How Hong Kong companies should deal with data subject access requests

Out-Law Guide | 21 Dec 2022 | 7:52 am | 3 min. read

Data subject access requests (DARs) are an important aspect of data management. In the Hong Kong Special Administrative Region (SAR), companies that handle DARs properly are able to demonstrate their respect for customers’ personal data privacy and gain their customers’ trust.

Failing, without reasonable excuse, to handle a DAR in accordance with the requirements of the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) may constitute an offence and may render the offender liable on conviction to a fine.

A DAR is an individual’s request to a company holding their personal data to provide the individual with a copy of that data. The request is based on the individual’s right of access, which allows them to learn what the company knows about them and how their personal data is being used. Companies are required to deal with these requests promptly, in accordance with local legislation and regulations.

What are the legal bases for making a data subject access request?

In Hong Kong SAR, the right to make a DAR is set out in section 18 and Data Protection Principle 6 of the PDPO. Such requests have to be made within a reasonable time and in a reasonable manner.

What should a company do when it receives a DAR?

The company should first ascertain the identity of the requestor and then assess whether it in fact holds the relevant personal data. The company should also check whether the type and scope of the data requested in the DAR is described clearly enough for the company to comply with the request.

Are there identity verification requirements?

The company should ascertain the identity of the requestor, for example by checking proof of identity where needed. If the company cannot ascertain the requestor’s identity, it should refuse to comply with the DAR and explain the reason to the requestor.

What information can be accessed?

Individuals may ask whether the company holds their personal data and ask the company to supply them with a copy of that data. An individual may not access data which is not personal data, or personal data which does not relate to that individual. For example, in a performance appraisal report where the appraising officer states their opinion about the aptitude and performance of the appraisee, that opinion constitutes the personal data of the appraisee. Data collected anonymously, without direct or indirect reference or linkage to an individual, is not considered personal data.

What are the timeframes for compliance?

A company should respond to a DAR within 40 calendar days of receipt. If it is not able to supply the data requested during that period, it should notify the requestor within that period and comply with the request as soon as practicable.

A DAR may be considered incomplete if the data requested is so unclear that further clarification is required before the DAR can be complied with. The time to comply with a DAR does not start to run until a complete DAR is received. Different timeframes apply under similar legislation across the Asia Pacific region.

Can fees be charged?

A company may impose a fee for complying with a DAR. However, this fee should not be excessive. The company should clearly inform the requestor what fee, if any, will be charged as soon as possible, and in any event no later than 40 days after receiving the request.

A company may refuse to comply with a DAR unless and until the relevant fee for complying with it has been paid. A reasonable fee may be charged only for complying with the DAR, not for making the application in the first place.

Are there format requirements for the request?

The Office of the Privacy Commissioner for Personal Data (PCPD) has published a standard Data Access Request Form (Form OPS003). However, many companies adopt their own DAR forms.

Are there format requirements for the response?

The copy of the requested data supplied to the requestor should be intelligible as far as practicable, unless it is a true copy of a document that is unintelligible on its face. Other responses or confirmations from the company should be set out in writing to avoid unnecessary confusion.

What if the description of requested data is unclear?

If the description of the requested data is too generic, especially where there have been extensive dealings between the company and the requestor during which a large amount of personal data has been generated, it is reasonable for the company to seek clarification from the requestor.

In these circumstances, especially when the requested information is “all personal data”, it is useful for the company to provide an exhaustive list of the requestor’s data that it holds and to clarify the scope of the request with the individual. This facilitates the handling of the request.

Are there general exceptions or reasons for refusing a request?

Section 20 of the PDPO sets out the grounds on which an access request may be refused. A company may refuse to comply if:

  • the company is not supplied with sufficient information to satisfy it as to the identity of the requestor;
  • the request cannot be complied with without disclosing the personal data of a third party; or
  • compliance with the request is prohibited by law.

Section 20 also provides that a company may refuse to comply when the request is not made in writing in Chinese or English; when there is insufficient information to locate the data; when the request follows two or more similar requests and it is unreasonable to comply; or when another person who controls the use of the data does not permit compliance with the request.

Co-written by Sara Chan of Pinsent Masons.
