Table of Contents Table of Contents
Previous Page  143 / 192 Next Page
Information
Show Menu
Previous Page 143 / 192 Next Page
Page Background

10.59

This view was confirmed in the case of Wu Kit Ping by the Court of First Instance, in which

the learned judge considered that

. . . by s.20(2)(a), the restriction on the disclosure of personal data of one data subject, which

might disclose the personal data of other data subject, operates only where the maker of the

report, that is the source of the personal data to which the data access request is concerned,

is named or explicitly identified. If the person who examined diagnosed and treated Ms Wu is

not named in the report, it is likely that by deduction or inference Ms Wu will know the name of

that person, if it had been given to her, for example, at the time of treatment. The fact that

that deduction or inference may be made is not a barrier to the disclosure of Ms Wu’s personal

data . . . But unless the data names or otherwise explicitly identifies the complainant, the fact

that the complainant’s identity might be determined by deduction or inference is not a barrier

to the disclosure of the data . . . The effect of s.20(2)(b) is that if the data user can supply to the

data subject his personal data, without the disclosure of the identity of the source of the

information, then a means to supply the data must be found.

10.60

The AAB followed the reasoning in Wu Kit Ping’s case in other appeal cases. For instance,

in AAB No. 15/2012, an employee made a data access request to his employer for his

appraisal reports. The AAB found that the redaction of the names, post titles and

signatures of those appraising officers, reviewing officers and countersigning officers in

the appraisal reports was legitimate as the redacted particulars were not the personal

data of the employee, and section 20(2)(b) applied as those names and information

explicitly identified the officers.

Charge for Complying with a Data Access Request

10.61

For compliance with a data access request, a data user may levy a charge on the

requestor in accordance with the following provisions in section 28 of the Ordinance:

(1) A data user shall not impose a fee for complying or refusing to comply with a data

access request or data correction request unless the imposition of the fee is expressly

permitted by this section.

(2) Subject to subsections (3) and (4), a data user may impose a fee for complying with a

data access request.

(3) No fee imposed for complying with a data access request shall be excessive.

. . .

(5) A data user may refuse to comply with a data access request unless and until any fee

imposed by the data user for complying with the request has been paid. . .

10.62

While section 28(3) prohibits the imposition of an “excessive” fee for complying with a

data access request, what is “excessive” is not defined. In determining whether the fee

imposed by the data user is excessive, the Commissioner regards it as important that the

fee, if any, charged should not be set with a view to generating profit, or worse,

deterring the data subject from exercising his data access right under the Ordinance. In

cases handled by the Commissioner, the charging for the actual out-of-pocket

expenses, such as the photocopying fee and postage incurred by the data user, was

not regarded as excessive. A data user may be asked to justify the basis of calculation

of the fee in determining whether the fee charged is excessive in the circumstances of