Out-Law Guide 3 min. read
21 Dec 2022, 7:52 am
Data access requests (DARs), often called data subject access requests, are an important aspect of data management. In the Hong Kong Special Administrative Region (SAR), companies that handle DARs properly demonstrate respect for their customers' personal data privacy and earn their customers' trust.
Failing to handle a DAR in accordance with the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) without reasonable excuse may constitute an offence, rendering the offender liable on conviction to a fine.
A DAR is a request by an individual to a company holding their personal data for a copy of that data. It is made under the individual's right of access, which allows the individual to learn what the company knows about them and how that personal data is being used. Companies must deal with these requests promptly and in accordance with local legislation and regulations.
In Hong Kong SAR, the right to make a DAR is set out in section 18 of the PDPO and in Data Protection Principle 6 (DPP6). DPP6 entitles an individual to be given access to their data within a reasonable time, at a fee (if any) that is not excessive, in a reasonable manner and in a form that is intelligible.
On receiving a DAR, the company should first ascertain the identity of the requestor, for example by checking proof of identity where needed. If it cannot do so, it should refuse to comply with the DAR and explain the reason to the requestor. The company should then assess whether it in fact holds the relevant personal data, and check whether the type and scope of the data requested are described clearly enough for it to comply.
Individuals may ask whether the company holds their personal data and ask the company to supply them with a copy of that data. An individual may not access data that is not personal data, or personal data of which they are not the data subject. Opinions about an individual can be personal data: in a performance appraisal report, the appraising officer's stated opinion of the appraisee's aptitude and performance constitutes the personal data of the appraisee. Data collected anonymously, with no direct or indirect reference or linkage to an individual, is not personal data.
A company must respond to a DAR within 40 calendar days of receipt. If it is unable to supply the requested data within that period, it must notify the requestor before the period expires and then comply with the request as soon as practicable.
A DAR may be treated as incomplete if the data requested is so unclear that clarification is needed before the DAR can be complied with. The time to comply does not start to run until a complete DAR is received. Note that different timeframes apply under similar legislation elsewhere in the Asia Pacific region.
A company may charge a fee for complying with a DAR, but the fee must not be excessive. The company should inform the requestor clearly what fee, if any, will be charged, as soon as possible and in any event no later than 40 days after receiving the request.
A company may refuse to comply with a DAR until the relevant fee has been paid. A reasonable fee can be charged only for complying with the DAR, not for making the application in the first place.
The Office of the Privacy Commissioner for Personal Data (PCPD) publishes a standard Data Access Request Form (Form OPS003), although many companies use their own DAR forms.
The copy of the requested data supplied to the requestor should be intelligible as far as practicable, unless it is a true copy of a document that is unintelligible on its face. Other responses or confirmations from the company should be set out in writing to avoid unnecessary confusion.
If the description of the requested data is too generic, particularly where there have been extensive dealings between the company and the requestor and a large amount of personal data has been generated, it is reasonable for the company to seek clarification from the requestor.
In these circumstances, and especially where the request is for "all personal data", it is useful for the company to provide an exhaustive list of the requestor's data that it holds and to agree the scope of the request with the individual. This makes the request easier to handle.
Section 20 of the PDPO sets out the grounds on which a company may refuse to comply with a DAR. These include where the request is not made in writing in Chinese or English; where the company has insufficient information to locate the data; where the request follows two or more similar requests and it is unreasonable to comply again; and where another data user controls the use of the data in a way that prohibits compliance with the request.
Co-written by Sara Chan of Pinsent Masons.