Case Notes

(AAB Appeal No. 27 of 2024)

Fee imposed for complying with data access request – whether excessive – whether higher than the lowest fee the data user imposes for complying with the request in other form – section 28(3) and 28(4) of the PDPO

Coram:
Ms Jay MA Suk-lin (Deputy Chairman)
Mr William CHAN Chun-ho (Member)
Ms TSAI Ching-yu (Member)

Date of Decision: 16 December 2024

The Complaint

The Appellant was a candidate of a public examination. According to the administrating body of the examination (the Administrator), starting from 2023, the data access requestor would not be provided with a hard copy of the requested data. Instead, the Administrator would issue an email to the requestor with a password and a link for downloading the requested personal data, including marking records and examination scripts. The Appellant considered that, in view of the change in the form of provision of requested data, the fee imposed for accessing the data should be reduced. However, the fee imposed by the Administrator for the first data access application was reduced by only HK$20, whereas the fee for accessing the data of each additional subject remained unchanged. The Appellant thus lodged a complaint with the Privacy Commissioner against the Administrator for imposing excessive fees for accessing marking records and examination scripts, in violation of section 28(3) of the PDPO which stipulates that no fee imposed for complying with a data access request shall be excessive.

In addition, the Appellant also complained against the Administrator for violating section 28(4) of the PDPO by choosing to comply with data access requests by providing hard copies of the data at a higher cost and calculating the fees imposed on that basis before 2023, when it was able to provide electronic copies of the requested data.

The Privacy Commissioner’s Decision

Upon investigation, the Privacy Commissioner found that the fees imposed by the Administrator for complying with data access requests were lower than the necessary and directly related costs incurred in complying with the data access request. Such costs included labour costs, computer operating time costs and other costs. As such, the Privacy Commissioner found that the fees imposed by the Administrator for complying with data access requests were not excessive and the Administrator had not contravened section 28(3) of the PDPO.

Further, the Privacy Commissioner found that the relevant requirement under section 28(4) of the PDPO is premised on the fact that a data user may provide a copy of the personal data to which a data access request relates in one of two or more forms. As the Administrator could only provide copies of the relevant data in one form (that is, in the form of hard copies) in the relevant period, the Privacy Commissioner considered that section 28(4) of the PDPO was not applicable and the Administrator had not contravened the relevant requirement.

The Appeal

The AAB confirmed the Privacy Commissioner’s decision and dismissed the appeal on the following grounds:-

1. The Privacy Commissioner’s investigation against the Administrator was adequate. During the investigation, the Privacy Commissioner sought and obtained information on the steps involved and costs incurred by the Administrator for complying with data access requests, and there was insufficient evidence showing that such steps and costs are not necessary or directly related.
2. The Administrator’s explanation that it was unable to provide electronic copies of marking records and examination scripts in the relevant period due to feasibility and security reasons was not unreasonable, particularly in view of the vast amount of personal data that the Administrator possessed and the Administrator’s need to exercise caution. The AAB also agreed that there was no evidence supporting the Appellant’s allegation that transmitting electronic copies of the documents by email would involve lower costs.

The AAB’s Decision

The appeal was dismissed.

(Uploaded in May 2025)