materially inaccurate having regard to the purpose (including any directly
related purpose) for which the data is or is to be used by the third party; and
(ii) that data was inaccurate at the time of such disclosure, that the third party –
(A) is informed that the data is inaccurate; and
(B) is provided with such particulars as will enable the third party to rectify the
data having regard to that purpose.
6.2
The requirement under DPP2(1) is not an absolute one. As mentioned in the previous
Chapters, the word “practicable” as used throughout the Ordinance is defined in
section 2(1) to mean “reasonably practicable”. It follows that the duty of a data user
under DPP2(1) is to take all reasonably practicable steps in ensuring (as opposed to, say,
guaranteeing) the accuracy of all personal data held by it. Indeed, the fact that DPP2(1)
does not impose an absolute standard is understandable, given the inevitability of
human error.
6.3
As for the meaning of the word “accurate”, this can be inferred from the definition of
“inaccurate” in section 2(1) which, in relation to personal data, means the data is
“incorrect, misleading, incomplete or obsolete”.
6.4
In this connection, however, it is also relevant to note that DPP2(1)(a) speaks of personal
data being accurate “having regard to the purpose for which (it) is to be used”. The
Commissioner is fully cognizant of the fact that the standard of accuracy varies
according to the circumstances and there is no hard and fast rule to be universally
applied. For instance, a greater degree of care would need to be taken to ensure the
accuracy of such data, the inaccuracy of which may involve serious consequences, as
opposed to data concerning trivial matters.
6.5
The mere fact that the personal data kept by a data user is found to be inaccurate by
the data subject does not necessarily result in a breach of DPP2(1)(a). In AAB No.
12/2008, which deals with a complaint by an employee about the inaccurate personal
records provided by her employer in compliance with her data access request, the AAB
considered that:
“[The requirement of DPP2(1)(a)] does not mean that data held by the data user must be
correct in all respects. The requirement is this: provided that the data user has taken all
practicable steps to ensure the personal data kept by him is accurate, it is no breach of this
requirement if the data is subsequently found to be incorrect by the data subject. If that
happens, the data subject may, pursuant to section 22 of the Ordinance, ask the data user to
correct the inaccuracies. Thus, there is no contravention of a requirement of the Ordinance
where the personal data kept by the data user is inaccurate but it would be a contravention if
the data user refused to correct the inaccuracies when the data subject lodged a data
correction request with him.”
6.6
If the result of an investigation reveals that the error committed was attributable to some
identifiable defect in the data handling system or procedures of the data user, the
Commissioner is likely to form the view that there is a contravention of DPP2(1). By way of
remedial action, the Commissioner will normally require the data user to take
appropriate steps to improve its data handling system or procedures, with a view to
preventing recurrence of similar inaccuracies in the future.