This is the text of the Hong Kong Personal Data (Privacy) Ordinance, with hypertext (click and jump) links to all paragraph and section cross references, and to the definitions of all terms defined in the Ordinance. For information about the conventions adopted in setting this out, please refer to the separate page.
PART V
ACCESS TO AND CORRECTION OF PERSONAL DATA
18. Data access request
(1) An individual, or a relevant person on behalf of an
individual, may make a request—
(a) to be informed by a data user whether the data user holds
personal data of which the individual is the data
subject;
(b) if the data user holds such data, to be supplied by the
data user with a copy of such data.
(2) A data access request under both paragraphs of subsection (1)
shall be treated as being a single request, and the provisions of
this Ordinance shall be construed accordingly.
(3) A data access request under paragraph (a) of subsection (1)
may, in the absence of evidence to the contrary, be treated as being
a data access request under both paragraphs of that subsection, and
the provisions of this Ordinance (including subsection (2) ) shall be
construed accordingly.
(4) A data user who, in relation to personal data—
(a) does not hold the data; but
(b) controls the use of the data in such a way as to prohibit
the data user who does hold the data from complying
(whether in whole or in part) with a data access request
which relates to the data,
shall be deemed to hold those data, and the provisions of this
Ordinance (including this section) shall be construed accordingly.
19. Compliance with data access request
(1) Subject to subsection (2) and sections 20 and 28(5), a data
user shall comply with a data access request not later than 40 days
after receiving the request.
(2) A data user who is unable to comply with a data access
request within the period specified in subsection (1) shall—
(a) before the expiration of that period—
(i) by notice in writing inform the requestor that the
data user is so unable and of the reasons why the
data user is so unable; and
(ii) comply with the request to the extent, if any, that
the data user is able to comply with the request;
and
(b) as soon as practicable after the expiration of that
period, comply or fully comply, as the case may be, with
the request.
(3) A copy of the personal data to be supplied by a data user in
compliance with a data access request shall—
(a) be supplied by reference to the data at the time when the
request is received except that the copy may take account
of—
(i) any processing of the data—
(A) made between that time and the time when the
copy is supplied; and
(B) that would have been made irrespective of the
receipt of the request; and
(ii) subject to subsection (5), any correction to the
data made between that time and the time when the
copy is supplied;
(b) where any correction referred to in paragraph (a)(ii) has
been made to the data, be accompanied by a notice stating
that the data have been corrected pursuant to that
paragraph (or words to the like effect); and
(c) as far as practicable, be—
(i) intelligible unless the copy is a true copy of a
document which—
(A) contains the data; and
(B) is unintelligible on its face;
(ii) readily comprehensible with any codes used by the
data user adequately explained; and
(iii) in—
(A) subject to sub-subparagraph (B), the language
specified in the request or, if no language is
so specified, the language in which the request
is made (which may be the Chinese or English
language in either case);
(B) a language other than the language specified in
the request or, if no language is so specified,
the language in which the request is made, if,
but only if—
(I) the language in which the data are held
is not the language specified in the
request or, if no language is so
specified, the language in which the
request is made, as the case may be; and
(II) subject to section 20(2)(b), the copy is
a true copy of a document which contains
the data;
(iv) without prejudice to the generality of subparagraph
(iii) but subject to subsection (4), be in the
form, or one of the forms, if any, specified in the
request;
(v) where subparagraph (iv) is not applicable, in such
form as the data user thinks fit.
(4) Where—
(a) a data access request specifies the form or forms in
which a copy of the personal data to be supplied in
compliance with the request is or are sought; and
(b) the data user concerned is unable to supply the copy in
that form or any of those forms, as the case may be,
because it is not practicable for the data user to do so,
then the data user shall—
(i) where there is only one form in which it is
practicable for the data user to supply the copy,
supply the copy in that form accompanied by a
notice in writing informing the requestor that that
form is the only form in which it is practicable
for the data user to supply the copy;
(ii) in any other case
(A) as soon as practicable, by notice in writing
inform the requestor—
(I) that it is not practicable for the data
user to supply the copy in the form or
any of the forms, as the case may be,
specified in the request;
(II) of the forms in which it is practicable
for the data user to supply the copy; and
(III) that the requestor may, not later than 14
days after the requestor has received the
notice, specify in writing one of the
forms referred to in sub-subparagraph
(II) in which the copy is to be supplied;
and
(B) as soon as practicable, supply the copy—
(I) in the form specified in the response, if
any, to the notice referred to in
subparagraph (A);
(II) if there is no such response within the
period specified in subparagraph
(A)(III), supply the copy in any one of
the forms referred to in subparagraph
(A)(II) as the data user thinks fit.
