Table of Contents Table of Contents
Previous Page  134 / 192 Next Page
Show Menu
Previous Page 134 / 192 Next Page
Page Background


The Commissioner took the view that in a data access request intended to be made

under the Ordinance (whether under section 18(1)(a), 18(1)(b) or both), the requestor

should at least state or make reference to terms such as “personal data”, “Personal

Data (Privacy) Ordinance”, “Cap 486”, “data access request”, etc. In order to prevent

or reduce the risk of misunderstanding, the Commissioner has, since December 1999,

pursuant to his power to specify forms under section 67(1) of the Ordinance, specified a

Data Access Request Form


by which data access requests are to be made.


The Data Access Request Form, by design, aims to make clear, both to the requestor

and the data user, the following essential matters:

• the fact that a data access request is made under the Ordinance;

• the particular provision(s) under which such request is made (i.e. paragraph (a) or (b)

of section 18(1), or both);

• the precise scope of the data to which the request relates (in this regard, the data

subject is guided to frame his request as specifically as possible);

• how to handle (including the time for compliance with) such a request, and the

possible consequences of failure to do so.


It is to be noted that failure to use the Data Access Request Form does not of itself

render the data access request invalid nor does it exonerate the data user from

responding to it in a manner prescribed by the Ordinance though it may afford the data

user grounds under section 20(3)(e) to refuse compliance with it. Even if a request is not

made by using the Data Access Request Form prescribed by the Commissioner, data

users are still encouraged to comply with such a request if it substantially contains the

details required, as the use of the prescribed form is merely a technical requirement.


In AAB No. 20/2014, the AAB took the view that a letter written by the complainant to a

bank, requesting the bank to either retain certain CCTV footage until the complainant

agrees to destroy the same or provide him with a copy of the CCTV footage, may not

amount to a data access request made pursuant to section 18(1) of the Ordinance. The

AAB had taken into account that the “request” was not made in the specified form and

the letter itself did not contain the substance to qualify as a valid data access request.


The requestor in making a data access request must provide true and accurate

information to the data user. A requestor who does not do so may commit an offence

under section 18(5) and (6) of the Ordinance:

(5) A person commits an offence if the person, in a data access request, supplies any

information which is false or misleading in a material particular for the purposes of

having the data user –

(a) inform the person whether the data user holds any personal data which is the

subject of the request; and

(b) if applicable, supply a copy of the data.

(6) A person who commits an offence under subsection (5) is liable on conviction to a fine


Available on the Website: