Insurance company imposed excessive fee on a customer’s data access request
Background
The complainant submitted a data access request (the “Request”) to his insurance company (the “Company”), requesting a copy of his personal data that the Company had obtained in the course of handling his claim, including a medical report that the Company had obtained from a third party. The Company imposed a fee of over HK$1,400 for complying with the Request (the “Fee”), and indicated that the Fee was the price that the medical service provider had charged the Company. The complainant considered the Fee excessive and therefore lodged a complaint with the PCPD.
Outcome
According to the principles laid down by the Administrative Appeals Board in Administrative Appeal No. 37/2009, a data user is allowed to charge a requestor only for costs which are “directly related to and necessary for” complying with a data access request. A data user should not charge a fee on a commercial basis. Any fees that exceed the costs of compliance would be considered excessive.
The Company explained that, in accordance with its guidelines, a flat rate was to be charged for complying with a data access request. In this case, due to an inadvertent human error, the relevant staff member had deviated from the guidelines by mistakenly quoting as the Fee the amount charged by the medical service provider to the Company for obtaining the relevant record. The Company took follow-up actions, which included adjusting the Fee imposed for complying with the Request. The Company also revised its relevant guidelines to elaborate on the requirements under the PDPO and to state expressly that the fee imposed for complying with a data access request should not be calculated on the basis of the prices charged by a medical service provider to the Company. The updated guidelines were circulated to the relevant staff members.
Lesson learnt
A data user may impose a fee for complying with a data access request, but the fee must not be excessive and must not be charged on a commercial basis. Any fee that exceeds the costs of compliance will be considered excessive. Data users should be aware that “directly related to and necessary for” is not the same as “reasonable”. For each individual item of cost, a data user should consider whether it would be possible to comply with the data access request without incurring that item. If the answer is “yes”, the data user should not include the cost of that item in the fee. Data users may also refer to the guidance note “Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users” published by the PCPD.
(Uploaded in April 2025)