(5) Subparagraph (ii) of paragraph (a) and paragraph (b) of
subsection (3) shall expire on the 1st anniversary of the appointed
day.
20. Circumstances in which data user shall or may
refuse to comply with data access request
(1) A data user shall refuse to comply with a data access request—
(a) if the data user is not supplied with such information as
the data user may reasonably require
(i) in order to satisfy the data user as to the
identity of the requestor;
(ii) where the requestor purports to be a relevant
person, in order to satisfy the data user—
(A) as to the identity of the individual in
relation to whom the requestor purports to be
such a person; and
(B) that the requestor is such a person in relation
to that individual;
(b) subject to subsection (2), if the data user cannot comply
with the request without disclosing personal data of
which any other individual is the data subject unless the
data user is satisfied that the other individual has
consented to the disclosure of the data to the requestor;
or
(c) in any other case, if compliance with the request is for
the time being prohibited under this Ordinance.
(2) Subsection (1)(b) shall not operate—
(a) so that the reference in that subsection to personal data
of which any other individual is the data subject
includes a reference to information identifying that
individual as the source of the personal data to which
the data access request concerned relates unless that
information names or otherwise explicitly identifies that
individual;
(b) so as to excuse a data user from complying with the data
access request concerned to the extent that the request
may be complied with without disclosing the identity of
the other individual, whether by the omission of names,
or other identifying particulars, or otherwise.
(3) A data user may refuse to comply with a data access request if—
(a) the request is not in writing in the Chinese or English
language;
(b) the data user is not supplied with such information as
the data user may reasonably require to locate the
personal data to which the request relates;
(c) the request follows 2 or more similar requests made by—
(i) the individual who is the data subject in respect
of the personal data to which the request relates;
(ii) one or more relevant persons on behalf of that
individual; or
(iii) any combination of that individual and those
relevant persons,
and it is unreasonable in all the circumstances for the
data user to comply with the request;
(d) subject to subsection (4), any other data user controls
the use of the data in such a way as to prohibit the
first-mentioned data user from complying (whether in
whole or in part) with the request;
(e) the form in which the request shall be made has been
specified under section 67 and the request is not made in
that form; or
(f) in any other case, compliance with the request may for
the time being be refused under this Ordinance, whether
by virtue of an exemption under Part VIII or otherwise.
(4) Subsection (3)(d) shall not operate so as to excuse a data
user from complying with the data access request concerned—
(a) in so far as the request relates to section 18(1)(a), to
any extent;
(b) in so far as the request relates to section 18(1)(b), to
any extent that the data user can comply with the request
without contravening the prohibition concerned.
21. Notification of refusal to comply
with data access request
(1) Subject to subsection (2), a data user who pursuant to
section 20 refuses to comply with a data access request shall, as
soon as practicable but, in any case, not later than 40 days after
receiving the request, by notice in writing inform the requestor—
(a) of the refusal;
(b) subject to subsection (2), of the reasons for the
refusal; and
(c) where section 20(3)(d) is applicable, of the name and
address of the other data user concerned.
(2) Where—
(a) a data user has pursuant to section 20 refused to comply
with a data access request; and
(b) the refusal also relates to section 18(1)(a) by virtue of
section 63,
then the data user may, in the notice under subsection (1) concerned,
in place of the matters of which the data user is required to inform
the requestor under that subsection, inform the requestor that the
data user has no personal data the existence of which he is required
to disclose to the requestor (or words to the like effect).
22. Data correction request
(1) Subject to subsection (2), where—
(a) a copy of personal data has been supplied by a data user
in compliance with a data access request; and
(b) the individual, or a relevant person on behalf of the
individual, who is the data subject considers that the
data are inaccurate,
then that individual or relevant person, as the case may be, may make
a request that the data user make the necessary correction to the
data.
(2) A data user who, in relation to personal data—
(a) does not hold the data; but
(b) controls the processing of the data in such a way as to
prohibit the data user who does hold the data from
complying (whether in whole or in part) with section
23(1) in relation to a data correction request which
relates to the data,
shall be deemed to be a data user to whom such a request may be made,
and the provisions of this Ordinance (including subsection (1)) shall
be construed accordingly.
