Proper Handling of Data Correction Request by Data Users 1


Guidance Note

Proper Handling of Data Correction Request by Data Users

Introduction

Under the Personal Data (Privacy) Ordinance (Chapter 486) (the "Ordinance"), a data user is required to ensure that the personal data it holds is accurate [1]. If a data subject (or a "relevant person" [2] on behalf of that data subject) has obtained a copy of his personal data held by a data user by way of a data access request ("DAR") [3] and subsequently detects any inaccuracy in relation to his personal data, he (or his "relevant person") may make a data correction request ("DCR") [4] to that data user. Failure to handle a DCR in accordance with the requirements under the Ordinance without reasonable excuse may constitute an offence and render the offender liable on conviction to a fine.

This guidance note uses a step-by-step approach with case studies to provide general guidance to data users on the proper handling of DCRs. It should be read in conjunction with the guidance note on "Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users" [5] issued by the Privacy Commissioner for Personal Data, Hong Kong (the "Commissioner").

The Four Steps of Assessing and Handling a DCR

If a data user receives a request for correction of personal data, it should follow the following four steps to assess and handle the request:

Step 1: To assess whether the request is a DCR as defined under the Ordinance;
Step 2: To verify the identity and authority of the requestor;
Step 3: To assess the content of the DCR; and
Step 4: To decide to comply with or to refuse to comply with the DCR.

Step 1: To assess whether the request is a DCR as defined under the Ordinance

A DCR under the Ordinance applies only to personal data, a copy of which has been provided to the requestor pursuant to an earlier DAR [6] and the requestor finds it to be inaccurate and requests for correction.

Common examples of DCR include requests by credit service users for correction of their credit data recorded in their credit reports [7] and requests by employees for correction of employment-related data held by employers.

Case Study 1: An employer complained of its employee's poor attendance. In response to the employee's query, the employer provided the employee with a copy of his attendance record in support of its complaint. The employee alleged a number of inaccuracies and requested the human resources department for correction of the same, but his request was not accepted. He therefore lodged a complaint with the Commissioner for the employer's failure to comply with his DCR. Given that the attendance record which the employee relied on for his correction request was not obtained by way of an earlier DAR, the request made by the employee was not a DCR as defined under the Ordinance, hence the employer was not required to handle the request in accordance with the procedural requirements relating to a DCR.

[1] Data Protection Principle 2(1) in Schedule 1 to the Ordinance provides that all practicable steps shall be taken by a data user to ensure that personal data is accurate having regard to the purpose (including any directly related purpose) for which the personal data is or is to be used.
[2] As defined under section 2(1) and section 17A of the Ordinance
[3] Section 18 of the Ordinance
[4] Section 22 of and Data Protection Principle 6(e) in Schedule 1 to the Ordinance
[5] The guidance note can be downloaded from www.pcpd.org.hk//english/resources_centre/publications/files/dar_e.pdf
[6] A requestor is not entitled under the Ordinance to make a DCR to a data user without having first made a DAR to obtain a copy of his / her personal data and checked the accuracy of such data. If a DAR has been refused by a data user lawfully, the requestor is not entitled to make a DCR.
[7] Specifically, a credit reference agency shall comply with the relevant provisions of the Code of Practice on Consumer Credit Data issued by the Commissioner in handling DCRs in relation to consumer credit data.

Note: even if no valid DCR is received, a data user is still obliged under Data Protection Principle 2(1) to ensure the accuracy of a data subject's personal data in its possession.

Step 2: To verify the identity and authority of the requestor

A data user should verify the identity and authority of a DCR requestor so as to prevent the personal data from unauthorised changes.

A data user should have already verified the identity of a DAR requestor before complying with the DAR. If a DCR is subsequently submitted by the same requestor, it is generally not necessary to verify the identity of the same person again [8].

However, if a DAR is not submitted by the data subject himself but a "relevant person" authorised in writing by the data subject to make the DAR, that "relevant person" is not entitled to make a DCR based solely on that authorisation for the DAR [9]. The data user should ask the requestor to furnish a written authorisation signed by the data subject for the DCR.

A "relevant person" is not restricted to a natural person. A non-natural person such as a law firm or an organisation can be authorised as a "relevant person".

If a data user is not supplied with the reasonably required information to ascertain the identity of the data subject or the "relevant person", the data user should refuse to comply with the DCR [10] (for detail please refer to Step 4 below).

