Hong Kong Privacy Commissioner Publishes Guidance on the Handling of Data Access Requests and the Charging of Access Fees

The Hong Kong Privacy Commissioner for Personal Data recently issued a guidance note titled "Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users" to provide data users with guidance on how to comply with data access requests  as well as how to calculate the fees to be charged in connection with such Access Requests. The Guidance Note was in part a response to the increasing number of complaints received by the Commissioner relating to Access Requests in recent years, approximately 10 per cent of which concerned excessive Access Fees.

Access Requests/Data Access Form

An "Access Request" is any written request (in English or Chinese) made by an individual data subject or a relevant person on behalf of such individual (i.e. a parent/guardian of a data subject under 18 years of age; a person appointed by a court to manage the affairs of a data subject; a person authorised in writing by the data subject to make such request)  to be informed of whether the data user holds personal data about the individual, and if so, to be provided with copies of such data.

An Access Request should be made using the Data Access Form published by the Commissioner (available here).  Failure to submit an Access Request using the correct Form may result in the data user refusing to comply with the Access Request. 

Compliance with Access Requests  

The Guidance Note contains the following recommendations for data users when responding to an Access Request:

• Data users should ascertain the identity of the Requestor and seek proof of identification if necessary. If the Requestor is not the data subject, request a written authorisation signed by the data subject, or evidence of the parental/guardian relationship or appointment by court. If the identity of the individual, or the relationship between the Requestor and the individual, cannot be ascertained, the data user should refuse to comply with the Access Request.

• The copies provided should be intelligible and readily comprehensible (e.g. where the data user makes use of codes to represent categories of personal data, such codes should clearly be explained). The copies should be in the language specified in the Access Request, or if the data is only held in a language other than that specified in the Access Request, it is recommended that the true cop(y/ies) of the requested data be supplied.

• Before providing the requested data, the data user should ensure that all information relating to third parties is redacted. If the data user cannot supply the requested information without disclosing a third party’s identity, this may be a ground for refusing to comply with the Access Request.

• Data users should provide copies of the requested data within 40 calendar days from receipt of the Access Request (except in a number of limited circumstances as set out below). 

• Where it is not possible to supply the requested data within 40 days (e.g. where a large amount of data is held and it will take longer to locate the requested data), the data user should notify the Requestor in writing within the 40 day period setting out the reasons, and should comply with the Access Request as soon as practicable after providing such notice to the Requestor.

Refusal to Comply with Access Request

A data user may refuse to comply with an Access Request in the event that:

• the Access Request is not made in writing using the Form (in English or Chinese). However, the Commissioner strongly recommends complying with all written Access Requests that contain the necessary information, even where they are not made in the correct Form;

• the data user is unable to ascertain the identity of the Requestor/is not satisfied as to the relationship between the individual data subject and the Requestor. If in doubt the data user may request identity proof;

• the data user cannot comply with such Access Request without disclosing the personal data of any third party;

• the data user does not hold the requested data/does not hold such data in a form that is capable of being accessed and retrieved (e.g. where the data has been deleted or where there is no written record of the data);

• the description of personal data requested is too generic, such that it is practically impossible for the data user to locate the requested data. The level of detail required will vary from case to case (e.g. a bank with an established record keeping system should be able to locate all personal data of a particular customer by searching using their name/account number, but such description may be too generic in other cases resulting in it not being reasonably practicable to locate the requested data). If a data user is able to locate the requested data without further clarification from the Requestor, the data user should comply with the Access Request irrespective of whether the request is phrased in vague terms;

• the disclosure is prohibited under the Ordinance;

• the Requestor has already made 2 or more similar Access Requests and it is unreasonable for the data user to comply with the Access Request in the circumstances;

• another party controls the use of the requested data so as to prohibit the data user from complying with the Access Request; and

• One of the exemptions specified in the Ordinance applies (e.g. information relating to certain employment-related circumstances; information relating to the awarding of a contract, award, scholarship or other benefit; personal references; information which is subject to legal professional privilege).

Where a data user refuses to comply with an Access Request (for the reasons set out above), written notice of such refusal (including reasons) must be provided to the Requestor within 40 days of receipt of the Access Request. If the data user cannot provide the requested data because it is held by a third party, the notice should include the name and address of the other data user. Data users are required to keep a log book setting out details of any refusal to comply with an Access Request (including reasons for such refusal), and such records must be retained for a minimum of 4 years.

Access Fees

Data users are entitled under the Ordinance to charge reasonable fees to Requestors in connection with complying with Access Requests. The Guidance Note makes it clear that the fees charged should be directly related to and necessary for complying with the Access Request. If it is possible to comply with the Access Request without incurring a particular cost incorporated in an Access Fee, that portion of the Access Fee shall be deemed excessive. The burden lies with the data user to explain the composition of Access Fees (and to demonstrate that the Access Fee is not excessive), and the Commissioner recommends that data users provide written explanations of the breakdown of Access Fees to the Requestor where such fees are substantial.

The Guidance Note sets out that reasonable photocopying costs (e.g. HK$1 per page) and reasonable labour costs incurred for the time spent locating and retrieving the data, shall generally be considered to be directly related to the Access Request and are therefore generally chargeable as part of an Access Fee. On the other hand, administration overheads and the cost of obtaining legal advice to clarify the requirements under the Ordinance, are considered excessive as they do not directly relate to the retrieval of the requested data.

Access Fees ought to be reasonable and not excessive. In terms of labour costs, a data user can generally multiply the hours spent by a clerical employee locating/retrieving the data by that employee’s hourly rate. The Guidance Note warns against assigning professional or managerial staff to retrieve the requested data, as the associated costs would likely be deemed excessive in most cases.  

Access Fees are often nominal. By way of example, the Commissioner previously held that an Access Fee of HK$200 charged by a bank was excessive, and noted that time spent by the data user redacting data or considering the personal data to be disclosed is for the data user’s own protection and benefit, and should therefore not be incorporated in an Access Fee.

The Guidance Note makes it clear that data users may charge a flat-fee rate for Access Requests, provided that the fee charged is less than the direct and necessary costs of complying with the Access Request.

Implications for Business

With a view to complying with the requirements discussed above, organisations may wish to establish detailed guidelines and procedures for the handling of Access Requests (including calculating Access Fees), to ensure that such requests are dealt with promptly and efficiently, and in accordance with the Ordinance.  Organisations should also review their personal information collection statements to ensure that such statements notify customers of their data access/correction rights, as required under the Ordinance.

Failure to comply with the requirements in the Ordinance relating to Access Requests and Access Fees without reasonable excuse may constitute an offence and render the data user liable to a maximum fine of HK$10,000. In 2008, a doctor was fined HK$1,000 for failing to comply with an Access Request, which was the first conviction under such provisions since the Ordinance was introduced. Access Requests/Access Fees have clearly come onto the Commissioner’s radar in recent years, and despite the penalties for non-compliance not being significant, data users may suffer reputational damage in the event of a complaint.

Authored by Gabriela Kennedy.