Personal Data (Privacy) Ordinance
A Guide For Data Users. No. 2
Compliance With Data Access And Correction Requests
SECTION 4
Notification of Non-Compliance with Data Access Request
4.1 If a data user declines to comply with a
data access request for any of the reasons set out in the
above paragraphs, he must inform the data subject concerned
by notice in writing of the reasons for the refusal within
40 days of receiving the request. If he refuses to comply
with a data access request because another data user controls
the use of the personal data concerned in such a way that
prohibits him from complying with the request, he is required,
in the notice to the data subject, to provide the name and
address of the other data user concerned.
[section 21(1) of the Ordinance.]
4.2 If a data user refuses to comply with a data access request
because of an applicable exemption provided for in section
57 - Security, etc. in respect of Hong Kong, or section 58
- Crimes, etc. of the Ordinance, and the data are also exempt
from the requirement to confirm whether or not the data user
holds personal data relating to that data subject because
the interest protected by that exemption would be likely to
be prejudiced by such confirmation, then the data user may
in the notice to the data subject adopt wording along the
lines of "I have no personal data the existence of which
I am required to disclose to you".
[section 21(2) of the Ordinance.]
4.3 Refusals to comply with data access requests and the
reasons for refusal must be entered into a log book. Further
details on the log book to be kept by data users are given
in section 10 below.
SECTION 5
The Right of Data Correction
5.1 Following the supply by a data user of a copy of personal
data in compliance with a data access request, the data subject
is entitled to ask for correction of the personal data
concerned if he considers that the data are inaccurate.
This is done by means of a data correction request to the
data user. Such a request may also be made by a properly authorised
relevant person.
[section 22(1) of the Ordinance.]
5.2 If a data user, following the receipt of a data correction
request but before complying or not with the request, discloses
to a third party the personal data to which the request
relates, then the data user should, if it is practicable to
do so, advise the third party concerned that the data
are being considered for correction.
[section 22(3) of the Ordinance.]
SECTION 6
Compliance with Data Correction Request
6.1 If a data user is satisfied that personal data
which are subject to a data correction request are inaccurate,
he is required to make the necessary correction and supply
the data subject with a copy of the corrected personal data
within 40 days of receiving the request. If a data
user is unable to comply with a data correction request in
whole or in part within the 40 day reply period, he must within
such period inform the data subject in writing that he is
unable to do so and give the reasons why. He must then fully
comply with the request as soon as reasonably practicable
after the expiry of the 40 day reply period.
[section 23(1)(a) & (b) and 23(2) of the Ordinance.]
6.2 If the personal data that are the subject of a data correction
request have been disclosed to a third party during the 12
months before the day of correction of the data and the
data user has no reason to believe that such a third party
has ceased using those data, he should supply such a third
party with a copy of the corrected personal data and a written
notice of the reasons for the correction. This requirement
does not apply where the third party has obtained the data
concerned by inspection of a public register without receipt
of a certified copy.
[section 23(1)(c) & 23(3) of the Ordinance.]
