Subject Access Request (Hong Kong)
DATA ACCESS REQUEST UNDER THE PERSONAL DATA (PRIVACY) ORDINANCE (CAP. 486)
Date: [Request Date]
To: [DPO Name], [Organisation Name], [Organisation Address]
From: [Requester Name], [Requester Address]
Email: [Requester Email]
HKID/Passport: [Requester ID]
Legal Basis
I write pursuant to section 18 of the Personal Data (Privacy) Ordinance (Cap. 486) to exercise my right of access to personal data held about me by your organisation as data user.
Data Requested
I request access to the following categories of personal data: [Data Categories], covering the period: [Data Period]. I have attached a copy of my identity document for verification purposes: [Identity Doc Attached]. Please provide the data in [Preferred Format] format.
Response Required
Under section 19(1) of Cap. 486, you are required to respond to this request within 40 days of receipt. If you are unable to comply fully, please provide written reasons and advise me of my right to complain to the Office of the Privacy Commissioner for Personal Data (PCPD) under section 37 of Cap. 486.
Data Subject
________________
Signature
What Is a Subject Access Request (Hong Kong)?
A Subject Access Request (Hong Kong) is a formal written letter exercising the statutory right of access to personal data under Section 18 of the Personal Data (Privacy) Ordinance (Cap. 486). The letter requires a data user (any organisation or individual that collects, holds, processes, or uses personal data about the requester) to confirm whether it holds such data and, if so, to provide a copy in an intelligible form within the 40-day statutory response period imposed by Section 19(1) of Cap. 486.
The Personal Data (Privacy) Ordinance (Cap. 486) is the principal privacy statute in Hong Kong. Enacted in 1996 and significantly strengthened by the Personal Data (Privacy) (Amendment) Ordinance 2021, Cap. 486 establishes six Data Protection Principles (DPPs) that govern how all organisations must handle personal data about individuals: DPP1 governs the purpose and means of collection; DPP2 addresses accuracy and retention; DPP3 restricts use to the original collection purpose unless the data subject consents; DPP4 imposes data security obligations; DPP5 requires openness about data policies and practices; and DPP6 establishes the individual's right of access to their own data and the right to request correction of inaccurate data. A subject access request is the primary mechanism through which individuals exercise their DPP6 rights in Hong Kong.
The Office of the Privacy Commissioner for Personal Data (PCPD) is the independent statutory body established under Cap. 486 to oversee the enforcement of data privacy rights in Hong Kong. The PCPD publishes guidance on making data access requests, provides a prescribed form (OPS003) that may optionally be used, investigates complaints from individuals whose access rights have been denied or ignored, and issues enforcement notices under Section 50 of Cap. 486 requiring non-compliant data users to provide access. Failure to comply with an enforcement notice is a criminal offence punishable by fine and imprisonment under Cap. 486.
The 2021 amendments to Cap. 486 enhanced the regulatory framework in several important ways. Mandatory data breach notification obligations were introduced for data users, requiring prompt disclosure to both the PCPD and affected data subjects when a breach involving sensitive personal data occurs. New criminal offences for doxxing — the unauthorised disclosure of personal data including photographs and identifying information to intimidate or cause harm — were enacted. The PCPD's investigation and enforcement powers were substantially expanded. These changes reflect a broader trend in Hong Kong toward greater protection of individual data privacy rights, and they are relevant context for any individual exercising their access rights under Section 18 of Cap. 486.
The 2021 Amendment Ordinance also introduced mandatory data breach notification requirements, which are relevant context for individuals who have been notified of a breach affecting their personal data and wish to exercise their access rights to understand exactly what data was affected. Under the amended framework, where a data user becomes aware of a data breach involving sensitive personal data — including financial information, medical records, biometric data, or HKID numbers — they must notify both the PCPD and the affected data subjects as soon as practicable. Following a breach notification, exercising a subject access request under Section 18 of Cap. 486 enables the affected individual to obtain a thorough picture of all data held about them, identify whether additional categories of data beyond those mentioned in the breach notice were affected, and assess the full scope of potential harm.
When Do You Need a Subject Access Request (Hong Kong)?
A Subject Access Request (Hong Kong) is needed whenever an individual in Hong Kong wishes to exercise their statutory right under Section 18 of Cap. 486 to obtain a copy of personal data held about them by an organisation, and wants to do so through a formal written mechanism that triggers the 40-day statutory response obligation. Common situations in Hong Kong where submitting a subject access request is practically useful include:
- requesting employment records from a current or former employer: performance appraisals, disciplinary records, email correspondence, HR file notes, and personal data used in hiring or promotion decisions;
- obtaining financial data held by banks licensed under the Banking Ordinance (Cap. 155), credit card companies, insurance companies, and licensed money lenders regulated under Cap. 163;
- accessing medical records held by private hospitals, specialist clinics, and healthcare providers in Hong Kong, where the relevant industry guidelines on medical records access supplement the PDPO framework;
- reviewing information held by schools, universities, and educational institutions about current or former students;
- discovering what data telecommunications companies, internet service providers, and technology platform operators hold about the requester's usage, location, and personal profile;
- investigating suspected misuse of personal data, for example where the requester has received unsolicited direct marketing communications from an organisation they did not provide their details to, suggesting possible unauthorised data transfer;
- obtaining data relevant to legal proceedings or dispute resolution.
