Exercising Your Data Access Rights
Under the Personal Data (Privacy) Ordinance

The Personal Data (Privacy) Ordinance ("the Ordinance")
was brought into force in December 1996 to protect the privacy interests
of individuals in relation to their personal data. Under the Ordinance,
every individual has the right to request another party, e.g. a government
department or a company, to confirm whether it holds his or her personal
data and to request a copy of any such data. Such requests are called data
access requests.

Common examples of individuals making data access requests
include patients requesting copies of their medical records, employees
requesting copies of their employment-related records, including performance
appraisal reports, and applicants for credit requesting copies of their
credit reports.

To assist individuals to make data access requests,
the Privacy Commissioner for Personal Data has issued a Data Access Request
Form (No.OPS003).

Below are some frequently asked questions and answers
to assist individuals in making data access requests.

Q1. How should I make a data access request?

A1. You should make use of the Data Access Request
Form (No.OPS003) issued by the Privacy Commissioner. By providing the information
specified in the form you will assist the party concerned to process your
request with minimum delay. If you do not use this Form, the party concerned
may refuse to comply with your request.

Q2. Apart from the Form, what other information or documents do I have to provide?

A2. You may be asked by the party concerned to show
proof of your identity such as your identity card or other identifying
documents such as a staff card, medical card or student card. You may also
be asked to provide further information to enable the location of the data.
In some cases, you may be asked to fill in a standard form of the party
concerned, although it is not mandatory to do this. (If you wish to make
a data access request on behalf of someone else, see Q&A 7 below as
well.)

Q3. What areas should I pay attention to when filling in the Form?

A3. You should fill in all parts of the form and
be as specific as possible in describing the data to which the request
relates. This will assist the party concerned to comply with your request
as quickly as possible, and will help to avoid any subsequent disputes.

Q4. Can I be charged a fee for compliance with my data access request?

A4. Yes, under the Ordinance, a fee can be charged
for complying with a data access request. However, the fee must not be
"excessive". That is, the party concerned should not charge more than the
direct cost of complying with your request. If you believe that the fee
charged for compliance with your data access request is excessive, you
should raise the matter with the party concerned. If you are not satisfied
with the explanation given, you may lodge a complaint with the Privacy
Commissioner's Office (PCO).

Q5. Must my data access request be complied with?

A5. Generally, your data access request must be
complied with. However, there are circumstances specified in the Ordinance
under which the party concerned should refuse to comply with
a data access request. These are:

- when it is not supplied with sufficient information to identify you; or
- if the personal data sought under the data access request comprise personal
  data of another individual and the party concerned cannot comply with the
  request without disclosing the personal data of that other individual.

On the other hand, if the party concerned is satisfied that the other individual
has consented to the disclosure, it should comply with the request. In
addition, if the party concerned can comply with the request without disclosing
the identity of the other individual, for example by omitting the names or
other identifying particulars, it should do so.

There are also circumstances under which the party concerned
may refuse to comply with a data access request. These are
if:

- the request is not in writing in Chinese or English;
- the party is not provided with sufficient information to
  locate the data requested;
- the request follows two or more similar requests;
- another party controls the use of the personal data in a
  way that prohibits the party receiving the request from complying with
  it;
- the request is not made in the Privacy Commissioner's specified
  form, i.e. Form OPS003 mentioned above; or
- there is an applicable exemption from the requirement to
  comply with an access request provided for in the Ordinance, e.g. if the
  personal data are held for the purpose of the detection of crime and compliance
  with the request would be likely to prejudice that purpose, the party concerned
  may refuse to comply. (For the complete and definitive statement of this
  and other exemptions reference should be made to the Ordinance.)

Q6. How long will it take for my data access request to be processed?

A6. In general, a party is required to comply with
a data access request no later than 40 days after receipt of the request.
Even if the party concerned is unable to comply with the request within
this period or has valid grounds to refuse to comply, it should reply to
you within 40 days, setting out the reasons. If the party is unable to
comply with the request within 40 days of its receipt, it should comply
with it as soon as practicable thereafter.

Q7. Must I make the data access request myself or can I authorise another
individual to make a data access request on my behalf?

A7. Apart from making a data access request yourself,
you can authorize another person in writing to make a data access request
on your behalf. The authorized person may be required by the party concerned
to produce proof of your identity as well as your authorization. Where
the requester is a minor, i.e. a person who is under 18, a person with
parental responsibility for the individual can make a data access request
on the minor's behalf. In addition, where an individual is incapable of
managing his/her own affairs, a person appointed by the court to manage
those affairs can make a data access request on behalf of him or her. In
the two latter situations, the person who makes the request on behalf of
another individual may be required by the party concerned to provide proof
of the identity of the individual whose personal data are sought as well
as proof of his/her relationship with that individual.

Q8. Can I ask for a copy of personal data supplied in response to my data
access request to be in a language of my choice?

A8. You may make such a request and space is provided
in the form for you to do this. However, if the language in which the data
are held is not the language specified in the request, the party concerned
may choose to provide the copy of the personal data requested in the form
of a copy of an original document without providing a translation.

Q9. Can I specify the form in which I wish to receive a copy of personal data
to be provided in compliance with my data access request, e.g. can I ask for
the copy to be provided on a floppy disk?

A9. You may make such a request and space is provided
in the form for you to do this. However, if it is not reasonably practicable
for the party concerned to supply the copy in the form specified by you,
it may provide the copy in another form. For example, if the personal data
are on an audio tape and you ask for a hard copy transcript and it is not
reasonably practicable to provide the transcript, the party concerned may
provide a copy of the tape.

Q10. What can I do if I find out that my personal data provided in response
to a data access request are inaccurate?

A10. You can ask for correction of the personal data.
This is called a data correction request. Similar to data access requests,
there is a general requirement on parties receiving data correction requests
to respond within 40 days of the request. If the request is complied with,
the party should provide you with a copy of the corrected data. If not,
the party should inform you why this has not been done.

Q11. Is there a special form for making a data correction request?

A11. No, you should simply make your request in writing
and provide whatever information, including supporting documentation, you
may have in order to show that the data concerned are inaccurate, and how
the data should be corrected.

[This pamphlet is for general reference only. It does not provide
an exhaustive guide to the relevant provisions of the Personal Data (Privacy)
Ordinance. Readers should refer to the provisions of the Ordinance for
a complete and definitive statement of the law.]
Office of the Privacy Commissioner for Personal Data, Hong Kong
August 1999
Reproduction of all or any part of this publication is permitted on
the conditions that it is done for a non-profit making purpose and due
acknowledgement of this work is made as the source.