Document disagreements as to whether personal data is complete and accurate.


CONTROL ID: 06952
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a privacy dispute resolution program., CC ID: 12526

This Control has the following implementation support Control(s):
  • Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement., CC ID: 06954


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Without prejudice to the generality of sections 23(1)(c) and 25(2), if a data user, subsequent to the receipt of a data correction request but before complying with the request pursuant to section 24 or refusing to comply with the request pursuant to section 25, discloses to a third party the person… (Part 5 Division 2 Section 22(3), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • where pursuant to section 24 the data user refuses to comply with section 23(1) in relation to a data correction request, particulars of the reasons for the refusal; (Part 5 Division 3 Section 27(2)(c), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • the data user is not satisfied that the personal data to which the request relates is inaccurate; (Amended 18 of 2012 s. 2) (Part 5 Division 2 Section 24(3)(b), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • the data user is not supplied with such information as the data user may reasonably require to ascertain in what way the personal data to which the request relates is inaccurate; (Amended 18 of 2012 s. 2) (Part 5 Division 2 Section 24(3)(c), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • the data user is not satisfied that the correction which is the subject of the request is accurate; or (Part 5 Division 2 Section 24(3)(d), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • in such a way that that data cannot be used by a person (including the data user and a third party) without the note being drawn to the attention of, and being available for inspection by, that person; and (Amended 18 of 2012 s. 2) (Part 5 Division 2 Section 25(2)(b)(i)(B), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • of the matters in respect of which the opinion is considered by the requestor to be inaccurate; and (Part 5 Division 2 Section 25(2)(b)(i)(A), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • the data user is not satisfied that the correction which is the subject of the data correction request is accurate, complete, not misleading or up-to-date; or (Part II Division 4 36. (1) (d), Personal Data Protection Act 2010, Act 709, As at 15 June 2016)
  • make a note, whether annexed to the personal data or elsewhere— (Part II Division 4 37. (2) (a), Personal Data Protection Act 2010, Act 709, As at 15 June 2016)
  • of the matters in respect of which the expression of opinion is considered by the requestor to be inaccurate, incomplete, misleading or not up-to-date; and (Part II Division 4 37. (2) (a) (i), Personal Data Protection Act 2010, Act 709, As at 15 June 2016)
  • in such a way that the personal data cannot be used by any person without the note being drawn to the attention of and being available for inspection by that person; and (Part II Division 4 37. (2) (a) (ii), Personal Data Protection Act 2010, Act 709, As at 15 June 2016)
  • Where information provided through an information and communications network purposely to be made public intrudes on other persons' privacy, defames other persons, or violates other persons' right otherwise, the victim of such violation may request the provider of information and communications serv… (Article 44-2(1), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • A recordkeeper shall take reasonable steps, when requested by the concerned individual, to attach a statement to any record containing personal information that the recordkeeper is not willing to correct, delete, or add to after a request by the individual. (§ 14 Prin. 7(3)(a), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The recordkeeper shall take reasonable steps to attach a statement by the individual to a record, when requested by the concerned individual, when no decision or recommendation has been made to amend the record request under provisions of the law. (§ 14 Prin. 7(3)(b), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The credit reporting agency or credit provider must take reasonable steps to include a statement from the individual of the additions, deletions, or corrections sought within 30 days after the request. (§ 18J(2)(b), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The credit reporting agency or credit provider may refer a statement provided under section 18J(2) that is of undue length to the Information Commissioner for an appropriate reduction, and the altered statement is to be included in the credit information file or credit report. (§ 18J(3), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • An organization must take reasonable steps to attach a statement to any personal information that the individual asks for when the individual and the organization disagree as to whether it is complete, accurate, and up-to-date. (Sched 3 § 6.6, Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The organization should document disagreements as to whether the personal information is complete and accurate. (Table Ref 6.2.6, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Statement of disagreement. The covered entity must permit the individual to submit to the covered entity a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement. The covered entity may reasonably limit the length of a statement of di… (§ 164.526(d)(2), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Rebuttal statement. The covered entity may prepare a written rebuttal to the individual's statement of disagreement. Whenever such a rebuttal is prepared, the covered entity must provide a copy to the individual who submitted the statement of disagreement. (§ 164.526(d)(3), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • A consumer may file a brief statement about the nature of the dispute, if the consumer credit reporting agency determines the dispute is irrelevant or frivolous, the dispute is not resolved, or information is reinserted into the file. The agency may limit the statement to 100 words if it provides as… (§ 1785.16(f), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)
  • A person may not provide information that is under dispute for accuracy or completeness to a credit reporting agency absent including a notice that the information is disputed by the consumer. (§ 1785.25(c), Consumer Credit Reporting Agencies Act, California Civil Code 17851-1785.6)