
19(3)(a) provides as follows:

(3) A copy of the personal data to be supplied by a data user in compliance with a data access request shall –

(a) be supplied by reference to the data at the time when the request is received except that the copy may take account of –

(i) any processing of the data –

(A) made between that time and the time when the copy is supplied; and

(B) that would have been made irrespective of the receipt of the request; . . .

10.33

It can be seen that the relevant point in time by reference to which personal data is said to be held by the data user is the time when the request is received by the data user and not any subsequent time when further personal data may be collected. That said, the data user may, but is not obliged to, take into account any processing of the data that would in any event take place prior to compliance with the data access request.

10.34

The operation of section 19(3)(a) may pose questions as to the application of the other provisions relating to compliance or non-compliance with the data access request. For instance, if a data user invokes the application of any of the Part 8 exemptions in refusing to comply with the data access request, does it also mean that the exempting circumstances can only be ascertained at the time when the request was received and no account shall be taken of any exempting circumstances that existed after receipt but before compliance with the data access request? The view adopted by the Commissioner is that section 19(3)(a) concerns only the technical aspect of drawing the time line for the obligation of the data user to supply copies of the personal data. The right to refuse compliance, as provided under section 20 of the Ordinance, is not restricted insofar as it is properly invoked with reasons stated and the requestor is notified in accordance with section 21.

10.35

Sometimes, a data access request may be framed in such a way that it contains a subjective element (e.g. “all data that affects my reputation”). In complaints arising from this type of request, the Commissioner has generally taken the view that a data subject who chooses to make his request in an unspecific manner will have to rely on the judgement of the data user in selecting the relevant data that needs to be provided.

Broad and Generic Requests for Personal Data

10.36

Often, a data subject may, in the data access request, ask for copies of “all personal data” relating to him held by the data user. This may, however, create serious practical difficulty for the data user, especially where there have been extensive dealings between the parties, during which a large amount of personal data may have been collected and/or created, e.g. where the data subject is or used to be employed by the data user for many years. In these circumstances, the data user may reasonably ask the requestor to provide further information in order to assist the data user to locate the requested personal data. Failure to provide such information may entitle the data user to refuse to comply with the data access request.

7 Section 20(3)(b) of the Ordinance.