(3) Without prejudice to the generality of sections 23(1)(c) and
25(2), if a data user, subsequent to the receipt of a data correction
request but before complying with the request pursuant to section 24
or refusing to comply with the request pursuant to section 25,
discloses to a third party the personal data to which the request
relates, then the user shall take all practicable steps to advise the
third party that the data are the subject of a data correction
request still under consideration by the user (or words to the like
effect).
23. Compliance with data correction request
(1) Subject to subsection (2) and section 24, a data user who is
satisfied that personal data to which a data correction request
relates are inaccurate shall, not later than 40 days after receiving
the request—
(a) make the necessary correction to those data;
(b) supply the requestor with a copy of those data as so
corrected; and
(c) subject to subsection (3), if—
(i) those data have been disclosed to a third party
during the 12 months immediately preceding the day
on which the correction is made; and
(ii) the data user has no reason to believe that the
third party has ceased using those data for the
purpose (including any directly related purpose)
for which the data were disclosed to the third
party,
take all practicable steps to supply the third party with
a copy of those data as so corrected accompanied by a
notice in writing stating the reasons for the correction.
(2) A data user who is unable to comply with subsection (1) in
relation to a data correction request within the period specified in
that subsection shall—
(a) before the expiration of that period—
(i) by notice in writing inform the requestor that the
data user is so unable and of the reasons why the
data user is so unable; and
(ii) comply with that subsection to the extent, if any,
that the data user is able to comply with that
subsection; and
(b) as soon as practicable after the expiration of that
period, comply or fully comply, as the case may be, with
that subsection.
(3) A data user is not required to comply with subsection (1)(c)
in any case where the disclosure concerned of the personal data to
the third party consists of the third party's inspection of a
register or other like document—
(a) in which the data are entered or otherwise recorded; and
(b) which is available for inspection by the public,
but this subsection shall not apply if the third party has been
supplied with a copy, certified by or under the authority of the data
user to be correct, of the data.
24. Circumstances in which data user shall or may
refuse to comply with data correction request
(1) Subject to subsection (2), a data user shall refuse to comply
with section 23(1) in relation to a data correction request if the
data user is not supplied with such information as the data user may
reasonably require—
(a) in order to satisfy the data user as to the identity of
the requestor;
(b) where the requestor purports to be a relevant person, in
order to satisfy the data user—
(i) as to the identity of the individual in relation to
whom the requestor purports to be such a person;
and
(ii) that the requestor is such a person in relation to
that individual.
(2) Subsection (1) shall not apply to a data correction request
where the requestor is the same person as the requestor in respect of
the data access request which gave rise to the data correction
request.
(3) A data user may refuse to comply with section 23(1) in
relation to a data correction request if—
(a) the request is not in writing in the Chinese or English
language;
(b) the data user is not satisfied that the personal data to
which the request relates are inaccurate;
(c) the data user is not supplied with such information as
the data user may reasonably require to ascertain in what
way the personal data to which the request relates are
inaccurate;
(d) the data user is not satisfied that the correction which
is the subject of the request is accurate; or
(e) subject to subsection (4), any other data user controls
the processing of the personal data to which the request
relates in such a way as to prohibit the first-mentioned
data user from complying (whether in whole or in part)
with that section.
(4) Subsection (3)(e) shall not operate so as to excuse a data
user from complying with section 23(1) in relation to the data
correction request concerned to the extent that the data user can
comply with that section without contravening the prohibition
concerned.
25. Notification of refusal to comply with
data correction request, etc.
(1) A data user who pursuant to section 24 refuses to comply with
section 23(1) in relation to a data correction request shall, as soon
as practicable but, in any case, not later than 40 days after
receiving the request, by notice in writing inform the requestor—
(a) of the refusal and the reasons for the refusal; and
(b) where section 24(3)(e) is applicable, of the name and
address of the other data user concerned.
(2) Without prejudice to the generality of subsection (1), where—
(a) the personal data to which a data correction request relates
are an expression of opinion; and
(b) the data user concerned is not satisfied that the opinion is
inaccurate,
then the data user shall—
(i) make a note, whether annexed to that data or
elsewhere—
(A) of the matters in respect of which the opinion
is considered by the requestor to be
inaccurate; and
(B) in such a way that those data cannot be used by
a person (including the data user and a third
party) without the note being drawn to the
attention of, and being available for
inspection by, that person; and
(ii) attach a copy of the note to the notice referred to
in subsection (1) which relates to that request.
