By Simon Berry and Daisy Shen

Questions often arise about the scope of a data user’s obligations to respond to data subject access requests.  Hong Kong’s Privacy Commissioner for Personal Data offers some guidance in a recently issued Guidance Note (Guidance on Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users).

The Guidance Note addresses, among other matters/questions:

  • What constitutes a data access request (a “DAR”);
  • Steps for complying with a DAR;
  • Acceptable charges for complying with a DAR (i.e. how to calculate a DAR fee); and 
  • Circumstances where  a data user may withhold the requested data and steps to be taken when refusing to comply with a DAR.

DAR is a right vested in data subjects under the Personal Data (Privacy) Ordinance (Chapter 486 of the laws of Hong Kong). This right enables an individual to know whether a data user holds his personal data and to obtain a copy of that data. It ties in with a further right under the Ordinance for data subjects to request a correction by the data user if their personal data are found to be inaccurate.

Failure to handle a DAR in accordance with the statutory requirements without reasonable excuse may constitute an offence rendering the offender liable to a fine on conviction. The first conviction for non-compliance with DAR was issued by The Kowloon City Magistrates’ Courts of Hong Kong in 2008 (the Ordinance came into force on 20 December 1996). That conviction has been followed by an increase in the number of DAR-related complaints in recent years. The recent Guidance Note is widely seen as a response to the ongoing concerns about compliance with access requirements.

Organizations subject to the Ordinance would be wise to have procedures in place designed to assure proper responses to DARs.  In addition to a timely response (generally within 40 days), it is important to confirm the eligibility of the requestor to receive the data, provide appropriate data based on the request, and assure that any charges assessed are in accordance with the those permitted by the Ordinance. The Guidance Note provides specific direction on all of these topics.