Fees for Data Access Requests for Medical Records


In Hong Kong, the collection, handling, storage and processing of sensitive personal data–including medical records–of individuals (referred to as “data subjects”) is restricted and controlled by the Personal Data (Privacy) Ordinance (Cap. 486 of the Laws of Hong Kong).

Under section 28 of the Personal Data (Privacy) Ordinance, a data user (i.e. a party who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of personal data) may, amongst other things, impose a fee for complying with a data subject’s data access request or data correction request as long as the fee is permitted by the Ordinance and is not excessive.  The ordinance does not itself provide any guidance on what would be considered “excessive”.

The decision handed down by the Administrative Appeals Board (AAB) on 16 May 2017 in Wong Shu Ling Shirl v Privacy Commissioner for Personal Data (Administrative Appeal No. 42/2016) sheds some light on the thought process involved in determining whether a data access request fee is excessive or not.  The case concerns an appeal made by a patient to the AAB relating to her request to a private medical clinic for copies of her medical records. The medical clinic had sought to charge her HK$100 for complying with her data access request, which she refused to pay on the ground that it was excessive.  The patient was aggrieved that, following the completion of an investigation by the Privacy Commissioner into the HK$100 fee, the Privacy Commissioner had ruled that such fee was not excessive and, therefore, no enforcement notice was required to be served on the clinic.

In the above case, a bone of contention was whether it was necessary for a medical doctor to review the appellant’s medical records before complying with her data access request.  It was the appellant’s position that the involvement of a doctor was unjustified and that her medical records could simply have been provided by the clinic’s administrative staff whose costs were below the HK$100 fee the clinic wished to charge.  The appellant also argued that even if the AAB were to allow for the cost of the doctor’s work to be claimed by the clinic in complying with her data access request, the actual costs should be found to be below HK$100.  The clinic had argued that a doctor would need at least 2 minutes to review the appellant’s records at the cost of HK$83.30 (based on the HK$250 clinic’s consultation fee for doctors).

Referring to an earlier decision of the AAB in Commissioner of Correctional Services v Privacy Commissioner for Personal Data (AAB Decision No. 37/2009), the AAB indicated that “…whether a fee purportedly imposed is excessive or not is to be considered according to the circumstances of each case” and that “the word “excessive” should be construed as confining the fee only to cover those costs which are directly related to and necessary for complying with a [data access request]”.  The AAB concluded that the cost of the doctor’s review of the medical records was directly related to and necessary for the data access request because the medical records contained sensitive personal information that needs to be handled with particular care.  Additionally, the HK$100 fee was found not to be excessive.  The appellant’s appeal was therefore dismissed.  

The law recognises that the fees charged by data users for data access to medical records (or indeed any records containing personal data within the meaning of the Personal Data (Privacy) Ordinance) will vary depending on the circumstances and the request itself.  For data users such as medical clinics, disputes may be minimised by conducting regular reviews of all data access request fees to ensure that they are commensurate with the actual costs of complying with the requests and that such costs are directly related to and necessary for compliance with the requests.  Wong Shu Ling Shirl v Privacy Commissioner for Personal Data also demonstrates that, in the event of a dispute arising, data users should be prepared to provide an itemised breakdown of the fees and to show that they are not excessive in the circumstances.

Eddie Look / Caroline de Souza

For more information on the Personal Data (Privacy) Ordinance and its implications for you or your business, please contact:

Eddie Look
Partner | E-mail
Tim Drew
Partner | E-mail
Edmond Leung
Partner | E-mail
River Stone
Partner | E-mail
Pádraig Walsh
Partner | E-mail

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.