request lodged by a complainant for documents containing information about, inter

alia, his foreign exchange margin trading account, which the bank had provided to the

Hong Kong Monetary Authority (“HKMA”). The complainant confirmed that he had

made a complaint to the HKMA about the acts and conduct of the bank when

handling his foreign exchange trading account. The bank argued that it was prohibited

by reason of the secrecy provisions under section 120 of the Banking Ordinance (Cap

155) from providing the complainant with the requested information which formed part

of the investigation by the HKMA. Although the AAB ultimately concluded that the

information requested concerning the transaction details (when they were not involved

in actual transactions), including cut-off rates at the time intervals specified showing

market movements, did not constitute the complainant’s personal data, the AAB

commented that the requested information originated from the bank itself and was not

something it came to know or possess or obtain in the course of investigation by the

HKMA, and therefore it would not have been in breach of the said secrecy provisions

under the Banking Ordinance even if it had chosen to disclose the same to the

complainant.

10.77

Another example is found in the case of AAB No. 233/2013 in relation to a data access

request made by a complainant against the Ombudsman for his personal data

collected by the officer-in-charge when handling his complaint against a government

department. The Ombudsman refused to comply with his data access request on the

grounds that it was bound by a duty of secrecy under the Ombudsman Ordinance,

18

the non-observance of which was an offence. The AAB considered that the statutory

duty of secrecy imposed upon the Ombudsman was sufficiently broad to cover the

disclosure of personal data in compliance with a data access request made under the

Ordinance and hence section 20(1)(c) of the Ordinance applied in the circumstances

of the case for the Ombudsman to refuse compliance with the data access request.

When May a Data User Refuse to Comply with a Data Access Request?

10.78

Having considered the provisions in the Ordinance which oblige a data user to refuse to

comply with a data access request, we turn to other situations where such refusal may

be exercised by the data user. These are provided under section 20(3) as follows:

(3) A data user may refuse to comply with a data access request if –

(a) the request is not in writing in the Chinese or English language;

(b) the data user is not supplied with such information as the data user may

reasonably require to locate the personal data to which the request relates;

(c) t h e r e q u e s t f o l l o w s 2 o r m o r e s i m i l a r r e q u e s t s m a d e b y –

(i) the individual who is the data subject in respect of the personal data to which

the request relates;

(ii) one or more relevant persons on behalf of that individual; or

(iii) any combination of that individual and those relevant persons, and it is

unreasonable in all the circumstances for the data user to comply with the

18

Section 15(1) of the Ombudsman Ordinance, Cap 397 requires the Ombudsman and its staff to maintain secrecy in

respect of all matters that come to their knowledge in the exercise of their functions.