section 21(1) of the PDPO).
4.
It is an offence not to comply with a data access request in accordance with the requirements
under the PDPO. Any data user convicted of such an offence is liable to a fine at level 3
(currently set at HK$10,000) (see section 64A(1) of the PDPO).
5.
You may charge a fee for complying with a data access request, but section 28(3) of the PDPO
provides that “no fee imposed for complying with a data access request shall be excessive”. The
PDPO does not define the meaning of “excessive” with regard to imposing a data access request
fee. According to the principle laid down in the decision of Administrative Appeal No. 37/2009,
a data user is only allowed to charge the requestor for the costs which are “directly related to and
necessary for” complying with a data access request.
6.
You shall refuse to comply with a data access request –
(a)
if you are not supplied with such information as you may reasonably require –
(i)
in order to satisfy you as to the identity of the requestor;
(ii)
where the requestor purports to be a relevant person, in order to satisfy you –
(A) as to the identity of the individual in relation to whom the requestor
purports to be such a person; and
(B) that the requestor is such a person in relation to that individual;
(b) subject to section 20(2) of the PDPO, if you cannot comply with the request without
disclosing personal data of which any other individual is the data subject unless you are
satisfied that the other individual has consented to the disclosure of the data to the
requestor; or
7
Part VIII: Further Information and Payment
I understand that before complying with this request, you may require me to provide
12
:
(a) proof of my identity;
(b) proof of the Data Subject’s identity if I am making this request as a relevant person and further
proof of my status as a relevant person;
(c) such further information as may be reasonably required for you to locate the Requested Data;
(d) payment of a fee charged under section 28 of the PDPO
13
.
Part IX:
U e of Personal Data
Except with the prescribed consent of the individual concerned, the personal data provided in this Form
will be used for the purpose of processing this data access request and other directly related purposes
only.
___________________________
___________________________________________
Date
Signature of the Requestor
12
Failure to provide the information as required by the Data User under this Part may result in the data access request being refused,
or not being complied with to the desired extent.
13
Sections 28(2) and (3) of the PDPO provide that a fee may be charged for complying with a data access request made under section
18(1)(a) or (b), which fee shall not be excessive. According to section 28(5) of the PDPO, compliance with a data access request
may be refused unless and until any such fee has been paid.
Form OPS003 (revised 09/2012)