PCPD - The Privacy Commissioner issued two investigation reports on data access request fee charged by data users and the proper handling of personal data transferred by data users to their debt collection agency

Date: 24 February 2010

The Privacy Commissioner issued two investigation reports on data access request fee charged by data users and the proper handling of personal data transferred by data users to their debt collection agency

The Privacy Commissioner for the Personal Data (“the Commissioner”) is empowered under section 48(2) of the Personal Data (Privacy) Ordinance (“the Ordinance”) to publish report after completion of an investigation if it is in the public interest to do so. In exercise of such power and in the public interest he has decided to publish the following two investigation reports today (24 February). They concerned the practice adopted by a bank and a finance company respectively in relation to the handling of personal data in the course of their businesses.

(i) Data users shall not charge any fee that is excessive when complying with a data access request

Brief facts
A bank sets up a fee structure intending to charge all customers a fixed fee of $200 for complying with a data access request, i.e. copies of his/her personal data in the custody of the bank.

The law
Section 28 of the Ordinance provides that the bank as a data user shall not impose a fee for complying with a data access request that is excessive.

What fee is considered excessive? The Commissioner’s perspective
The Ordinance offers scant assistance to either the data user, the data subject or even the Commissioner in determining what amounts to an “excessive” fee. In assessing whether the fee charged by a data user is excessive or not, the Commissioner has consistently adopted the principle that to have access to one’s personal data is a human right and a data user shall only charge for the locating, retrieving, reproducing and sending the requested data to the requestor on the assumption that the works involved are done by a clerical or administrative staff. The fees charged should not include any legal fees the data user might have incurred or the cost/work involved in any redaction of the personal data of third parties when complying with a data access request.

The bank’s fixed fee structure
Having failed to satisfy the aforesaid principles, the bank was found to have imposed a fee structure that was liable to be excessive. Even though the bank had the fee structure in place, it has not actually charged or received any such fee from any customer. That being the case, the Commissioner did not find that there had been a contravention of the requirements of the Ordinance. He has however drawn the attention of the Hong Kong Monetary Authority and the Hong Kong Association of Banks to the fact that a fixed fee is not likely to be considered appropriate in every situation as the law now stands.

The Commissioner Mr. Roderick B Woo said, “The Ordinance confers on data subjects a right to make data access request. Such a right should not be deterred by the imposition of a fee that is excessive. A data user should therefore exercise prudence when charging a fee for complying with a data access request to ensure that it should not be excessive. Recognising that the fee charged for supplying a copy of the requested data varies considerably from one data user to another, the Government’s consultation document on review of the Ordinance published in August 2009 contained a suggestion that a maximum fee be set for handling a data access request as prescribed in a fee schedule under the Ordinance. This may help improve the situation if such an amendment to the Ordinance is made in due course of time.”

(ii) Finance company held responsible for acts of its debt collection agency for improper handling of personal data in debt collection activities

Brief facts
A finance company passed the loan application form which contained personal data of the relatives of the debtor to a debt collection agency with instructions to recover the debt on its behalf. The debt collection agency posted up personal particulars of such relatives in public places in relation to its pursuit of the debt.

The finance company responsible for acts of the debt collection agency
The Commissioner found that the finance company as the data user and the principal had not concerned itself with the proper handling of such personal data by its agent. While the information concerning the relatives might assist the debt collection agency to locate the debtor, the finance company should take reasonably practicable steps to ensure that the debt collection agency shall use the personal data properly.

“When personal data are transferred by a lender to a debt collection agency, the lender does not thereby exonerate itself of the duty, as a principal, to ensure compliance with the requirements of the Ordinance by the debt collection agency which acts as its agent. The lender should therefore exercise proper care and diligence to monitor and regulate the conduct of its agent in the proper handling of the personal data passed to it in the debt collection process.” said Mr. Woo.

For details of the cases background, relevant provisions of the Ordinance, findings, the Commissioner's recommendations and other comments, please refer to the Reports. Copies of the Reports can be obtained from the Commissioner's Office at 12/F., 248 Queen's Road East, Wan Chai, Hong Kong. The reports are also available for downloaded from his website (http://www.pcpd.org.hk/english/publications/invest_report.html).

END