Chapter 10

Data Protection Principle 6(a) to (d) and the

Data Access Provisions in Part 5

The main questions:

• What constitutes a data access request?

• Who may make a data access request?

• How can a data access request be made?

• How can a data user comply with a data access request? What should a data user

do if it does not hold the personal data requested?

• What should a data user do if the requested data comprises personal data of other

individual(s)?

• What charge may a data user levy for complying with a data access request?

• When may a data user refuse to comply with a data access request?

• What steps must a data user take in refusing to comply with a data access request?

The questions discussed in this Chapter concerning data access requests and DPP6 and Part 5

of the Ordinance have been selected on the basis of their practical importance in light of the

Commissioner’s own experience. Before reading this Chapter, readers should read paragraphs

1.7 to 1.11 in Chapter 1 —

Introduction, which contain important general information on using

this Book.

The Basis of a Data Access Request

10.1

The right to make a data access request is an important right vested in the data subjects

under paragraphs (a) to (d) of Data Protection Principle 6 to ascertain whether a data

user holds his personal data and, to obtain a copy of the data so held by the data user:

Principle 6 – access to personal data

A data subject shall be entitled to –

(a) ascertain whether a data user holds personal data of which he is the data subject;

(b) request access to personal data –

(i) within a reasonable time;

(ii) at a fee, if any, that is not excessive;