Complying with data access requests: Is it permissible to charge employees for access to their personal data?
Pursuant to the Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO"), an employee (or former employee) can ask his/her employer to provide copies of any personal data which relates (directly or indirectly) to him/her. This is known as a "data access request" ("DAR").
DARs can be made in respect of any personal data where it would be practicable for the employee's identity to be directly or indirectly ascertained. This may include personnel files, disciplinary records, interview notes, appraisals and performance reports, etc. An employer who receives a DAR from an employee must comply with the request (or inform the employee in writing of the reasons for its refusal or inability to comply with the request) within 40 calendar days of receiving the DAR.
In complying with the DAR, an employer can impose a fee for supplying the requested personal data or decline to supply such data unless and until the employee has paid the imposed fee. This does not mean, however, that the employer has an unrestricted discretion to impose DAR fees. Any imposed fee must not be "excessive" and should be "directly related to and necessary" for compliance with the DAR.
Direct and necessary costs
According to the Privacy Commissioner for Personal Data, "direct and necessary costs" does not bear the same meaning as "reasonable costs". Furthermore, not all costs which are actually incurred by an employer in complying with the DAR will constitute direct and necessary costs. For instance, administrative overheads should not fall under the umbrella of direct and necessary costs. The question for the employer is whether it is possible to comply with each item requested under the employee's DAR without incurring costs for that particular item. If the employer can supply an item without incurring costs, it should not charge a fee for any costs incurred for providing that particular item.
If an employer decides to seek legal advice on its obligations to comply with a DAR, it is arguable that the costs of seeking such legal advice were reasonable. However, such costs should not be imposed as a fee on the employee as the legal advice was not a necessary cost for complying with the DAR. Rather, the legal advice was obtained for the benefit of the employer only. Similarly, although redaction costs are generally allowed, the employer should not charge a fee for any redactions made to requested personal data which are exempted from disclosure under any relevant legislation. This is because such costs are incurred for the protection of the employer's interests and are not directly related to and necessary for compliance with the DAR.
The costs of complying with DARs should be minimal unless the DARs are wide-ranging or complicated (i.e. covering an extensive time period, involving a massive trove of documents, requiring convoluted searches, etc.). Where costs are incurred beyond what should have been incurred as a result of an extraordinary situation created by the employer, such costs are deemed to be excessive and should not be borne by the employee. In a 2011 case, an employer incurred exorbitant costs in order to recover personal data from a laptop which it had caused to crash. Since the recovery costs would not have been incurred under normal circumstances, it was held that a corresponding fee based on such costs would be excessive.
What fees are permissible?
The employer may take into account the direct labour necessary for complying with a DAR, including costs such as time spent by its employees to find, retrieve and reproduce the requested personal data. The chargeable labour costs should be calculated at the employees' hourly rate (including fringe benefits and salary) multiplied by the number of hours spent on the matter. As a general rule, an employer should not assign managerial level employees to perform administrative tasks for the purposes of handling DARs as this task allocation will unnecessarily raise labour costs. However, an employer may charge for the costs of technical assistance which is essential for complying with the DARs (e.g. technical assistance for duplicating video footage). Alternatively, an employer may wish to charge a "flat-rate fee" for complying with all DARs. This is permissible to the extent that the flat-rate fee imposed is lower than the direct and necessary costs for compliance with the DAR.
The costs of photocopying the documents containing the requested data are also direct and necessary costs. Generally speaking, a photocopying charge of HK$1 per page will not be considered excessive.
It is important for an employer to bear in mind that the right to impose a DAR fee should not be exercised for the purpose of deterring employees from making DARs. An employer who fails to comply with a DAR without a reasonable explanation commits an offence which could result in a fine of up to HK$10,000. Where an employee believes that he/she has been charged excessively for compliance with his/her DAR, he/she may lodge a complaint with the Privacy Commissioner's Office. Ultimately, the burden rests on the employer to justify the imposed fee and how it relates to the costs incurred.
Howse Williams Bowers is an independent law firm which combines the in-depth experience of its lawyers with a forward thinking approach.
Disclaimer: The information contained in this article is intended to be a general guide only and is not intended to provide legal advice. Please contact email@example.com if you have any questions about the article.