Furthermore, the AAB has also decided in AAB No. 16/2008 that where the data user

reasonably requires the data requestor to supply information to enable him to locate the

relevant personal data, unless and until such information has been supplied, there is no

valid data access request for the data user to comply with. Whether the request for

information by the data user is reasonably made depends upon the circumstances and

the facts of each case.

10.41

It is also important to note that the data requester is entitled to a copy of his personal

data only, not every document which refers to him. This view is confirmed by the AAB in

AAB No. 27/2006 and the Court of First Instance in Wu Kit Ping v Administrative Appeals

Board [2007] HKLRD 849. The Court considered that

If in a document, the maker of the document expresses an opinion about a data subject, that

opinion will constitute personal data to which the data subject will be entitled to access.

However, an opinion expressed in the same document, by the maker of the document, about

the maker of the document himself, unless relating indirectly to the data subject, will not

constitute the personal data of the data subject.

10.42

The judgment given in Wu Kit Ping’s case was considered by the AAB in AAB No. 20/2013.

This case concerns a data access request made by an applicant for, inter alia, the full

underwriting report held by an insurance company who turned down his insurance

application. By following the reasoning of Wu Kit Ping’s case, the AAB took the view that

while the data subject has a right to know what personal data the data user possesses,

he is not entitled to access every document simply because there may be a reference

to him. Having reviewed the full underwriting report, the AAB was satisfied that certain

references to the applicant in the underwriting report were only made as part of the

internal workflow within the insurance company and the handling of the applicant’s

complaint by different personnel. The AAB found that the insurance company did not

have to provide the applicant with those pages of the underwriting report containing

the references.

Steps to Be Taken for Failure to Comply with a Data Access Request within the Statutory

Period

10.43

As mentioned above, the time for compliance with a data access request is forty days

after the data user’s receipt of the data access request. If the data user is “unable to

comply” with a data access request within such forty-day period, the data user must act

in accordance with section 19(2) of the Ordinance, which provides as follows:

(2) A data user who is unable to comply with a data access request within the period

specified in subsection (1) or (1A) shall-

(a) before the expiration of that period-

(i) by notice in writing inform the requestor that the data user is so unable and of

the reasons why the data user is so unable; and

(ii) comply with the request to the extent, if any, that the data user is able to

comply with the request; and

(b) as soon as practicable after the expiration of that period, comply or fully comply,

as the case may be, with the request.