at level 3 and to imprisonment for six months.
10.26
Such an offence is intended to deter persons from conducting fishing expeditions for
personal data through providing false or misleading information to the data user when
making a data access request.
How and When to Comply with a Data Access Request?
10.27
A data user, upon receiving a data access request, must comply with such a request
(unless there are grounds which allow or require the data user to refuse to comply with it,
under section 20 or Part 8 of the Ordinance). The next question is how and when to
comply with such a request.
Statutory Period
10.28
First, it should be noted that a data user must respond within forty days after receiving
the request.
10.29
Section 19(1)(a) and (b) provides as follows:
(1) Subject to subsection (2) and sections 20 and 28(5), a data user must comply with a
data access request within 40 days after receiving the request by –
    (a) if the data user holds any personal data which is the subject of the request –
        (i) informing the requestor in writing that the data user holds the data; and
        (ii) supplying a copy of the data; or
    (b) if the data user does not hold any personal data which is the subject of the request,
    informing the requestor in writing that the data user does not hold the data.
10.30
What should a data user do if it does not hold the personal data requested? Pursuant to
section 19(1)(b) (as introduced by the Amendment Ordinance) a data user must inform
the data requestor in writing within the statutory period of forty days after receiving the
data access request that it does not hold the personal data.[6]
It is also advisable for the
data user to inform the data requestor of the reason why it does not hold the personal
data, for example, that the requested data has been destroyed after the purpose for
which the data was to be used has been served. This may ease the data requestor’s
suspicion that the erasure is made in bad faith. For instance, examination papers may
be destroyed by an education institution regularly in accordance with its data retention
policy and after publication of the examination results.
10.31
However, if evidence suggests that a data user has deliberately destroyed the
requested data after receiving the data access request with a view to avoiding its
statutory obligation to supply a copy of data to the requestor, this may amount to non-
compliance with the data access request.
10.32
Furthermore, it should be noted that a data access request under section 18(1)(b) is a
request to be supplied with a copy of the data held, if any. In this connection, section
[6] This obligation is made subject to section 19(1A). For detailed discussion, please refer to paragraphs 10.49 to 10.52.