Table of Contents Table of Contents
Previous Page  30 / 192 Next Page
Show Menu
Previous Page 30 / 192 Next Page
Page Background

Based on the above findings, the Commissioner considered that no investigation or

further investigation was necessary. On appeal, the AAB upheld the Commissioner’s

decision and ruled that:

A person who does not collect, hold, process or use the personal data is not a data user in

relation to that data. He is not obliged to comply with a data access request in relation to that



In the case of AAB No. 3/2005, a student complained against a school for failing to

comply with his data access request. The school denied that it was the data user

because it did not hold or control the requested data. The school then diverted the

request to a closely connected college, which was the data user, for processing the

request. The complainant insisted that the school had to comply with his request. The

AAB ruled that the school and the college were separate legal entities. Although the

school was closely connected to the college in that it had control over the college on

policy matters, the school was not the data user of the requested personal data in that it

did not control the collection, holding, processing or use of the requested data. The

college collected the personal data for its own use. There was no evidence that the

college had ever transferred the requested data to the school or that the school had

control over the requested data.


In AAB No.8/2005, a student filed a complaint against his school for disclosing the

examination results of an academic programme to his classmate before they were due

for release. His suspicion was fueled by the fact that he had received an email from his

classmate notifying all persons enrolled in the academic programme (of which his name

was included in the list of recipients) of the arrangements for making a trip to the

mainland to attend the graduation ceremony. The school denied that it had disclosed

the examination results as alleged, and maintained that there was no evidence to show

that the school was the data user in respect of the student’s personal data in the email

sent by his classmate. The AAB upheld the decision of the Commissioner that the school

was not the data user.


In the case of AAB No. 16/2007, the AAB considered the question whether a data user’s

control over personal data could have been vitiated when the data user was

compelled by the operation of PRC law to disclose the personal data. The AAB decided

that in such circumstances the data user retained control over the personal data; the

disclosure of the relevant information under compulsion of law did not and could not

vitiate their control.

Section 2(12)


Another point worth noting regarding the meaning of “data user” is the exclusion under

section 2(12), which provides:

A person is not a data user in relation to any personal data which the person holds,

processes or uses solely on behalf of another person if, but only if, that first-mentioned

person does not hold, process or use, as the case may be, the data for any of his own