Publications and Videos

Leaflet & Form

Personal Data (Privacy) Ordinance
A Guide For Data Users. No. 2
Compliance With Data Access And Correction Requests

SECTION 3

Non-Compliance with Data Access Request

Data User Shall Refuse

3.1 A data user shall refuse to comply with a data access request under any of the circumstances set out in paragraphs 3.2 and 3.3 below.

3.2 A data user shall refuse to comply with a data access request from a data subject if he is not provided with sufficient information to identify the data subject. In the case of a data access request submitted by a person on behalf of the data subject (a relevant person), he shall refuse the request if he is not provided with sufficient information to identify the data subject, or the person seeking the data, or to be satisfied that the person seeking the data is properly authorised to do so.

[section 20(1) (a) of the Ordinance.]

3.3 If the personal data sought under the data access request comprises personal data of another individual, and the data user cannot comply with the request without disclosing the personal data of that other individual, he shall refuse to comply with a data access request. This prohibition does not apply where the data user is satisfied that the other individual has consented to the disclosure of the data to the data subject submitting the request. This prohibition also does not apply to the extent that a data user can comply with a data access request without disclosing the identity of that other individual, for example by the omitting of names or other identifying particulars.

[section 20(1) (b) & 20(2) of the Ordinance.]

Data User May Refuse

3.4 A data user may refuse to comply with a data access request if :

1. the request is not in writing in Chinese or English;
   
   
2. he is not provided with sufficient information to locate the personal data that are being requested
   
   
3. the request follows two or more similar requests made by the data subject or a relevant person on his or her behalf and it is unreasonable for the data user to comply;
   
   
4. another data user controls the use of the personal data concerned in such a way that prohibits the data user receiving the data access request from complying with the request;
   
   
5. the data access request is not made in a form which has been specified under section 67 of the Ordinance if such a form has been specified; or
   
   
6. there is an applicable exemption from subject access provided for in Part VIII of the Ordinance.

[section 20(3) of the Ordinance.]

[Image of Previous Page] [Image of image] [Image of Next Page]

End of Page

[Annual Report] [Code of Practice/ Guideline & Explanatory Booklet] [Consultation Document/ Report] [Newsletter] [Guidance Note & Fact Sheet] [Leaflet & Form] [Opinion Survey] [Others] [Investigation Report / Inspection Report] [Information Book]

[About PCPD] [The Ordinance] [PCPD Activities] [Information Centre] [Privacy Zone for Youngsters (Games)]
[Publications & Videos] [Enquiries & Complaints] [Case Notes] [Contact Us] [Search] [Site Directory] [Graphical Version]
[Chinese Version]

Notice/Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved. Disclaimer