
Exercising Your Data Access Rights Under the Personal Data (Privacy) Ordinance

This pamphlet contains some common Q & As in relation to data access requests made by individuals and assists them in understanding their data access rights under the Ordinance.


The Personal Data (Privacy) Ordinance ("the Ordinance") was brought into force in December 1996 to protect the privacy interests of individuals in relation to their personal data. Under the Ordinance, every individual has the right to request another party, e.g. a government department or a company, to confirm whether it holds his or her personal data and to request a copy of any such data. Such requests are called data access requests.

Common examples of individuals making data access requests include patients requesting copies of their medical records, employees requesting copies of their employment-related records, such as performance appraisal reports, and credit applicants requesting copies of their credit reports.

To assist individuals to make data access requests, a Data Access Request Form (No.OPS003) was first issued on 1 December 1999 and then amended on 1 April 2008 by the Privacy Commissioner for Personal Data.

The following are some frequently asked questions and answers to assist individuals in making data access requests.

Q1. How should I make a data access request?

A1. You should complete the Data Access Request Form (Form OPS003) as amended by the Privacy Commissioner. By providing the information as required in the Form, you will assist the party concerned to process your data access request as quickly as possible. If you do not use this Form, the party concerned may refuse to comply with your data access request. The completed Form should be sent directly to the data user to whom the data access request is made, and not to the Privacy Commissioner.

Q2. Apart from completing the Form, what other information or documents should I provide?

A2. The party concerned may ask you to provide your identity proof, such as your identity card or other identifying documents, e.g. a staff card, medical card or student card for verification of your identity. Further, it may also require you to provide further information to enable the location of the data you requested. In some cases, you may be required to fill in a form specified by the party concerned. However, it is not a mandatory requirement. (If you wish to make a data access request on behalf of another individual, please see Q&A 10 below as well.)

Q3. When completing the Form, what aspects should I pay attention to?

A3. You should complete all parts of the Form and, as far as possible, state specifically and clearly the requested personal data. This will assist the party concerned in complying with your data access request as quickly as possible, and will help to avoid any subsequent disputes. If the party concerned is not supplied with the information reasonably required to locate the data requested, it may refuse to comply with your data access request pursuant to section 20(3)(b) of the Ordinance. The last page of this pamphlet contains a sample of a completed Form for reference.

Q4. Can I request the party concerned for "all of my personal data"?

A4. The description of the data requested by you is too general. You should clearly specify the data requested, e.g. medical reports, appraisal reports, job application forms, etc. and shall state the date of data collection. Please note that if the party concerned is not supplied with sufficient information to locate your personal data, it may refuse to comply with your data access request pursuant to section 20(3)(b) of the Ordinance.

Q5. Can I request the party concerned for a copy of a specified document?

A5. Under section 19 of the Ordinance, the party concerned is obligated only to supply you with a copy of your personal data, and not a copy of the document in which the data is contained. The party concerned may edit out from the document information which is not your personal data.

Q6. Can the party concerned charge me a fee to comply with my data access request?

A6. Yes. The Ordinance allows the imposition of a fee for complying with a data access request but the fee charged shall not be "excessive". In general, the party concerned may recover the labour costs and actual out-of-pocket expenses involved in complying with your data access request insofar as they relate to the location, retrieval and reproduction of the data requested. The labour costs should be restricted to the normal salary of clerical or administrative staff handling the location, retrieval or reproduction work. No fee should be charged by the party concerned for the sum incurred for obtaining legal advice or the time spent in redacting data or deciding which personal data should or should not be disclosed. If you believe that the fee charged for compliance with your data access request is excessive, you may raise the matter with the party concerned. If you are not satisfied with the explanation given, you may lodge a complaint with the Office of the Privacy Commissioner for Personal Data.

Q7. Must my data access request be complied with by the party concerned?

A7. Generally speaking, the party concerned shall comply with your data access request, otherwise it may commit an offence under the Ordinance and is liable on conviction to a fine at level 3. However, there are circumstances specified in the Ordinance under which the party concerned should refuse to comply with a data access request. These are:

  1. when it is not supplied with sufficient information to identify you; or

  2. if the personal data sought under the data access request comprise personal data of another individual and the party concerned cannot comply with the request without disclosing the personal data of that other individual. On the other hand, if the party concerned is satisfied that the other individual has consented to the disclosure, it should comply with the request. In addition, if the party concerned can comply with the request without disclosing the identity of that other individual, for example by omitting the names or other identifying particulars, it should do so.