A subject access request is particularly valuable in litigation preparation. Personal data held by an employer, counterparty, or organisation may constitute important evidence in employment disputes before the Labour Tribunal, personal injury claims, commercial contract disputes, family proceedings, or regulatory investigations. Obtaining the data through a Section 18 subject access request — which is low-cost and formally triggers a legally mandated response within 40 days — is a practical and efficient first step before commencing formal litigation and seeking more expensive discovery orders from the District Court or Court of First Instance. If an organisation refuses to comply with the subject access request, the refusal itself can form part of the factual record submitted to the PCPD or in subsequent court proceedings.
What to Include in Your Subject Access Request (Hong Kong)
A Subject Access Request (Hong Kong) under Cap. 486 should contain the following elements to constitute a valid request that triggers the data user's 40-day statutory response obligation under Section 19(1).
Requester identification: the requester's full legal name, current residential address, email address for correspondence, and HKID number or passport number to confirm identity. Organisations are entitled under Cap. 486 to verify the requester's identity before disclosing personal data, to prevent fraudulent access to another person's records. Providing HKID details upfront accelerates compliance and reduces the risk of the organisation claiming the request is invalid.
Organisation details: the full name of the data user organisation, their business address, and where known, the name and title of the data protection officer or privacy officer to whom the request should be directed.
Legal basis: an express citation of Section 18 of the Personal Data (Privacy) Ordinance (Cap. 486) as the statutory basis for the request. Citing the specific provision places the organisation on clear notice of the 40-day response obligation under Section 19(1) and the right to complain to the PCPD under Section 37 of Cap. 486 if the deadline is not met.
Data categories requested: a clear description of the categories of personal data being requested — for example, all personal data held about the requester including name, contact details, account records, transaction history, correspondence, call recordings, location data, and any other categories. A broad initial request can be narrowed if the organisation confirms the scope of data actually held before full disclosure.
Time period: the date range covered by the request — for example, all personal data held as at the date of the request, or data collected from a specified start date to the present.
Identity verification: confirmation that a copy of the requester's HKID card or passport is attached, satisfying any identity verification requirement the organisation may have under its internal data access procedures.
Preferred response format: whether the requester prefers data provided in electronic format (email attachment or secure online portal) or paper copy by post, as permitted by Section 20 of Cap. 486.
Request date: the date the letter is submitted, which starts the 40-day statutory period.
Signature: signed by the data subject with their printed name. Forms-legal.com provides this template in PDF and Word format, suitable for use with any Hong Kong data user.
Escalation reference: a clear statement that if the organisation fails to respond within the 40-day period under Section 19(1) of Cap. 486, or refuses to provide the requested data without a lawful exemption under Part VIII of Cap. 486, the requester reserves the right to file a complaint with the Office of the Privacy Commissioner for Personal Data (PCPD) under Section 37 and to apply to the District Court for an order requiring compliance.
Data correction notice: a statement that if the requester identifies any inaccurate personal data upon receiving the organisation's response, they will separately submit a data correction request under Section 22 of Cap. 486 requiring correction of the inaccurate data and notification to third parties to whom inaccurate data has been disclosed. Forms-legal.com provides this template alongside a data correction request template in PDF and Word format for all Cap. 486 personal data rights exercises in Hong Kong.
Confidentiality of response: a request that the organisation treat the subject access request and its response as confidential, disclosing details only to staff who need to process the request. This is consistent with Data Protection Principle 4 of Cap. 486 (data security) and prevents inadvertent further disclosure of personal data during the access process itself.
PCPD escalation reminder: a clear statement that if the data user fails to comply within 40 days under Section 19(1) of Cap. 486, the requester will file a complaint with the Office of the Privacy Commissioner for Personal Data (PCPD) under Section 37 without further notice, and will consider applying to the District Court for an order compelling compliance. Forms-legal.com provides this template in PDF and Word format alongside a Data Correction Request (Section 22, Cap. 486) template for thorough personal data rights management under Hong Kong law.
Sources & Citations
Statutory citations link to official government sources.
