Operations
Highlights of acts or practices found in contravention of the PD(P)O
Provided below are brief
illustrations of some of the acts or practices that were found to have
contravened the requirements of the PD(P)O in the complaint investigations
completed in 2002-03. They are selected on the basis of subject matter
and demonstrate the wide variety of conduct that is subject to the requirements
of the PD(P)O, including those of the data protection principles ("DPPs").
Refusal to comply with a data access request - section 18-20
The complainant instructed
a law firm to act as his "relevant person" under the PD(P)O
to make a data access request to an investment company seeking access
to his personal data. The company refused to comply with the request on
grounds that the law firm was not properly authorized due to irregularities
in the authorization letter and the request was defective and a nullity
ab initio.
Under the PD(P)O, a
"relevant person" making a data access request on behalf of an
individual can be a "person" including any body of persons,
corporate or unincorporate. Accordingly, the law firm can act as the requestor
for the data on behalf of the complainant. Section 20(1)(a) of the PD(P)O
provides for a data user to refuse to supply the requested data when it
is not sure about the identity of the requestor. However, it does not
entitle the data user to refuse outright to supply the data. It can only
be invoked when the data user's reasonable request for information has
not been complied with by the requestor. Similar provisions are contained
in section 20(3)(b) where a data user may refuse to comply with a data
access request if it is not supplied with such information as it may reasonably
require to locate the requested data. Where a question of the identity of the
requestor or specification of the requested data arises, further information
as may be reasonably required can be sought. Accordingly, an error or
irregularity in a data access request could not render the request a nullity.
It merely makes the requestor liable to the supply of further information
as may be reasonably required of him.
A data user has the
obligation to first seek further information from the requestor, and if
the request for such information is declined, then the data user may exercise
the right to refuse to comply with the data access request.
Data access request involving "file minutes" held by a government department - section 18 & 19
The complainant was
a former civil servant. He had served in a government department for more
than 10 years and was then transferred to another department on a different
post on probation terms for two years. However, his performance during
the probation period was considered unsatisfactory and his service was
subsequently terminated. He made a data access request to the department
seeking access to his personnel file held by the department. In complying
with the request, the department provided over 400 pages of documents
to the complainant with certain information edited out from the copies
of the documents on grounds that the edited data were matters of departmental
policy that should not amount to personal data of the complainant.
Section 20(2)(b) of
the PD(P)O provides that a data user may, in complying with a data access
request, edit out data of third party individuals from the requested data
either by the omission of names or other identifying particulars. However,
on closer examination of the documents provided to the complainant, it
was ascertained that they were "file minutes" relating to discussions
regarding the complainant's eligibility for pension benefits. These discussions
were specific matters of policy applicable to the complainant's case,
i.e. termination of service. In these circumstances, the contents of the
"file minutes" contained personal data of the complainant and
should have been disclosed to the complainant in complying with his data
access request.
   