
Important Notice to Data User

1. You are required by section 19(1) of the PDPO to comply with a data access request within 40 days after receiving the same. To comply with a data access request means: (a) if you hold the requested data, to inform the requestor in writing that you hold the data and supply a copy of the data; or (b) if you do not hold the requested data, to inform the requestor in writing that you do not hold the data (except that the Hong Kong Police may inform the requestor orally if the request is whether it holds any record of criminal conviction of an individual). A mere notification given to the requestor to collect the requested data or a note sent to the requestor for payment of a fee is insufficient. In complying with the request, you should omit or otherwise not disclose the names or other identifying particulars of individuals other than the data subject.

2. If you are unable to comply with the data access request within the 40-day period, you must inform the requestor by notice in writing that you are so unable and the reasons, and comply with the request to the extent, if any, that you are able to within the same 40-day period, and thereafter comply or fully comply, as the case may be, with the request as soon as practicable (see section 19(2) of the PDPO).

3. If you have a lawful reason for refusing to comply with the request pursuant to section 20 of the PDPO, you must give the requestor written notification of your refusal and your supporting reasons within the same 40-day period (see section 21(1) of the PDPO).

4. It is an offence not to comply with a data access request in accordance with the requirements under the PDPO. Any data user convicted of such an offence is liable to a fine at level 3 (currently set at HK$10,000) (see section 64A(1) of the PDPO).

5. You may charge a fee for complying with a data access request, but section 28(3) of the PDPO provides that “no fee imposed for complying with a data access request shall be excessive”. The PDPO does not define the meaning of “excessive” with regard to imposing a data access request fee. According to the principle laid down in the decision of Administrative Appeal No. 37/2009, a data user is only allowed to charge the requestor for the costs which are “directly related to and necessary for” complying with a data access request.

6. You shall refuse to comply with a data access request –

(a) if you are not supplied with such information as you may reasonably require –

(i) in order to satisfy you as to the identity of the requestor;

(ii) where the requestor purports to be a relevant person, in order to satisfy you –

(A) as to the identity of the individual in relation to whom the requestor purports to be such a person; and

(B) that the requestor is such a person in relation to that individual;

(b) subject to section 20(2) of the PDPO, if you cannot comply with the request without disclosing personal data of which any other individual is the data subject unless you are satisfied that the other individual has consented to the disclosure of the data to the requestor; or


Part VIII: Further Information and Payment

I understand that before complying with this request, you may require me to provide [12]:

(a) proof of my identity;

(b) proof of the Data Subject’s identity if I am making this request as a relevant person and further proof of my status as a relevant person;

(c) such further information as may be reasonably required for you to locate the Requested Data;

(d) payment of a fee charged under section 28 of the PDPO [13].

Part IX: Use of Personal Data

Except with the prescribed consent of the individual concerned, the personal data provided in this Form will be used for the purpose of processing this data access request and other directly related purposes only.

___________________________
Date

___________________________________________
Signature of the Requestor

[12] Failure to provide the information as required by the Data User under this Part may result in the data access request being refused, or not being complied with to the desired extent.

[13] Sections 28(2) and (3) of the PDPO provide that a fee may be charged for complying with a data access request made under section 18(1)(a) or (b), which fee shall not be excessive. According to section 28(5) of the PDPO, compliance with a data access request may be refused unless and until any such fee has been paid.

Form OPS003 (revised 09/2012)