- Personal Data (Privacy) Ordinance (Cap. 486) (HK official)
- Banking Ordinance (Cap. 155) (HK official)
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Subject Access Request (Hong Kong) (Hong Kong) [Legal document template]. Forms Legal. https://forms-legal.com/hong-kong/personal/legal-declarations/subject-access-request-hong-kong
Frequently Asked Questions
Under Section 18 of the Personal Data (Privacy) Ordinance (Cap. 486), every individual has the right to request access to personal data held about them by a data user — any organisation or individual that controls the collection, holding, processing, or use of personal data. This is known as a data access request (DAR). Upon receiving a valid DAR, the data user must confirm whether they hold the personal data and, if so, provide a copy in an intelligible form within 40 days under Section 19(1) of Cap. 486. The data user may charge a fee for complying, but under Section 28(4) the fee must not be so high as to discourage the exercise of the right. The Privacy Commissioner for Personal Data (PCPD) oversees enforcement of data access rights under Cap. 486. Under Hong Kong law, specifically the Personal Data (Privacy) Ordinance (Cap. 486), parties should seek independent legal advice to confirm compliance with all applicable requirements and confirm the document meets the standards set by the relevant regulatory authorities.
To make a data access request under Cap. 486, submit a written request to the data user clearly identifying yourself, specifying the categories of personal data to which you wish to have access, and including sufficient information to allow the data user to locate the relevant data. The Privacy Commissioner for Personal Data (PCPD) has published a prescribed form (OPS003) for making a DAR, but use of this form is not mandatory — any written request that satisfies the requirements of Section 18 of Cap. 486 is valid. Address the request to the organisation's data protection officer or privacy officer. You may be required to provide proof of identity such as a copy of your HKID card before the data user will disclose the data, to prevent unauthorised access to another person's information.
A data user in Hong Kong may refuse or limit disclosure in certain circumstances under the exemptions in Part VIII of Cap. 486:
- disclosure would reveal personal data of a third party who has not consented and whose privacy interests outweigh the applicant's right of access;
- the data is subject to legal professional privilege;
- disclosure would be likely to prejudice the prevention or detection of crime or the apprehension or prosecution of offenders;
- the data relates to management planning information whose disclosure would prejudice those plans;
- the data consists of examination scripts or marks before official release; or
- the data consists of references given or received in confidence in connection with employment or education.
The data user must inform the applicant in writing if a request is refused and state the grounds for refusal.
If a data user refuses your data access request or fails to respond within the 40-day statutory period under Section 19(1) of Cap. 486, you may file a complaint with the Office of the Privacy Commissioner for Personal Data (PCPD) under Section 37 of Cap. 486. The PCPD has the power to investigate complaints, conduct audits, and issue enforcement notices under Section 50 requiring the data user to comply. Failure to comply with an enforcement notice is a criminal offence under Cap. 486 punishable by a fine and imprisonment. You may also apply to the District Court for an order requiring the data user to comply with the DAR. For systemic privacy breaches affecting multiple individuals, the PCPD may commence its own investigation and refer serious cases to the Department of Justice for prosecution.
Under Section 19(1) of the Personal Data (Privacy) Ordinance (Cap. 486), a data user must respond to a data access request within 40 days of receiving a valid request. This period runs from the date the organisation receives the DAR, not from the date the organisation processes or acknowledges it. If the data user requires additional time — for example, because the data is voluminous or stored in archives — they must still respond within 40 days explaining the position. The 40-day response period is significantly longer than the one-month period applicable to GDPR subject access requests in the European Union, and organisations should note that the PDPO response period applies to their Hong Kong operations regardless of what data protection law governs their head office in another jurisdiction.
Yes. In addition to the right of access under Section 18 of Cap. 486, Section 22 gives every data subject the right to request correction of personal data that is inaccurate. A data correction request (DCR) requires the data user to correct the data as soon as practicable, and to supply the corrected data to any person to whom the data was disclosed within 12 months before the correction if the data subject requests this. If the data user refuses to make the correction, they must notify the data subject in writing with reasons. The data subject may attach a notice of correction to the disputed data until the matter is resolved. Forms-legal.com provides both subject access request and data correction request templates for use with Hong Kong organisations.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
Affidavit (Hong Kong)
A sworn written statement of facts for use in Hong Kong court proceedings or legal matters, made on oath before a Commissioner for Oaths or Notary Public in accordance with the Oaths and Declarations Ordinance (Cap. 11).
Declaration of Alias (Hong Kong)
A statutory declaration confirming that multiple names refer to the same person. Made under the Oaths and Declarations Ordinance (Cap. 11) of Hong Kong. Used when different names appear on official documents due to Chinese-English transliteration, marriage, dialect variation, or historical discrepancy.
Deed Poll for Change of Name (Hong Kong)
A formal deed poll executed under common law for the change of an individual's name in Hong Kong, declaring the abandonment of the former name and the assumption of the new name for all purposes.
Deed Poll (Hong Kong)
A Deed Poll for Hong Kong enabling an individual to formally change their legal name. This unilateral declaration is recognised by the Immigration Department for updating HKID cards and other official documents.
Letter of Authority (Hong Kong)
A letter of authority for Hong Kong, authorising a named individual or organisation to act on behalf of the principal in specified matters, under common law principles of agency.