|
Right of access.
|
4.—(1) (a) Subject to the provisions of this Act, an individual shall, if he so requests a data controller in writing—
|
| |
(i) be informed by the data controller whether the data kept by him include personal data relating to the individual, and
|
| |
(ii) be supplied by the data controller with a copy of the information constituting any such data,
|
| |
as soon as may be and in any event not more than 40 days after compliance by the individual with the provisions of this section; and, where any of the information is expressed in terms that are not intelligible to the average person without explanation, the information shall be accompanied by an explanation of those terms.
|
| |
(b) A request for the information specified in subparagraph (i) of subsection (1) (a) of this section shall, in the absence of any indication to the contrary, be treated as including a request for a copy of the information specified in subparagraph (ii) of the said subsection (1) (a).
|
| |
(c) (i) A fee may be payable to the data controller concerned in respect of such a request as aforesaid and the amount thereof shall not exceed such amount as may be prescribed or an amount that in the opinion of the Commissioner is reasonable, having regard to the estimated cost to the data controller of compliance with the request, whichever is the lesser.
|
| |
(ii) A fee paid by an individual to a data controller under subparagraph (i) of this paragraph shall be returned to him if his request is not complied with or the data controller rectifies or supplements, or erases part of, the data concerned (and thereby materially modifies the data) or erases all of the data on the application of the individual or in accordance with an enforcement notice or an order of a court.
|
| |
(2) Where pursuant to provision made in that behalf under this Act there are separate entries in the register in respect of data kept by a data controller for different purposes, subsection (1) of this section shall apply as if it provided for the making of a separate request and the payment of a separate fee in respect of the data to which each entry relates.
|
| |
(3) An individual making a request under this section shall supply the data controller concerned with such information as he may reasonably require in order to satisfy himself of the identity of the individual and to locate any relevant personal data or information.
|
| |
(4) Nothing in subsection (1) of this section obliges a data controller to disclose to a data subject personal data relating to another individual unless that other individual has consented to the disclosure:
|
| |
Provided that, where the circumstances are such that it would be reasonable for the data controller to conclude that, if any particulars identifying that other individual were omitted, the data could then be disclosed as aforesaid without his being thereby identified to the data subject, the data controller shall be obliged to disclose the data to the data subject with the omission of those particulars.
|
| |
(5) Information supplied pursuant to a request under subsection (1) of this section may take account of any amendment of the personal data concerned made since the receipt of the request by the data controller (being an amendment that would have been made irrespective of the receipt of the request) but not of any other amendment.
|
| |
(6) (a) A request by an individual under subsection (1) of this section in relation to the results of an examination at which he was a candidate shall be deemed, for the purposes of this section, to be made on—
|
| |
(i) the date of the first publication of the results of the examination, or
|
| |
(ii) the date of the request,
|
| |
whichever is the later; and paragraph (a) of the said subsection (1) shall be construed and have effect in relation to such a request as if for “40 days” there were substituted “60 days”.
|
| |
(b) In this subsection “examination” means any process for determining the knowledge, intelligence, skill or ability of a person by reference to his performance in any test, work or other activity.
|
| |
(7) A notification of a refusal of a request made by an individual under and in compliance with the preceding provisions of this section shall be in writing and shall include a statement of the reasons for the refusal and an indication that the individual may complain to the Commissioner about the refusal.
|
| |
(8) (a) If and whenever the Minister considers it desirable in the interests of data subjects to do so and by regulations so declares, the application of this section to personal data—
|
| |
(i) relating to physical or mental health, or
|
| |
(ii) kept for, or obtained in the course of, carrying out social work by a Minister of the Government, a local authority, a health board or a specified voluntary organisation or other body,
|
| |
may be modified by the regulations in such manner, in such circumstances, subject to such safeguards and to such extent as may be specified therein.
|
| |
(b) Regulations under paragraph (a) of this subsection shall be made only after consultation with the Minister for Health and any other Minister of the Government who, having regard to his functions, ought, in the opinion of the Minister, to be consulted and may make different provision in relation to data of different descriptions.
|