PCO Office of the Privacy Commissioner for Personal Data, Hong Kong imagebanner image
Privacy Policy StatementSearchSite DirectoryText Only VersionChinese  
image
About PCPD
image
The Ordinance
image
PCPD Activities
image
Information Centreimage
Privacy Zone for Youngsters (Games)
image
Publications and Videos
image
Enquiries and Complaints
image
Case Notes
image
Contact Us
image
Annual ReportCode of Practice & Explanatory BookletConsultation Document/Report
NewsletterGuidance Note & Fact SheetLeaflet & FormOpinion Survey
OthersInvestigation Report / Inspection ReportInformation Book
image

Publications and Videos
Leaflet & Form
 

Personal Data (Privacy) Ordinance
A Guide For Data Users. No. 2
Compliance With Data Access And Correction Requests

SECTION 2

Compliance with Data Access Request

Timing

2.1 A data user is required to comply with a data access request within 40 days after receiving the request. If he is unable to comply with the request, in whole or in part, within the 40 day reply period, he must within such period inform the data subject in writing that he is unable to do so and give the reasons why this is so. He must also fully comply with the request as soon as reasonably practicable after the expiry of the 40 day reply period.

[section 19(1) & (2) of the Ordinance.]

Content

2.2 The copy of personal data to be supplied must be such personal data as is held at the time when the request is made. Any processing (including amending, augmenting, deleting or rearranging) of the data between the time the data access request is received and before the copy is supplied that would have been undertaken irrespective of the receipt of the request is not affected by this requirement. In other words, there is no requirement to stop normal data processing activities because a data access request has been received.

[section 19(3) (a) (i) of the Ordinance.]

2.3 For the first year of operation of the Ordinance, a data user is allowed to correct personal data, which may include erasure, between receipt of an access request for that data and supplying a copy to the requesting party. When supplying a copy of personal data that has been corrected under this provision, the data user is required to inform the data subject with a notice that such a correction has been made.

[section 19(3) (a) (ii), 19(3) (b) & 19(5) of the Ordinance.]

2.4 A copy of the personal data to be supplied should be intelligible unless it is a true copy of a document that contains the data and is unintelligible on its face. If the personal data contains any codes used by the data user, they should be adequately explained such that they are readily comprehensible by the data subject, whether or not a true copy of a document is supplied.

[section 19(3) (c) (i) & (ii) of the Ordinance.]

Language

2.5 If a data user holds the relevant personal data of a data access request in only one language and the copy to be supplied is a true copy of the document containing such data, the data user is not required to provide a copy of such data in any other language. This applies even if the data subject specifies in the data access request that he/she wishes to receive the data in another language.

2.6 If a data user holds the personal data sought under a data access request in more than one language and the data subject specifies in the data access request that he/she wishes to receive the data in one of these languages, the data user is required to provide a copy of the data in the language specified by the data subject.

2.7 Where the data user intends to supply the personal data other than in the form of a true copy of a document he should provide the data in either English or Chinese. The choice of English or Chinese should be made in accordance with any specific request by the data subject for one or other. In default of such a request, the choice should be made in accordance with the language used in the request, where this is in either Chinese or English. If the data access request is in a language other than Chinese or English, subject access may be refused (paragraph 3.4 below refers).

[section 19(3) (c) (iii) of the Ordinance.]

Form

2.8 If a data user holds the personal data sought under a data access request in one or more forms and one of the forms is a form sought by the data subject in the data access request, the data user is required to provide a copy of the data in the form specified by the data subject.

2.9 If a data user holds personal data in only one form and is unable to provide (because it is not practicable for him to do so) a copy of the relevant personal data of a data access request in a form sought by the data subject (for example, he only holds the personal data in paper file form, but the data subject seeks a copy in computerised form), the data user may provide a copy of such data in the form he is able to provide the data. A notice in writing must be attached informing the data subject that this is the only form which the data can be supplied.

2.10 If a data user can provide a copy of the personal data of a data access request in one or more forms but none is the form or forms sought by a data subject, the data user must inform the data subject, by notice in writing, of the various forms in which he can supply the data. The data user must also inform the data subject that he or she may specify within 14 days in which of those forms he or she would like the copy to be supplied. If the data user receives such a reply from the data subject, he is required to supply a copy of the data in the form specified in the reply. If he does not receive any reply within 14 days, he may supply a copy of the data in such form as he thinks fit.

[section 19(3) (c) (iv) & (v) and 19(4) of the Ordinance.]

 

 

Previous Page image Next Page

  imageNotice/ Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved. Disclaimer