A data access request made by a customer to a dental clinic
The Complaint
The complainant submitted a data access request (“the Request”) to a dental clinic (“the Clinic”), requesting a copy of his personal data contained in the medical report pursuant to the Personal Data (Privacy) Ordinance (“the Ordinance”). The Clinic failed to comply with the Request of the complainant within the 40-day period prescribed under the Ordinance.
Outcome
The Clinic explained that it had made multiple attempts to contact the complainant by phone upon receipt of the Request, but to no avail. Also, the Clinic stated that the Request was the first-ever data access request received by the Clinic and it was unfamiliar with the relevant requirements under the Ordinance, leading to a delay in providing the complainant with a copy of the requested information.
Ten days upon the PCPD’s intervention, the Clinic informed the complainant in writing that the medical report requested in the Request was ready. The complainant paid the required fee and collected the relevant documents at the Clinic the next day.
In the present case, the PCPD noted that the complainant had provided his correspondence address in his data access request form. Therefore, the Clinic should comply with the Request within 40 days after receiving the Request in accordance with section 19(1) of the Ordinance by informing the complainant in writing that the Clinic holds the relevant information and supplying to him a copy of such information. In response to this case, the Clinic had enhanced its document processing guidelines to ensure compliance with the relevant provisions of the Ordinance governing the handling of data access requests in the future.
Lesson learnt
The legal framework established under the Ordinance was enacted to protect data subjects’ personal data privacy and it regulates individuals or organisations (i.e. data users) who collect, hold, process or use personal data. The PCPD would like to remind all data users through this case that the right to make a data access request is an important right vested in data subjects under the Ordinance and data users are required by the law to handle their data access requests properly. Asserting a lack of familiarity with the requirements under the Ordinance does not constitute a valid justification for non-compliance with data access requests. Organisations being data users should promulgate clear guidelines and operational procedures on handling data access requests and establish tracking procedures to monitor the progress of compliance with the data access requests, in order to ensure compliance with the relevant provisions of the Ordinance governing the handling of data access requests.
(Uploaded in October 2025)