Under the Personal Data (Privacy) Ordinance (the “PDPO”), a data subject has a right to make a “data access request” (“DAR”) to ascertain whether a data user holds his personal data and, if so, to request a copy of the data. Failure to handle a DAR in accordance with the PDPO without reasonable excuse may constitute an offence.
The Privacy Commissioner for Personal Data (the “Commissioner”) has issued a new guidance note regarding the proper handling of a DAR and the charges for a DAR.
Under the PDPO, a data user has to inform a data subject on or before the first use of such data regarding his rights to access and correct his personal data and the name/post and the address of the responsible persons handling the request. Usually, the aforesaid information is included in the Personal Information Collection Statement which is provided to the data subject on or before the collection of his personal data.
Generally speaking, a DAR is a request made by a data subject to request the data user to inform him whether the data user holds his personal data, and if the data user does, to provide him with a copy of such data. Examples include requests made by employees for copies of their performance appraisal reports.
A requestor is not entitled under a DAR to access data which is not personal data or personal data not belonging to him. To constitute personal data of an individual, the data must be:-
(i) relating directly or indirectly to the individual;
(ii) reasonably practicable from such data to directly or indirectly ascertain the identity of the individual; and
(iii) in a form in which access to or processing of the data is reasonably practicable.
Usually, a DAR is made on the Data Access Request Form specified by the Commissioner (the “DAR Form”). If a requestor does not use the DAR Form for making his DAR, such request may be refused. However, the new guidance note strongly advises a data user to comply with the request even if it is not made under the DAR Form provided that the request substantially sets out the scope and details of the requested personal data. This is because the refusal to comply with the request based on such ground is purely technical and the requestor may simply lodge another DAR using the DAR Form.
When a data user receives a DAR, it should ascertain the identity of the requestor and assess whether it holds the relevant personal data. The data user should inform the requestor whether it holds the relevant personal data within 40 calendar days after receiving the DAR, and if it does, it should also supply a copy of the requested data to the requestor in an intelligible form at the same time.
A data user should refuse to comply with a DAR if:-
(i) it is not supplied with satisfactory information as would enable the data user to identify the requestor;
(ii) it cannot comply with the request without disclosing the personal data of a third party; or
(iii) compliance with the request is for the time being prohibited under the PDPO or other legislation.
If the data user refuses to comply with a DAR, it should give written notice of the refusal and the reasons for it to the requestor within 40 days from the receipt of the DAR. It is also required to keep a log entry containing the particulars of the reasons for the refusal of the DAR for 4 years.
Under the PDPO, a data user may impose a fee for complying with a DAR, and it should clearly inform the requestor of the fee imposed as soon as possible and in any event not later than 40 days after the receipt of the DAR. A data user is entitled to refuse to comply with a DAR unless and until the fee imposed has been paid.
Fees imposed must be directly related to and necessary for the request and must not be excessive. Under the new Guidance Note, the following fees will be considered excessive or not directly related to and necessary for compliance with a DAR:
(i) fees that exceed the cost of compliance;
(ii) costs higher than would have been incurred under normal circumstances, had it not been for extraordinary situations created by the data user;
(iii) the costs for the data user in seeking legal advice or the costs for its consultant or staff to study the requirement under the PDPO;
(iv) the data user’s administrative or office overheads; and
(v) the redaction costs of personal data exempted from disclosure under any relevant exemption.
A data user may take into account the direct costs attributable to the time spent by its staff and the actual out-of-pocket expenses for locating, retrieving and reproducing the requested data for complying with a DAR. The costs of photocopying the documents containing the requested data are direct and necessary costs. Under the new Guidance Note, the photocopying charge imposed at HK$1 per page will be considered not excessive. In addition, for administrative convenience, some data users who keep records in a digital format and operate standard procedures for retrieving such records may impose a flat-rate fee. According to the new Guidance Note, charging a flat-rate fee is permissible provided that the fee imposed is lower than the direct and necessary costs for complying with a DAR and in any event not excessive under normal circumstances.
In view of the new guidance note, it is advisable for data users to review their current policies with respect to DAR such that the requirements under PDPO can be complied with.
The mere fact that the DAR is not made on the specified form does not automatically mean that a data user has no duty to comply with it, provided that the DAR clearly sets out the scope and details of the requested personal data.