1. What is a Data Access Request (“DAR”)?
In the course of its business dealings, your company may have collected, held, processed or used the personal data of employees or other individuals. These individuals (each a “requestor”) are entitled to ask your company to supply them with a copy of the personal data it holds about them. This is called a data access request (“DAR”) and is a core right contained in the Personal Data (Privacy) Ordinance (the “Ordinance”).
2. Complying with a DAR
a. When your company receives a DAR, it should:
(i) ascertain the identity of the requestor;
(ii) assess whether it holds the relevant personal data; and
(iii) respond within the statutory time limit.
b. A requestor is not entitled under a DAR to access data which is not personal data, or personal data which does not belong to him. To constitute the personal data of an individual, the data must firstly relate, directly or indirectly, to that individual. Secondly, it must be practicable to determine, directly or indirectly, the identity of the individual from such data.
For example, in a performance appraisal report where the appraising officer states his opinion about the aptitude and performance of the appraisee, that opinion will constitute the personal data of the appraisee. By contrast, a recorded opinion about the performance of a property management company expressed by an owner during an owners’ meeting will generally not constitute the personal data of that owner.
Holding relevant Personal Data?
c. If your company holds the relevant personal data, it should supply a copy of the requested data in an intelligible form within 40 calendar days after receiving the DAR, unless a specific exemption applies. If the Privacy Commissioner concludes after investigation that there has been a breach of the Ordinance, he may serve an enforcement notice on the data user concerned, directing it to take steps to remedy the situation and, where appropriate, to prevent any recurrence. Non-compliance with an enforcement notice is an offence which may result in a fine and imprisonment.
d. If your company does not hold the requested data, it is still required to inform the requestor in writing within the 40-day time limit that it does not hold the data.
e. If your company has already destroyed the requested data, it is required to inform the requestor that it no longer holds the data. To avoid any suspicion of bad faith, your company may explain to the requestor the reason for destroying the data.
Should you provide “All personal data”?
f. Where the description of the requested data is too generic, especially where there have been extensive dealings between your company and the requestor during which a large amount of personal data has been generated, your company should seek clarification from the requestor. If the requestor fails to supply the information reasonably requested for locating the requested data, your company is entitled to refuse to comply with the DAR.
g. Having said that, your company may not simply rely on the fact that the request is made in overly broad or generic terms to refuse to comply with a DAR. If your company is aware of the requested data and can reasonably locate it without any further specification from the requestor, it should (as the data user) comply with the DAR.
3. Charge for Complying with a DAR
a. Your company may impose a fee for complying with a DAR, but the fee should not be excessive and should not be charged on a commercial basis. Your company should clearly inform the requestor what fee, if any, will be charged as soon as possible and in any event not later than 40 days after receiving the DAR.
b. Fees that will be considered excessive, or not directly related to and necessary for compliance with a DAR, include fees that exceed the cost of compliance, e.g. the cost of seeking legal advice in relation to the Ordinance, or the inclusion of your company’s administrative or office overheads.
The Commissioner’s office has provided examples on fees that may be charged for complying with a DAR in its Guidance Note. Your company may charge the direct costs attributable to the time spent by its staff and the actual out-of-pocket expenses for locating, retrieving and reproducing the requested data for complying with a DAR. For example, if a clerical assistant has spent five hours on retrieving and photocopying the requested data in the course of handling a DAR, the calculation of the labour costs incurred is the hourly rate of his remuneration (including salary and fringe benefits) multiplied by five. Your company may charge for the labour cost attributable to the time spent on extracting or editing the requested data, provided that such tasks are directly related to and necessary for compliance with the DAR.
4. Refusing to Comply with a DAR
a. Your company should refuse to comply with a DAR if:
i. it is not supplied with sufficient information to identify the requestor;
ii. it cannot comply with the request without disclosing the personal data of a third party; or
iii. compliance with the request is prohibited under the Ordinance or any other regulation.
b. Your company may refuse to comply with a DAR if the request is not made in writing using either the Chinese or English language.
c. Your company is obliged to give the requestor written notice of the refusal, together with the reasons for it, within 40 days of receiving the DAR, and is also required to keep a log entry containing the particulars of the reasons for refusing the DAR for four years.