
10.56

In this situation, section 20(1)(b) requires that the data access request be refused, unless the other data subject has consented to the disclosure of the data to the requestor. However, section 20(1)(b) is expressly provided to be read subject to section 20(2), which provides as follows:

(2) Subsection (1)(b) shall not operate –

(a) so that the reference in that subsection to personal data of which any other individual is the data subject includes a reference to information identifying that individual as the source of the personal data to which the data access request concerned relates unless that information names or otherwise explicitly identifies that individual;

(b) so as to excuse a data user from complying with the data access request concerned to the extent that the request may be complied with without disclosing the identity of the other individual, whether by the omission of names, or other identifying particulars, or otherwise.

10.57

In summary, the overall effect of section 20(1)(b) and section 20(2) of the Ordinance has been interpreted by the Commissioner as follows:

(a) Where the information requested under a data access request contains the personal data of any other individual, then either:

• the consent for the release of such data to the requestor must be obtained from such individual; or

• the data user must erase/redact from the copy of the data provided to the requestor, the personal data of the other individual.

(b) It is not the data user’s obligation to ensure that the requestor cannot deduce or infer the identity of the other individual(s), so long as the name or other explicit identification particulars have been redacted. To require otherwise would impose an additional duty on the data user to ascertain the subjective knowledge of the requestor in relation to the identity of such third party, notwithstanding the erasure of the name or other explicit identification information from the copy provided to the requestor, and would be too onerous a burden to discharge and not in accordance with the letter and spirit of section 20(2). Against this background, the data user cannot therefore refuse to comply with a data access request on the grounds that the requestor can deduce or infer the identity of other individuals, so long as the identifying information of the other individuals (e.g. name, etc.) has been deleted from the copy of the data provided to the requestor.

10.58

For example, where in the data access request the requestor asks for written comments on himself made by a specified third party, the fact that the requestor already knows the identity of the third party does not, in the Commissioner’s view, give the data user any justification for refusing to comply with the data access request, for the sake of protecting the privacy of the third party involved. All that the data user needs to ensure is that the data as released does not contain the name or other identifying information of the third party.