Practice Note: How to Handle a Data Access Request (DAR)
I. WHAT IS A DATA ACCESS REQUEST (DAR)?
According to s.18 of the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”), an individual may make a request to a data user as to whether the data user holds personal data of the individual, and if so, to provide the individual a copy of such data.
A data user who supplies false or misleading materials in response to a DAR commits a criminal offence and is liable on conviction to a fine at level 3 and to imprisonment for 6 months: ss. 18(5) and (6) of the PDPO.
II. COMPLIANCE WITH DAR
Under the PDPO, a data user must comply with a DAR within 40 calendar (not working) days after receiving the request by either: -
(1) informing the individual in writing that the data user holds the personal data and supplying a copy of the same to the individual; or
(2) informing the individual that the data user does not hold the personal data requested.
In the event that the data user cannot comply within the 40-day time limit, the data user should, before the expiration of that period: -
(1) notify the individual in writing that the data user is unable to comply and the reasons for it;
(2) comply with the DAR to the extent that the data user is able to; and
(3) fully comply with the DAR as soon as practicable after the expiration of that period.
The data user should also provide the individual with a copy of the requested personal data that is, as far as practicable, intelligible and readily comprehensible, with any codes used by the data user adequately explained.
In addition, the data user should respond in the language specified in the DAR, or in the language in which the data is held.
See: s.19 of the PDPO.
III. THE OPS003 FORM
The Privacy Commissioner for Personal Data, Hong Kong (“PCPD”) has published a standard Data Access Request Form (OPS003).
The OPS003 Form expressly states that the individual is not entitled to access data which is not personal data, or personal data which does not belong to the individual. It also reminds the individual (i.e. the requestor) that the data user may refuse to comply with the individual’s request if the individual has not supplied such information as may be reasonably required to locate the requested data.
The OPS003 Form has 7 parts. The first 3 parts concern the particulars of the data user, data subject and the requestor. Part 4 of the OPS003 Form concerns the description of the requested data, and date around which or period within which the requested data was collected etc.
Part 5 of the OPS003 Form concerns the personal data which are not required by the requestor (e.g. letters to the data user from the data subject, or newspaper clippings concerning the data subject).
Under Part 6 of the OPS003 Form, the requestor can elect to request the data user to inform whether the data user holds the requested personal data and/or supply the copy of the requested personal data, subject to exclusions stated in Part 5 of the OPS003 Form. Part 7 of the OPS003 Form concerns the preferred manner of which the copy of the requested personal data is sent by the data user.
Parts 8 and 9 of the OPS003 Form concern the payment of fees, the documents required by the data user and the use of the personal data provided in the OPS003 Form.
IV. SECTION 20 EXEMPTIONS
Under s.20(1) of the PDPO, a data user shall refuse to comply with a DAR in the following circumstances: -
(1) if the data user is not supplied with such information as the data user may reasonably require in order to satisfy the data user as to the identity of the requestor;
(2) if the data user is not supplied with such information as the data user may reasonably require where the requestor purports to be a relevant person, in order to satisfy the data user regarding the identity of the individual in relation to whom the requestor purports to be such a person; and
(3) if the data user cannot comply with the request without disclosing personal data of which any other individual is the data subject, unless that other individual consents to the disclosure of the data.
There are also circumstances in which the data user may refuse a DAR, including the following: -
(1) the request is not in writing in the Chinese or English language;
(2) the individual has not supplied such information as may reasonably be required to locate the personal data to which the request relates;
(3) the request follows 2 or more similar requests made by the individual, relevant person(s) or both;
(4) another data user controls the use of the personal data in such a way as to prohibit the data user from complying with the DAR;
(5) the DAR is not made using the OPS003 Form (but the data user is strongly advised to respond to the DAR if it substantially contains the scope and details of the requested data, because reliance on this ground of refusal is merely technical and the individual may simply lodge the request again using the OPS003 Form);
(6) the data user may refuse to answer the DAR if the data user is entitled to do so under the PDPO or any other HK laws; and
(7) compliance with the request may for the time being be refused under the PDPO, whether by virtue of an exemption under Part 8 of the PDPO or otherwise.
The data user is required to inform the individual of the refusal, with reasons, before the expiry of the 40-day time limit.
V. DAR FLOWCHART
For a comprehensive DAR Flowchart, please see Appendix I below.
For more information regarding how to handle a Data Access Request, please contact ADG at firstname.lastname@example.org or Tel: +852 3725 4806.