(3) In this section, "expression of opinion" (意見表達) includes an
assertion of fact which—
(a) is unverifiable; or
(b) in all the circumstances of the case, is not practicable
to verify.
26. Erasure of personal data no longer required
(1) A data user shall erase personal data held by the data user
where the data are no longer required for the purpose (including any
directly related purpose) for which the data were used unless—
(a) any such erasure is prohibited under any law; or
(b) it is in the public interest (including historical
interest) for the data not to be erased.
(2) For the avoidance of doubt, it is hereby declared that—
(a) a data user shall erase personal data in accordance with
subsection (1) notwithstanding that any other data user
controls (whether in whole or in part) the processing of
the data;
(b) the first-mentioned data user shall not be liable in an
action for damages at the suit of the second-mentioned
data user in respect of any such erasure.
27. Log book to be kept by data user
(1) A data user shall keep and maintain a log book—
(a) for the purposes of this Part;
(b) in the Chinese or English language; and
(c) such that any particulars entered in the log book
pursuant to this section are not erased therefrom before
the expiration of—
(i) subject to subparagraph (ii), 4 years after the day
on which they were so entered;
(ii) such longer or shorter period as may be prescribed,
either generally or in any particular case, by
regulations made under section 70.
(2) A data user shall in accordance with subsection (3) enter in
the log book—
(a) where pursuant to section 20 the data user refuses to
comply with a data access request, particulars of the
reasons for the refusal;
(b) where pursuant to section 21(2) the data user does not
comply with section 21(1), particulars of the prejudice
that would be caused to the interest protected by the
exemption concerned under Part VIII if the existence or
non-existence of the personal data to which the data
access request concerned relates were disclosed;
(c) where pursuant to section 24 the data user refuses to
comply with section 23(1) in relation to a data
correction request, particulars of the reasons for the
refusal;
(d) any other particulars required by regulations made under
section 70 to be entered in the log book.
(3) The particulars required by subsection (2) to be entered by a
data user in the log book shall be so entered—
(a) in the case of particulars referred to in paragraph (a)
of that subsection, on or before the notice under section
21(1) is served in respect of the refusal to which those
particulars relate;
(b) in the case of particulars referred to in paragraph (b)
of that subsection, on or before the notice under section
21(1) is served in respect of the refusal to which those
particulars relate;
(c) in the case of particulars referred to in paragraph (c)
of that subsection, on or before the notice under section
25(1) is served in respect of the refusal to which those
particulars relate;
(d) in the case of particulars referred to in paragraph (d)
of that subsection, within the period specified in
regulations made under section 70 in respect of those
particulars.
(4) A data user shall—
(a) permit the Commissioner to inspect and copy the log book
(or any part thereof) at any reasonable time; and
(b) without charge, afford the Commissioner such facilities
and assistance as the Commissioner may reasonably require
for the purposes of such inspection and copying.
28. Imposition of fees by data user
(1) A data user shall not impose a fee for complying or refusing
to comply with a data access request or data correction request
unless the imposition of the fee is expressly permitted by this
section.
(2) Subject to subsections (3) and (4), a data user may impose a
fee for complying with a data access request.
(3) No fee imposed for complying with a data access request shall
be excessive.
(4) Where pursuant to section 19(3)(c)(iv) or (v) or
19(4)(ii)(B)(II) a data user may comply with a data access request by
supplying a copy of the personal data to which the request relates in
one of 2 or more forms, the data user shall not, and irrespective of
the form in which the data user complies with the request, impose a
fee for complying with the request which is higher than the lowest
fee the data user imposes for complying with the request in any of
those forms.
(5) A data user may refuse to comply with a data access request
unless and until any fee imposed by the data user for complying with
the request has been paid.
(6) Where—
(a) a data user has complied with a data access request by
supplying a copy of the personal data to which the request
relates; and
(b) the data subject, or a relevant person on behalf of the data
subject, requests the data user to supply a further copy of
those data,
then the data user may, and notwithstanding the fee, if any, that the
data user imposed for complying with that data access request, impose
a fee for supplying that further copy which is not more than the
administrative and other costs incurred by the data user in supplying
that further copy.
29. Service and language of certain notices
Without prejudice to the generality of section 68, where pursuant
to a data access request or data correction request a data user is
required to, or may, inform a requestor of any matter by notice in
writing, then the requestor shall be deemed not to be so informed
unless and until the requestor is served with the notice—
(a) in the language in which the request is made if that
language is Chinese or English;
(b) in any other case, in the Chinese or English language as the
data user thinks fit.