Exercising Your Data Access Rights Under the
Personal Data (Privacy) Ordinance
This pamphlet contains some common Q & As in relation to data access requests
made by individuals and assists them in understanding their data access
rights under the Ordinance.
The Personal Data
(Privacy) Ordinance ("the Ordinance") was brought into force
in December 1996 to protect the privacy interests of individuals in relation
to their personal data. Under the Ordinance, every individual has the
right to request another party, e.g. a government department or a company,
to confirm whether it holds his or her personal data and to request a
copy of any such data. Such requests are called data access requests.
Common examples of
individuals making data access requests include patients requesting copies
of their medical records, employees requesting copies of their employment-related
records, such as performance appraisal reports, and credit applicants
requesting copies of their credit reports.
To assist individuals
to make data access requests, a Data Access Request Form (No.OPS003) was first issued on 1 December
1999 and then amended on 1 April 2008 by the Privacy Commissioner for
Personal Data.
The following are
some frequently asked questions and answers to assist individuals in making
data access requests.
Q1. How should I make a data access request?
A1. You should complete
the Data Access Request Form (Form OPS003) as amended by the Privacy Commissioner.
By providing the information as required in the Form, you will assist
the party concerned to process your data access request as quickly as
possible. If you do not use this Form, the party concerned may refuse
to comply with your data access request. The completed Form should be
sent directly to the data user to whom the data access request is made,
and not to the Privacy Commissioner.
Q2. Apart from completing the Form, what
other information or documents should I provide?
A2. The party concerned
may ask you to provide your identity proof, such as your identity card
or other identifying documents, e.g. a staff card, medical card or student
card for verification of your identity. Further, it may also require you
to provide further information to enable the location of the data you
requested. In some cases, you may be required to fill in a form
specified by the party concerned. However, it is not a mandatory requirement.
(If you wish to make a data access request on behalf of another individual,
please see Q&A 10 below as well.)
Q3. When completing the Form, what aspects
should I pay attention to?
A3. You should complete
all parts of the Form and, as far as possible, state specifically and
clearly the requested personal data. This will assist the party concerned
in complying with your data access request as quickly as possible, and
will help to avoid any subsequent disputes. If the party concerned is
not supplied with the information reasonably required to locate the data
requested, it may refuse to comply with your data access request pursuant
to section 20(3)(b) of the Ordinance. The last page of this pamphlet contains
a sample of a completed Form for reference.
Q4. Can I request "all of my personal data" from
the party concerned?
A4. The description
of the data requested by you is too general. You should clearly specify
the data requested, e.g. medical reports, appraisal reports, job application
forms, etc. and shall state the date of data collection. Please note that
if the party concerned is not supplied with sufficient information to
locate your personal data, it may refuse to comply with your data access
request pursuant to section 20(3)(b) of the Ordinance.
Q5. Can I request a copy of a specified document
from the party concerned?
A5. Under section
19 of the Ordinance, the party concerned is obligated only to supply you
with a copy of your personal data, and not a copy of the document in which
the data is contained. The party concerned may edit out from the document
information which is not your personal data.
Q6. Can the party concerned charge me
a fee to comply with my data access request?
A6. Yes. The Ordinance
allows the imposition of a fee for complying with a data access request but
the fee charged shall not be "excessive". In general, the party
concerned may recover the labour costs and actual out-of-pocket expenses
involved in complying with your data access request insofar as they relate
to the location, retrieval and reproduction of the data requested. The
labour costs should be restricted to the normal salary of clerical or
administrative staff handling the location, retrieval or reproduction
work. No fee should be charged by the party concerned for the sum incurred
for obtaining legal advice or the time spent in redacting data or deciding
which personal data should or should not be disclosed. If you believe
that the fee charged for compliance with your data access request is excessive,
you may raise the matter with the party concerned. If you are not satisfied
with the explanation given, you may lodge a complaint with the Office of the Privacy Commissioner for Personal Data.
Q7. Must my data access request be complied
with by the party concerned?
A7. Generally speaking,
the party concerned shall comply with your data access request, otherwise
it may commit an offence under the Ordinance and is liable on conviction
to a fine at level 3. However, there are circumstances specified in the
Ordinance under which the party concerned should refuse to comply with
a data access request. These are:
- when it is not supplied with sufficient information to identify you; or
- if the personal data sought under the data access request comprise personal
  data of another individual and the party concerned cannot comply with the
  request without disclosing the personal data of that other individual.
