10.72
Section 20(1) provides as follows:
(1) A data user shall refuse to comply with a data access request –
(a) if the data user is not supplied with such information as the data user may
reasonably require –
(i) in order to satisfy the data user as to the identity of the requestor;
(ii) where the requestor purports to be a relevant person, in order to satisfy the
data user –
(A) as to the identity of the individual in relation to whom the requestor
purports to be such a person; and
(B) that the requestor is such a person in relation to that individual;
(b) …
(c) in any other case, if compliance with the request is for the time being prohibited
under this or any other Ordinance.
10.73
Section 20(1)(a) requires a data user to refuse to comply with a data access request
lodged by a requestor whose identity is in doubt. A data user must be careful to ensure
that a copy of the personal data requested in a data access request is only provided to
a person entitled to exercise the right to issue the relevant data access request.[16]
10.74
It is provided under section 20(1)(c) that a data user shall refuse to comply with a data
access request where such compliance is “for the time being prohibited” under the
Ordinance or another ordinance. There are few situations in which compliance with a
data access request is expressly prohibited under the Ordinance; one of them is where a
data access request is made to the Commissioner himself for personal data collected by
the Commissioner in the course of his investigation under Part 7 of the Ordinance. With
regard to such data, section 46(1) imposes on the Commissioner and officers of the
Commissioner a duty to maintain secrecy, subject to certain exceptions provided for in
section 46(2), (3), (7) and (8), and unless any of these exceptions apply, the
Commissioner is obliged to refuse to comply with the data access request according to
section 20(1)(c).
10.75
Another example of prohibition on disclosure of information can be found in the
Securities and Futures Ordinance (Cap 571). A specified person of the Securities and
Futures Commission is bound by statutory duty[17] to preserve secrecy in respect of any
matter that comes to his knowledge in the performance of the functions under the
Securities and Futures Ordinance and shall not let any other person have access to the
record or document which is in his possession. Where compliance with a data access
request by a data user will result in it breaching the statutory requirements under another
ordinance, the data user may seek to rely on section 20(1)(c) to refuse compliance.
10.76
In AAB No.10/2013, the AAB examined the application of section 20(1)(c) of the
Ordinance, which was relied on by a bank in refusing to comply with a data access
[16] See paragraphs 10.13 to 10.18 above.
[17] Section 378 of the Securities and Futures Ordinance, Cap 571, Laws of Hong Kong.