However, a data user cannot refuse to comply with a request simply by relying on the
excuse that the request is made in generic or broad terms. If it is still reasonably
practicable for the data user to extract “all personal data” requested without requiring
any further information from the requestor, the data user should comply with the data
access request.
10.37
In the case of AAB No. 24/2001, the complainant asked for “all of [her] personal data”
held by the appellant, including but not limited to certain named categories. Despite
repeated requests for clarification from the appellant, the complainant refused to
narrow the scope of her data access requests in any way. The appellant, having
omitted to provide the complainant with some of her personal data, was found by the
Commissioner to have failed to comply fully with the data access request.
10.38
Upon appeal by the appellant against the enforcement notice issued by the
Commissioner directing it to conduct a “thorough search” for the requested data, the
AAB found in favour of the appellant based on section 20(3)(b) of the Ordinance, which
provides that:
(3) A data user may refuse to comply with a data access request if –
. . .
(b) the data user is not supplied with such information as the data user may
reasonably require to locate the personal data to which the request relates; . . .
10.39
According to the AAB’s decision, it appears that section 20(3)(b), in addition to
constituting grounds of refusal to comply with a data access request, may also operate
to limit the scope of data which the data user is obliged to provide in compliance with
the request even where no such formal refusal is made pursuant to section 21. In
particular, where the data access request is of a general nature, and in the absence of
any information from the requestor to specify or to otherwise assist in the location of the
data requested, the data user’s duty of compliance may only extend to such data as it
may reasonably and practicably be expected to provide (even if this may not
necessarily be exhaustive of all data held by the data user that falls under the
description of the data requested). [8]
10.40
In the case of CACV351/2006 (in relation to AAB No. 61/2005), the Court of Appeal held
that a person making the data access request has a duty to:
• make clear what personal data is being requested under the data access request; and
• supply any further information reasonably required by the data user to clarify what
data is being requested.
[8] Indeed, in a situation where the data access request is framed so widely that the type and scope of the data requested
is obviously unclear so that further clarification is required before it can be complied with, the AAB in AAB No. 17/2004
took the view that the data access request may be regarded as unclear and should not have been accepted for
processing and the time to comply with the data access request does not start to operate until a properly completed
data access request is received.