Case Study 2: Is a parent entitled to make a DAR and a DCR as a "relevant person" for his minor child? Under section 18(1) of the Ordinance, a DAR can be made by the data subject himself or a "relevant person" on behalf of that data subject. A father submitted a DAR to the school of his daughter in order to obtain the address of his ex-wife and their daughter. The DAR appeared to the Commissioner not to have been submitted on behalf of the daughter, and the school should not provide the father with the requested data. Since a DCR can only be made subsequent to a data user's compliance with a DAR, a parent cannot be a "relevant person" of his minor child in a DCR if he is found not to be making a DCR on behalf of the minor child.

Step 3: To assess the content of the DCR

After verifying the identity and authority of the requestor, a data user should assess whether or not the personal data requested for correction is inaccurate [11], before deciding whether to comply with or to refuse to comply with the request. In this assessment, a data user should differentiate between verifiable matters and expression of opinion in the data concerned, as they require different treatment by the data user.

Verifiable matters refer to facts that can be proved with objective reality, record and data for ascertaining their accuracies (e.g. attendance record of an employee, school grades as available on a student's transcript).

Case Study 3: A student submitted a DCR to his school for correction of his date of birth in the school record. As the school discovered that the inaccuracy was caused by the student's wrongful submission in his initial registration which involved no error of the school's, the school refused to correct the data. The student lodged a complaint with the Commissioner. The Commissioner took the view that the Ordinance is to ensure accuracy of a data subject's personal data, and therefore the fundamental consideration to comply with a DCR is the accuracy of the data concerned. The student would not lose his right to data correction simply because the inaccurate data was submitted by him. The accuracy of date of birth can be verified by record and hence is a verifiable matter. After the Commissioner's intervention, the school verified the student's correct date of birth with his Hong Kong Identity Card and birth certificate and corrected the said record accordingly.

[8] Section 24(2) of the Ordinance
[9] Section 22(1A) of the Ordinance
[10] Section 24(1) of the Ordinance
[11] "Inaccurate", in relation to personal data, is defined under section 2(1) of the Ordinance to mean incorrect, misleading, incomplete or obsolete.

Case Study 4: A complainant noted an entry of credit card default payment in his credit report. He claimed that this default payment originated from a dispute between him and the airline company in the purchase of an air ticket which was in his view not his responsibility to pay. He therefore submitted a DCR to the issuing bank of the credit card requesting deletion of the default payment record. The bank responded that the transaction was in fact made by the complainant beyond any dispute, and it refused to comply with his request for correction. The complainant complained to the Commissioner. The Commissioner's investigation found that the complainant was refused by the staff of the airline company to board the plane due to his late arrival, and a dispute ensued. The complainant eventually purchased an air ticket of another flight with his credit card. The dispute claimed by the complainant was between him and the airline company in relation to him being refused to board. However, his purchase of another air ticket with credit card without repayment was a verifiable and accurate fact. Hence it is not a contravention of any requirement under the Ordinance for the issuing bank to refuse to delete the record in question.

Expression of opinion includes an assertion of fact which is unverifiable; or in all the circumstances of the case, is not practicable to verify [12].

A document that evaluates a particular person, such as an appraisal report, is a common expression of opinion in dispute. The author of such a document would often set out a series of facts and based on those facts he would provide his comments and conclusions. Therefore, this kind of document is usually a mixture of verifiable matters and unverifiable expression of opinion. When handling a DCR in relation to this kind of document, a data user should distinguish between the verifiable matters and the unverifiable expression of opinion.

Case Study 5: A manager made the following statement in the appraisal report of an appraisee: "The appraisee came late and left early during the probation period. Neither was there anything good about his performance. I recommend termination of his employment." The appraisee disagreed with the above and submitted a DCR. The Commissioner found that if the attendance record was kept and available, "the appraisee came late and left early during the probation period" were verifiable matters, while "neither was there anything good about his performance" was an expression of opinion of the manager which was not verifiable but varied from person to person. However, "I recommend termination of his employment" is a recommendation made by the manager that is verifiable, hence not an expression of opinion.

When an expression of opinion involves a professional judgment, the Commissioner usually would not intervene in any correction request [13], unless the inaccuracy is obvious, or there is compelling evidence to support that the judgment is inaccurate [14].

Case Study 6: A medical doctor diagnosed that a patient was suffering from a certain disease, and the patient considered this to be misdiagnosis and submitted a DCR to the doctor to delete the said disease from his medical record. The DCR was refused by the doctor, and the patient therefore lodged a complaint with the Commissioner. Relying on the decision of the Administrative Appeals Board, the Commissioner opined that whether a patient was suffering from a certain disease was a professional judgment made by the medical doctor. Given that the patient was unable to provide any weighty evidence to support his assertion (e.g. contrary diagnosis made by another doctor who is specialised in that particular disease), the Commissioner might refuse to deal with this request for the correction of professional medical opinion.

