130 / 192
(iii) in a reasonable manner; and
(iv) in a form that is intelligible;
(c) be given reasons if a request referred to in paragraph (b) is refused;
(d) object to a refusal referred to in paragraph (c); . . .
10.2
In addition, Part 5 of the Ordinance contains detailed provisions and procedural
requirements regarding how a data subject may make, and how a data user complies
with, a data access request. Failure to comply with a data access request in
accordance with the requirements under the Ordinance without reasonable excuse
may constitute an offence and render the offender liable on conviction to a fine.
1
In
addition to the grounds provided under Part 5 which prescribe when a data user shall or
may refuse to comply with a data access request, there are exemption provisions in Part
8 of the Ordinance which, when properly invoked, may exempt the data user from
complying with a data access request.
10.3
There are stringent provisions under Part 5 of the Ordinance on the manner and the
procedure of complying with a data access request that a data user has to observe.
Thus, when a data access request is received, the data user shall handle it according to
the relevant provisions in complying with or refusing to comply with, the data access
request.
10.4
Salient points on the making of a data access request by a data subject or his relevant
person,
2
and on the handling and responding to such a request by the data user are set
out below. The Guidance Note on Proper Handling of Data Access Request and
Charging of Data Access Request Fee by Data Users issued by the Commissioner
provides general guidance on compliance with a data access request.
3
What Constitutes a Data Access Request?
10.5
The first question to consider is what constitutes a data access request under the
Ordinance. In this connection, “data access request” is defined in section 2(1) as “a
request under section 18”.
10.6
Section 18(1)
provides as follows:
(1) An individual, or a relevant person on behalf of an individual, may make a request –
(a) to be informed by a data user whether the data user holds personal data of which
the individual is the data subject;
(b) if the data user holds such data, to be supplied by the data user with a copy of
such data.
1
A level three fine, see section 64A(1).
2
As defined under sections 2(1) and 17A of the Ordinance.
3
Available on the Website:
https://www.pcpd.org.hk//english/resources_centre/publications/files/DAR_e.pdf