shall be deemed to hold the data, and the provisions of this Ordinance (including this
section) shall be construed accordingly.
10.81
In other words, where a data access request is refused pursuant to section 20(3)(d),
there is an alternative for the requestor to make a request to the party that ultimately
controls the use of the data (even if it does not physically hold such data).[20] Section
20(3)(d) might not afford the data user valid grounds to refuse compliance with a data
access request simply because there exists a duty of confidence between the data user
and the party that ultimately controls the use of the data. Confidentiality is not a reason
stipulated in the Ordinance to permit a data user to refuse to comply with a data
access request. A party who ultimately controls the use of the data so as to prohibit
compliance with the data access request will be deemed to hold the data by virtue of
section 18(4) and has to observe the rights and obligations under the Ordinance.
10.82
The decision given in AAB No. 26/2013 concerns the application of sections 18(4) and
20(3)(d). The complainant in this case made a data access request to her prospective
employer for the reference letter collected from her former employer. The prospective
employer refused to comply with her data access request on the grounds that the
reference letter was obtained after an assurance had been given to her former
employer that “all information provided [would] be kept strictly confidential”. The
prospective employer sought to rely upon section 20(3)(d) of the Ordinance. The AAB
emphasised that confidentiality is not a reason stipulated in the Ordinance for a data
user to refuse to comply with a data access request. Hence, under section 18(4) and
section 20(3)(d), either the former employer or the prospective employer must comply
with the data access request in accordance with the Ordinance. The AAB allowed the
appeal and directed the Commissioner to further investigate the case and to enquire
with the complainant’s former employer to ascertain its position with regard to section
18(4). If the former employer did prohibit the prospective employer from complying with
the data access request, section 18(4) would be applicable to the former employer,
who could direct the prospective employer to supply the complainant with the
requested data in compliance with her data access request. If it did not so prohibit the
supply of the data, section 20(3)(d) would not apply to extricate the prospective
employer.
10.83
Also of interest to readers is paragraph (ea) of section 20(3) which permits a data user to
refuse to comply with a data access request if it is entitled under the Ordinance or other
ordinances not to comply with the request. This provision was introduced by the
Amendment Ordinance to address the possible conflict which may arise when a person
is bound to observe a statutory duty to keep confidential certain information specified
under the applicable laws.
Steps To Take in Refusing To Comply with a Data Access Request
10.84
Where a data user is entitled, on one of the grounds provided in section 20, to refuse to
comply with a data access request, it does not mean that the data user can thereby
[20] The data user who refuses to comply with a data access request under section 20(3)(d) is required to notify the
requestor of the name and address of the other data user under section 21(1)(c).