[12] Section 25(3) of the Ordinance
[13] According to the decision of the Administrative Appeal No. 42 of 2006, the Administrative Appeals Board took the view that the Commissioner would not be in a position to determine whether the opinion concerning the medical condition of a person was accurate or not.
[14] According to the decision of the Administrative Appeals Board in Administrative Appeal No. 48 of 2014.

Furthermore, where the issues behind a DCR of an expression of opinion could be more appropriately dealt with by means other than the DCR, the Commissioner may refuse to investigate such a complaint by the requestor of the DCR. For example, an employee who disputes the grounds of termination upon which his employment is terminated should seek redress through the Labour Tribunal or other legal channels, instead of making a DCR to correct the employer's allegation of unsatisfactory performance against him in his letter of termination [15].

Step 4: To decide to comply with or to refuse to comply with the DCR

A data user should consider the accuracy of each and every item in a DCR, and it is not uncommon for a DCR to be partly complied with and partly refused.

If a data user discovers that the data being requested for correction is inaccurate, it should comply with the DCR without a fee [16], and compliance with a DCR should be completed within 40 calendar days (not working days) of the receipt of the DCR with a copy of the corrected [17] data supplied to the requestor [18].

If a data user is unable to fully comply with a DCR within 40 days (e.g. the data to be corrected is voluminous), it should comply with the DCR to the extent, if any, that the data user is able to comply [19], and notify the requestor in writing of the reason(s) for non-compliance within the 40-day period. The data user is required to comply fully with the DCR as soon as practicable thereafter [20].

A data user may refuse to comply with a DCR if:

- the data correction request is not made in Chinese or English writing [21];
- it is unable to verify the identity and authority of the requestor [22];
- it is not satisfied that the personal data to which the DCR relates is inaccurate [23];
- it is not provided with sufficient information to ascertain that the data is inaccurate [24]; or
- it is not satisfied that the correction provided in the DCR is accurate [25].

If it decides to refuse to comply with a DCR, a data user is obliged to give written notice and reasons for the refusal to the requestor within 40 days of the receipt of the DCR [26]. The Ordinance does not allow a refusal to be delayed [27].

Where the personal data to which a DCR relates is an expression of opinion and the data user is not satisfied that the opinion is inaccurate, the data user should make a note of the said data, in such a way that the note will be available to and attention will be drawn to a person who intends to use the data [28]. The data user should also attach a copy of the note to the notice of refusal to be served on the requestor of the DCR [29].

Case Study 7: The complainant in Case Study 4 suggested to the Commissioner that the issuing bank of his credit card should add a note to the default payment record, indicating that the default payment record was disputed. The Commissioner opined that the requirement to add a note applies only to expression of opinion where a requestor and a data user held different opinions. Given that the transaction in question is a verifiable matter, which was also verified and confirmed to be accurate, the requirement to add a note would not be applicable.

[15] In Administrative Appeal No. 22/2000, it was held that if an employee disputes the grounds upon which his employment is terminated, he should seek redress, not through the Office of the Privacy Commissioner for Personal Data, Hong Kong, but through other legal channels, such as taking his case to the Labour Tribunal.
[16] Section 28(1) of the Ordinance
[17] "Correction", in relation to personal data, is defined under section 2(1) of the Ordinance to mean rectification, erasure or completion.
[18] Section 23(1) of the Ordinance
[19] Section 23(2)(a) of the Ordinance
[20] Section 23(2)(b) of the Ordinance
[21] Section 24(3)(a) of the Ordinance. However, there is no prescribed format or form for a DCR.
[22] Section 24(1) of the Ordinance
[23] Section 24(3)(b) of the Ordinance
[24] Section 24(3)(c) of the Ordinance
[25] Section 24(3)(d) of the Ordinance
[26] Section 25(1)(a) of the Ordinance
[27] The Ordinance allows compliance with a DAR to be delayed as long as a data user has taken the prescribed actions under section 19(2)(a) of the Ordinance. However, there is no similar provision under the Ordinance in relation to the refusal of a DCR, therefore all notices of refusal to comply with DCRs must be given within 40 days.
[28] Section 25(2) of the Ordinance
[29] Section 25(2)(ii) of the Ordinance

Case Study 8: In Case Study 5, "neither was there anything good about his performance" was an evaluative statement impracticable to be verified, and was therefore an expression of opinion under the Ordinance. If the employer was not satisfied that this statement was inaccurate, it should add a note to this statement indicating the appraisee's contrary opinion. On the other hand, "I recommend termination of his employment" was a particular recommendation made by the manager and was a verifiable matter. That is, it was not an expression of opinion as defined under the Ordinance, and it was not necessary for the employer to add a note to this recommendation.

