The Personal Data (Privacy) Ordinance (PDPO) provides every data subject, among other things, the right to access their personal data held by a data user. By making a data access request (DAR), a data subject can ascertain from the data user whether it holds their personal data and obtain a copy of that data.
In the employment context, the data subject is the employee and the data user is the employer. It is not unusual for an employee to make a DAR to seek information in respect of their employment before or during a complaint or legal proceeding against their employer. This may sometimes be done as a way to fish for information and/or to cause inconvenience to the employer.
So what should an employer do when they receive a DAR? Is it mandatory for the employer to respond to a DAR and/or to provide all the documents requested?
The Obligation to Respond to a DAR
A data user must comply with a DAR within 40 calendar days (not working days) after receiving the request unless one of the limited number of exceptions applies, e.g., the request is not made in the statutory prescribed form. Failing to comply with a valid DAR without a reasonable explanation may result in a fine of up to HK$10,000. Also, the Privacy Commissioner for Personal Data (the Commissioner) may investigate the contravention and serve an enforcement notice on the data user prescribing, among other things, remedial actions to be taken by the data user. If the data user fails to comply with the enforcement notice, the data user commits an offence punishable by imprisonment and a maximum fine of HK$50,000 on the first conviction, with a heavier penalty for a repeated offence.
What Should an Employer Do upon Receipt of a DAR?
In an employment relationship, the personal data collected of an employee may be extensive, particularly if the employment spans many years. After carrying out a search for the requested data, the data user will then have to read the data to see if it responds to the DAR (for example whether any of the data is exempted from disclosure) and to redact personal data of any third person. This can be tedious and time consuming.
So before carrying out the search, an employer should carefully consider the validity of a DAR made by an employee. There may be grounds for not providing the requested data.
The purpose of a DAR is for the data subject (e.g., an employee) to ascertain whether a data user holds their personal data and ensure that such personal data are correct. The employee is entitled to a copy of the personal data requested, but not a copy of every document upon which there is a reference to him/her. A DAR should not be used to supplement or replace the rights of discovery in legal proceedings nor to add to any wider action for discovery for the purpose of discovering the identity of a wrongdoer.
An employee cannot request that the employer provide a list of all personal data it holds so that they can choose the items they want. It is the obligation of the data subject to identify the data requested. An employer needs to exercise all due diligence to locate the data rather than to conduct a more onerous thorough search.
If the description of the requested data in the DAR is too generic and the employee fails to supply information reasonably required by the employer to locate the requested data, then the employer may refuse to comply with the DAR. A request for "all personal data" may be too broad depending on the circumstances. Employers should seek clarification from the employee if the type and scope of the data requested in a DAR are unclear. That said, if an employer is aware of and can reasonably locate the requested data without any further specification from the employee, it should comply with the DAR.
An employer can also consider whether other permissible exceptions under the PDPO apply, such as privileged documents or data that are the subject of an ongoing "relevant process" as defined under section 55 of the PDPO. If an employee is undergoing a disciplinary process, that is, a process for determining whether disciplinary action should be taken and which has an avenue for appeal, then personal data which is the subject of that process need not be provided until the completion of the appeal.
It is important to note that even with valid grounds for objecting, the employer must still respond to the DAR by noting the objection and the reason for not providing the data within 40 days of receipt of the DAR.
Employers Can Charge for Complying with a DAR
An employer may impose a fee for complying with a DAR, but the Commissioner's guidance is that the fee should not be excessive or charged on a commercial basis. A simple comparison of the flat-rate fees charged by different organisations does not assist in determining whether or not the fee is excessive.
An employer may take into account the direct costs attributable to the time spent (i.e., labour costs) and actual out-of-pocket expenses for locating, retrieving and reproducing the requested data in determining the fees. The labour costs should be calculated with reference to the staff assigned to handle the DAR. Computer operating time costs may be charged if they replace the labour costs that would otherwise be incurred by carrying out the relevant work processes manually.
While the cost of compliance will vary depending on the scope and the complexity of the DAR, the Commissioner's view is that in most circumstances the cost of compliance will be nominal. The Commissioner considers that a data user should not charge for its costs in seeking legal advice, its staff studying the requirements under the PDPO, its administrative or office overheads or its costs to redact personal data exempted from disclosure.
However, even if the fee reflects the employer's direct and necessary costs and is not excessive, the employee might not pay the fee after the work has been done. The consequence is that the employer does not have to provide the data to the employee in response to the DAR, but the employer's time and resources have already been wasted.
Takeaway for Employers
An employee may make a DAR to seek access to information from their employer in relation to their employment. Common examples of DARs include requests for copies of appraisal reports, internal investigation reports (e.g., investigations of discrimination or harassment complaints, disciplinary and grievance procedures) and records of termination decisions. The employee may then use the information obtained to formulate their claims against the employer. As such, employers should be careful about what they record in writing in relation to an employee in any internal process and investigation. Employers may also consider whether they can rely on any permissible exceptions under the PDPO when preparing such records, e.g., protecting a document by privilege.
Employers must process any DAR received in accordance with the requirements under the PDPO. Where appropriate, training should be provided to those who handle DARs to ensure they know the relevant obligations (and exceptions) and comply with them.
The Commissioner has recently updated its "Guidance Note on Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users" (https://www.pcpd.org.hk/english/publications/files/DAR_e.pdf), which contains some general guidance on the proper handling of DARs.