Data Access Requests :
Refusals and other responses

Below is one of twelve hypertext checklists in our
HyperTexpert Privacy Compliance Kit

 

Main Ordinance reference: Section 20

 

You must refuse a data access request if . . .

• the person making the request claims to be the data subject but you have not seen good enough evidence of this

• the person making the request claims to be a 'relevant person' with authority to make a data access request for the data subject but you have not seen good enough evidence of the validity of the authorisation, or of its applicability to the requestor

• you cannot comply without revealing some information about another individual, when all of the following apply:
    • that individual has not consented
    • that individual's identity is explicitly stated in the data concerned (an implied identity is not a valid cause of refusal)
    • you are unable to obliterate, conceal or delete the data about the other individual

You may refuse a data access request if . . .

• the request is not in Chinese or English

• the request is not in writing

• with the information given, finding the person's record would take an unreasonable effort

• this is the third such request for this data and it is unreasonable to expect you to meet the request

• you cannot comply because you don't control the data

• the requestor didn't use the proper form

• the data are exempt (under Part VIII of the Ordinance) . . . see the Expert in our Privacy Compliance Kit

Either way, . . .

• for a guide to possible responses, see the example responses in our Privacy Compliance Kit: Pending, Positive, Partial, Negative and Refusal

• you must note the refusal in the data user's log book (see Ordinance Section 27 for details).

This is the third request for this individual's data

. . . and it is unreasonable to expect you to meet the request.

There is no definition of the period of time over which the repetition might be measured, but this is not intended as a 'two strikes and you're out' policy. It is a protection against nuisance requests. If the data have changed since the last request, then in a dispute the Commissioner's office is likely to regard the request as one which is not 'similar' (see 20(3)(c)).


If you do not control the data and you cannot comply

In this case, you are excused from providing the data, but you must still say whether you hold personal data about the individual and provide any data that you can (see 20(3)(d) and 20(4)).

Any form specified by the Commissioner as required for data access requests has not been used

At the time of writing (November 1996 - 2009), the Commissioner has not specified any form. This reason for not complying does not stretch to any form that a data user may wish to specify. A written note in any legible format, giving the required information and identification, has to be treated as adequate. You may choose to make a form available to help requestors provide all the required information, evidence of identity or authorisation and the fee at the first attempt, but you cannot insist on its use.




Other than the Ordinance text, this material, including hypertext links and all HTML code is
 © Copyright G&A Management Consultants Limited, Hong Kong, 1996 - 2009