  On the other hand, if the party concerned is satisfied that the other
  individual has consented to the disclosure, it should comply with
  the request. In addition, if the party concerned can comply with the
  request without disclosing the identity of that other individual,
  for example by omitting the names or other identifying particulars,
  it should do so.
There are also circumstances
under which the party concerned may refuse to comply with a data access
request. These are:
- the request is not in writing in Chinese or English;
- the party concerned is not provided with sufficient information to locate
  the data requested;
- the request follows two or more similar requests, and it is unreasonable
  for the party concerned to comply with the request in the circumstances;
- another party controls the use of the personal data in a way that prohibits
  the party receiving the request from complying with it;
- the request is not made in the Privacy Commissioner's specified form, i.e.
  the amended Form OPS003 mentioned above;
- there is an applicable exemption from the requirement to comply with a data
  access request provided for in the Ordinance, e.g. if the personal data are
  held for the purpose of the detection of crime and compliance with the
  request would be likely to prejudice that purpose, the party concerned
  may refuse to comply (For the complete and definitive statement of
  this and other exemptions, reference should be made to the Ordinance.);
  or
- the party concerned has not yet received the fee charged for complying with
  your data access request.
Q8. How long will it take for my data access
request to be processed by the party concerned?
A8. In general, the
party concerned is required to comply with your data access request not
later than 40 days after receiving it. If the party concerned has valid
grounds to refuse to comply with your request, it should also reply to
you with reasons within 40 days. If the party concerned is unable to comply
with the request within 40 days of its receipt due to certain reasons
(e.g. data being stored overseas), it should also inform you of the situation
within the same 40-day period and comply with the request as soon as practicable
thereafter.
Q9. I do not know whether the party concerned
holds the data requested by me. Does the party concerned need to reply
to me after receiving my data access request?
A9. Choices are provided
in the amended Form OPS003 for you to request the party concerned:
(i) to inform you
if it holds the data requested;
(ii) to supply you with a copy of the data requested;
(iii) to comply with (i) and (ii).
You just need to tick
your choice and the party concerned will reply to you accordingly.
Q10. Must I make a data access request by
myself or can I authorize another individual to make a data access request
on my behalf?
A10. Apart from making
a data access request yourself, you can authorize another person in writing
to make a data access request on your behalf. The party concerned may
require the authorized person to produce your identity proof and your
authorization. Where the requestor is a minor under the age of 18, a person
with parental responsibility for the individual can make a data access
request on his/her behalf. In addition, where an individual is incapable
of managing his/her own affairs, a person appointed by the court to manage
his/her affairs can make a data access request on his/her behalf. In the
two latter situations, the person who makes the request on behalf of another
individual may be required by the party concerned to provide identity
proof of the individual whose personal data are sought and proof of his/her
relationship with that individual.
Q11. Can I request the party concerned,
when complying with my data access request, to provide me with a copy
of the requested data in a language of my choice?
A11. You may make
such a request and space is provided in the Form for you to do this. However,
if the language in which the data are held is not the language specified
in the request, the party concerned may choose to provide a copy of the
personal data requested in the form of a copy of the original document
without providing a translation.
Q12. Can I request the party concerned,
when complying with my data access request, to provide me with a copy
of the requested data in a specified form? e.g. can I request the relevant
data to be supplied on a floppy disk?
A12. You may make
such a request and space is provided in the Form for you to do this. However,
if it is not reasonably practicable for the party concerned to supply
the copy in the form specified by you, it may provide the copy in another
form. For example, if the personal data are on an audiotape and it is
not reasonably practicable to make a hard copy transcript at your request,
the party concerned may provide a copy of the tape.
Q13. What can I do if I find that my personal
data provided in response to a data access request are inaccurate?
A13. You can request
correction of the relevant personal data. This is a data correction
request under the Ordinance. Similar to data access requests, the party
receiving a data correction request shall also respond within 40 days.
If your request is complied with, the party should provide you with a
copy of the corrected data. If not, the party should inform you why this
has not been done.
Q14. Is there a prescribed form for making
a data correction request?
A14. No, you can simply
make your request in writing and provide all the supporting documentation
you may have to show that the data concerned are inaccurate, and specify
how the data should be corrected.
[This pamphlet
is for general reference only. It does not provide an exhaustive guide
to the relevant provisions of the Personal Data (Privacy) Ordinance. Readers
should refer to the provisions of the Ordinance for a complete and definitive
statement of the law.]
© Office of the
Privacy Commissioner for Personal Data, Hong Kong April 2008
Reproduction of all
or any part of this publication is permitted on the conditions that it
is done for a non-profit making purpose and due acknowledgement of this
work is made as the source.