A data user is required to keep a log book recording the particulars of the reasons for the refusal of DCR for four years [30].

Matters to Note When a Third Party is Involved in a DCR

When carrying out Step 3 (i.e. to assess the contents of the DCR), if the data in question held by the data user was provided by a third party, the data user may consult the third party for the accuracy of such data so as to decide whether to comply with the DCR.

Case Study 9: A person obtained his consumer credit report by way of a DAR from a credit reference agency. He noted that his correspondence address contained therein was incorrect and submitted a DCR to the agency. How should the agency handle the request? The consumer credit agency should consult the credit provider who had contributed the data in question. If no written confirmation or correction was received from the credit provider, the agency should delete or otherwise amend the data in question as requested within 40 days from the receipt date of the DCR [31].

When carrying out Step 4 (i.e. to decide whether to comply with or to refuse to comply with the DCR), if a data user is satisfied that there is data inaccuracy and has decided to comply with the DCR, and the inaccurate data has been disclosed to a third party during the past 12 months before the day of correction of the data in compliance with the DCR, the data user should ascertain whether the third party has ceased using that data [32]. If the data user has no reason to believe that the third party has ceased using the data for the purpose it was disclosed, the data user should take all practicable steps to supply such third party with a copy of the corrected personal data and a written notice of the reasons for the correction [33], [34].

When carrying out Step 4, where there is another data user that controls the processing of the data in such a way as to prohibit the data user from complying with the DCR, the data user should inform the requestor of the name and address of the other data user concerned in its notification of refusal to comply with the DCR to the requestor [35].

Case Study 10: A group company instructs one of its subsidiaries to manage all routine human resources matters within the whole group, without granting power to that subsidiary for making changes to the personnel files in its possession without the group company's approval. If one of the employees of the group finds data inaccuracy in his personnel file and submits a DCR to the said subsidiary, the subsidiary should inform that employee of the responsible department or staff when notifying him of their refusal due to their absence of power of making changes.

If a data user needs to disclose personal data subject to a DCR to a third party before it decides whether to comply with or to refuse to comply with the DCR, it should take all practicable steps to advise the third party concerned that the data is being considered for correction [36].

[30] Section 27 of the Ordinance
[31] Clause 3.19 of the Code of Practice on Consumer Credit Data issued by the Commissioner
[32] According to the decision of Administrative Appeal No. 2/2011, whether the third party is still using the inaccurate data should be given a reasonably wide construction. To justify "using", the third party does not have to retrieve the inaccurate data to look at it and specifically rely on it. It suffices if the inaccurate data may still have an effect or influence on that third party's decision-making or other action which impacts on the data subject.
[33] Section 23(1)(c) of the Ordinance
[34] Unless the disclosure consists of the third party's inspection of a register or other like document which is available for public inspection (except where the third party has been supplied a copy certified correct by the data user), see section 23(3) of the Ordinance.
[35] Sections 24(3)(e) and 25(1)(b) of the Ordinance
[36] Section 22(3) of the Ordinance

Enquiry Hotline: (852) 2827 2827
Fax: (852) 2877 7026
Address: 12/F, Sunlight Tower, 248 Queen's Road East, Wanchai, Hong Kong
Email: enquiry@pcpd.org.hk

Copyright

This publication is licensed under a Creative Commons Attribution 4.0 International (CC BY 4.0) licence. In essence, you are free to share and adapt this publication, as long as you attribute the work to the Office of the Privacy Commissioner for Personal Data, Hong Kong. For details, please visit creativecommons.org/licenses/by/4.0.

Disclaimer

The information and suggestions provided in this publication are for general reference only. They do not provide an exhaustive guide to the application of the Personal Data (Privacy) Ordinance (the "Ordinance"). For a complete and definitive statement of law, direct reference should be made to the Ordinance itself. The Privacy Commissioner for Personal Data (the "Commissioner") makes no express or implied warranties of accuracy or fitness for a particular purpose or use with respect to the information and suggestions set out in this publication. The information and suggestions provided will not affect the functions and powers conferred upon the Commissioner under the Ordinance.

First published in December 2012 (First Revision)