There are also circumstances under which the party concerned may refuse to comply with a data access request. These are:

  1. the request is not in writing in Chinese or English;

  2. the party concerned is not provided with sufficient information to locate the data requested;

  3. the request follows two or more similar requests, and it is unreasonable for the party concerned to comply with the request in the circumstances;

  4. another party controls the use of the personal data in a way that prohibits the party receiving the request from complying with it;

  5. the request is not made in the Privacy Commissioner's specified form, i.e. the amended Form OPS003 mentioned above;

  6. there is an applicable exemption from the requirement to comply with a data access request provided for in the Ordinance, e.g. if the personal data are held for the purpose of the detection of crime and compliance with the request would be likely to prejudice that purpose, the party concerned may refuse to comply (For the complete and definitive statement of this and other exemptions, reference should be made to the Ordinance.); or

  7. the party concerned has not yet received the fee charged for complying with your data access request.

Q8. How long will it take for my data access request to be processed by the party concerned?

A8. In general, the party concerned is required to comply with your data access request not later than 40 days after receiving it. If the party concerned has valid grounds to refuse to comply with your request, it should also reply to you with reasons within 40 days. If the party concerned is unable to comply with the request within 40 days of its receipt due to certain reasons (e.g. data being stored overseas), it should also inform you of the situation within the same 40-day period and comply with the request as soon as practicable thereafter.

Q9. I do not know whether the party concerned holds the data requested by me. Does the party concerned need to reply to me after receiving my data access request?

A9. Choices are provided in the amended Form OPS003 for you to request the party concerned:

(i) to inform you if it holds the data requested;
(ii) to supply you with a copy of the data requested;
(iii) to comply with (i) and (ii).

You just need to tick your choice and the party concerned will reply to you accordingly.

Q10. Must I make a data access request by myself or can I authorize another individual to make a data access request on my behalf?

A10. Apart from making a data access request yourself, you can authorize another person in writing to make a data access request on your behalf. The party concerned may require the authorized person to produce your identity proof and your authorization. Where the requestor is a minor under the age of 18, a person with parental responsibility for the individual can make a data access request on his/her behalf. In addition, where an individual is incapable of managing his/her own affairs, a person appointed by the court to manage his/her affairs can make a data access request on his/her behalf. In the two latter situations, the person who makes the request on behalf of another individual may be required by the party concerned to provide identity proof of the individual whose personal data are sought and proof of his/her relationship with that individual.

Q11. Can I request the party concerned, when complying with my data access request, to provide me with a copy of the requested data in a language of my choice?

A11. You may make such a request and space is provided in the Form for you to do this. However, if the language in which the data are held is not the language specified in the request, the party concerned may choose to provide a copy of the personal data requested in the form of a copy of the original document without providing a translation.

Q12. Can I request the party concerned, when complying with my data access request, to provide me with a copy of the requested data in a specified form? e.g. can I request the relevant data to be supplied on a floppy disk?

A12. You may make such a request and space is provided in the Form for you to do this. However, if it is not reasonably practicable for the party concerned to supply the copy in the form specified by you, it may provide the copy in another form. For example, if the personal data are on an audiotape and it is not reasonably practicable to make a hard copy transcript at your request, the party concerned may provide a copy of the tape.

Q13. What can I do if I find that my personal data provided in response to a data access request are inaccurate?

A13. You can request correction of the relevant personal data. This is a data correction request under the Ordinance. Similar to data access requests, the party receiving a data correction request shall also respond within 40 days. If your request is complied with, the party should provide you with a copy of the corrected data. If not, the party should inform you why this has not been done.

Q14. Is there a prescribed form for making a data correction request?

A14. No, you can simply make your request in writing and provide all the supporting documentation you may have to show that the data concerned are inaccurate, and specify how the data should be corrected.

[This pamphlet is for general reference only. It does not provide an exhaustive guide to the relevant provisions of the Personal Data (Privacy) Ordinance. Readers should refer to the provisions of the Ordinance for a complete and definitive statement of the law.]

© Office of the Privacy Commissioner for Personal Data, Hong Kong April 2008

Reproduction of all or any part of this publication is permitted on the conditions that it is done for a non-profit making purpose and due acknowledgement of this work is made as the source.


The contents of this website (including all uploaded publications) must be read subject to the Personal Data (Privacy) (Amendment) Ordinance 2012.