Personal Data (Privacy) Law in Hong Kong – A Practical Guide on Compliance

data access request; and

(b) the individual, or a relevant person on behalf of the individual, who is the data

subject considers that the data is inaccurate,

then that individual or relevant person, as the case may be, may make a request that

the data user make the necessary correction to the data.

11.3

It should be noted that a data correction request applies only to personal data, a copy

of which has been provided to the requestor pursuant to an earlier data access

request.

In other words, a data correction request must be preceded by a data access

request.

11.4

It also follows that where a data access request has been properly refused by a data

user (for example, pursuant to an applicable exemption under Part 8 of the Ordinance),

no subsequent data correction request can be made under Part 5 of the Ordinance in

respect of the data in question.

11.5

Notwithstanding the above technical requirements, when a data user is satisfied that

the personal data held by it is inaccurate, it should ensure compliance with DPP2(1) by

taking all practicable steps to correct the personal data having regard to the purpose

for which it is to be used.

Who Can Make and How to Make a Data Correction Request?

11.6

Similar to a data access request, section 22(1) allows a data correction request to be

made by a data subject or by “a relevant person on behalf of” the data subject, the

meaning of which has been discussed in paragraphs 10.14 to 10.18 in Chapter 10.

11.7

Where the data access request is made by a relevant person on behalf of the data

subject, it does not follow that the relevant person must have the authority to request for

correction of the personal data of the data subject. Section 22(1A) makes it clear that:

(1A) If a person is a relevant person in relation to an individual only because the person has

been authorized in writing by the individual to make a data access request on behalf of the

individual, the person is not entitled to make a data correction request.

11.8

A data user should be mindful of the grounds provided under section 24(1)(b) that it shall

refuse to comply with a data correction request when it is not satisfied with the identity

of the relevant person. Section 24(1)(b) provides as follows:

24(1) Subject to subsection (2), a data user shall refuse to comply with section 23(1) in

relation to a data access request if the data user is not supplied with such information as

the data may reasonably require –

AAB No.5/2005

, a data access request and a data correction request were made by a student against an academic

institution for personal data held by it. The academic institution did not hold the personal data requested and asked the

student to address his request to another data user. The AAB agreed with the Commissioner’s view that the academic

institution was not a data user. Since no personal data was supplied to the student by the academic institution, there

was no personal data that could be the subject of correction as requested by the student in his data correction request.