completely ignore the request. Rather, there are two steps which the data user is
required to take in relation to such refusal to comply, namely, putting a relevant entry in
its log book as required under section 27(2), and notifying the requestor in accordance
with section 21(1).
10.85
It should be noted that even though a data user may be legally entitled to refuse to
comply with a data access request, it is still obliged to give the requestor written
notification of the prescribed matter within forty days of receiving the request. Failure to
comply with this requirement will result in contravention of section 21(1).
10.86
Pursuant to section 21(1)(a) and (b), a data user who refuses to comply with a data
access request shall inform the requestor of the refusal and the reason for such refusal in
writing. The intention behind such a requirement on the part of the data user is to give
the requestor a fair chance to challenge the refusal.
10.87
In this connection, it is important also to note that where, in response to a data access
request, a data user releases to the requestor only part of the data held and withholds
the remainder of the data, the data user in effect refuses to comply with the data
access request. The notification requirements under section 21(1) also apply to that part
of the data that is withheld. In other words, in compliance with paragraph (a), the data
user is obliged to notify the requestor, with reasons, of the fact that certain requested
data is withheld.
10.88
In relation to notification under paragraph (b), one question is how specific the reasons
should be. In this regard, the notification given should at least be specific enough to
enable the requestor, if he so wishes, to challenge the refusal. In previous cases, the
Commissioner considered the notification given by a data user to be sufficient where it
mentioned the grounds relied on (e.g. “legal professional privilege”) or the exact section
number of the relevant exemption provision (in the example just quoted, “section 60”).
10.89
However, where the data user has failed to notify the requestor of the grounds relied
upon under section 20(1) and (3) to refuse compliance with the data access request,
even where valid grounds do exist to justify refusal, the data user is still regarded as
having breached section 19(1) by failing to comply with a data access request. Care
should thus be taken to ensure that where proper grounds of refusal are relied upon in
refusing compliance with a data access request, the data subject is informed of
the same in accordance with section 21 of the Ordinance.
10.90
Prior to informing the requestor of the refusal and the reasons for refusing to comply with
the data access request, a data user is required to keep a log entry of any refusal. In
particular, section 27(1), (2)(a) and (3)(a) provide as follows:
(1) A data user shall keep and maintain a log book –
(a) for the purposes of this Part;
(b) in the Chinese or English language; . . .
(2) A data user shall in accordance with subsection (3) enter in the log book –
(a) where pursuant to section 20 the data user refuses to comply with a data access
request, particulars of the reasons for the refusal;