Personal Data (Privacy)
Ordinance
A Guide For Data Users. No. 2
Compliance With Data Access And Correction Requests
SECTION 7
Non-Compliance
with Data Correction Request
7.1 A data user shall refuse to comply with
a data correction request from a data subject if he is not
provided with sufficient information to identify the
data subject. In the case of a data correction request submitted
by a person on behalf of the data subject (a relevant person),
he shall refuse the request if he is not provided with sufficient
information to identify the data subject, or the relevant
person, or to be satisfied that the relevant person is properly
authorised to seek correction.
[section 24(1) of the Ordinance.]
7.2 If an individual, who submits a data correction request
following a data access request, is the same individual
that submitted the data access request, the data user
cannot refuse to comply with such a data correction request
for the reason of having insufficient information to identify
the data subject, or the relevant person. However, in the
case of a relevant person the data user should still ensure
that such a person has been properly authorised to make the
correction.
[section 24(2) of the Ordinance.]
Data User May Refuse
7.3 A data user may refuse to comply with a data correction
request if :
- the request is not in writing in Chinese or English;
- he is not satisfied that the personal data are inaccurate;
- he is not provided with sufficient information to ascertain
that the personal data are inaccurate;
- he is not satisfied that the correction provided in the
request is accurate; or
- any other data user controls the processing of the personal
data concerned in such a way that prohibits the data user
receiving the data correction request from complying with
the request.
[section 24(3) of the Ordinance.]
SECTION
8
Notification
of Non-Compliance with Data Correction Request
8.1 If a data user refuses to comply with a data correction
request for any of the reasons set out in the above paragraphs,
he must inform the data subject concerned by notice in writing
with reasons of the refusal within 40 days of receiving the
request. If he refuses to comply with a data correction request
because another data user controls the use of the personal
data concerned in such a way that prohibits him from complying
with the request, the notice of refusal must include the name
and address of the other data user concerned.
[section 25(1) of the Ordinance.]
8.2 If a data correction request involves the correction
of the personal data which is an expression of opinion
or an unverifiable fact and the data user is not
satisfied that the opinion or unverifiable fact is inaccurate,
the data user may refuse to make the correction. In such circumstances,
the data user is required to make a note of the data
subject proposed "correction". This should be annexed to the
data concerned in such a way that it is drawn to the attention
of, or made available for inspection by, any person (including
the data user or a third party) who may use such data in future.
The data user must also attach a copy of the note to the notice
of refusal.
[section 25(2) & (3) of the Ordinance.]
8.3 Refusals to comply with a data correction request and
the reasons must be entered into the log book referred to
in section 10 below.
