Fees for Data Access Requests for Medical Records

In Hong Kong, the collection, handling, storage and processing of sensitive personal data, including medical records, of individuals (referred to as “data subjects”) are restricted and controlled by the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong).

Under section 28 of the Personal Data (Privacy) Ordinance, a data user (i.e. a party who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of personal data) may, amongst other things, impose a fee for complying with a data subject’s data access request or data correction request as long as the fee is permitted by the Ordinance and is not excessive. The Ordinance does not itself provide any guidance on what would be considered “excessive”.

The decision handed down by the Administrative Appeals Board (AAB) on 16 May 2017 in Wong Shu Ling Shirl v Privacy Commissioner for Personal Data (Administrative Appeal No. 42/2016) sheds some light on the thought process involved in determining whether a data access request fee is excessive or not.  The case concerns an appeal made by a patient to the AAB relating to her request to a private medical clinic for copies of her medical records. The medical clinic had sought to charge her HK$100 for complying with her data access request, which she refused to pay on the ground that it was excessive.  The patient was aggrieved that, following the completion of an investigation by the Privacy Commissioner into the HK$100 fee, the Privacy Commissioner had ruled that such fee was not excessive and, therefore, no enforcement notice was required to be served on the clinic.

In the above case, a bone of contention was whether it was necessary for a medical doctor to review the appellant’s medical records before complying with her data access request. It was the appellant’s position that the involvement of a doctor was unjustified and that her medical records could simply have been provided by the clinic’s administrative staff, whose costs were below the HK$100 fee the clinic wished to charge. The appellant also argued that even if the AAB were to allow for the cost of the doctor’s work to be claimed by the clinic in complying with her data access request, the actual costs should be found to be below HK$100. The clinic had argued that a doctor would need at least 2 minutes to review the appellant’s records at the cost of HK$83.30 (based on the clinic’s HK$250 consultation fee for doctors).

Referring to an earlier decision of the AAB in Commissioner of Correctional Services v Privacy Commissioner for Personal Data (AAB Decision No. 37/2009), the AAB indicated that “…whether a fee purportedly imposed is excessive or not is to be considered according to the circumstances of each case” and that “the word ‘excessive’ should be construed as confining the fee only to cover those costs which are directly related to and necessary for complying with a [data access request]”. The AAB concluded that the cost of the doctor’s review of the medical records was directly related to and necessary for the data access request because the medical records contained sensitive personal information that needs to be handled with particular care. Additionally, the HK$100 fee was found not to be excessive. The appellant’s appeal was therefore dismissed.

The law recognises that the fees charged by data users for data access to medical records (or indeed any records containing personal data within the meaning of the Personal Data (Privacy) Ordinance) will vary depending on the circumstances and the request itself.  For data users such as medical clinics, disputes may be minimised by conducting regular reviews of all data access request fees to ensure that they are commensurate with the actual costs of complying with the requests and that such costs are directly related to and necessary for compliance with the requests.  Wong Shu Ling Shirl v Privacy Commissioner for Personal Data also demonstrates that, in the event of a dispute arising, data users should be prepared to provide an itemised breakdown of the fees and to show that they are not excessive in the circumstances.

Eddie Look / Caroline de Souza


Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.

