8. Grounds limiting compliance with request for access

8.—

1. Where a data controller—

(a) reasonably requires further information in order to satisfy himself as to the identity of an individual who makes a request under section 6 and to locate the information which that individual seeks; and

(b) has informed the individual of that requirement, the data controller is not obliged to comply with the request unless the further information is supplied to the data controller.

2. Where a data controller cannot comply with a request under section 6 without disclosing information relating to another individual who can be identified from that information, the data controller is not obliged to comply with the request unless—

(a) the other individual consents to the disclosure of the information; or

(b) it is reasonable in all the circumstances to comply with the request without the consent of the other individual and the data controller has notified that other individual of the data controller’s intention to comply with the request.

3. In subsection (2), the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request, and that subsection shall not be construed as excusing a data controller from communicating only so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise.

4. For the purposes of subsections (2) and (3), another individual can be identified from the information being disclosed if that other individual can be identified from that information alone or from that information and other information which, in the reasonable belief of the data controller, is likely to be in, or come into, the possession of the data subject making the request. (5) In determining for the purposes of subsection (2)(b) whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard shall be had, in particular, to—

(a) any duty of confidentiality owed to the other individual;

(b) any steps taken by the data controller with a view to seeking the consent of the other individual;

(d) any express refusal of consent by the other individual.

6. Where a data controller has previously complied with a request made under section 6 by an individual, the data controller is not obliged to comply with a subsequent identical or similar request under that section by the individual unless a reasonable interval has elapsed between compliance with the previous request and the making of the subsequent request.

7. In determining for the purposes of subsection (6) whether requests under section 6 are made at reasonable intervals, regard shall be had to the nature of the personal data, the purpose for which the personal data are processed and the frequency with which the personal data are altered.

8. Section 6(2)(d) shall not be regarded as requiring the provision of information as to the logic for any decision if, and to the extent that, the information constitutes a trade secret. (9) Where personal data requested under section 6—

(a) is not in the custody or control of the data controller, the data controller shall in writing so inform the individual making the request; or

(b) are personal data which the data controller is entitled to refuse to disclose to the data subject by virtue of any provision of this Act, the data controller shall in writing inform the individual making the request that the disclosure is refused and identify the relevant provision relied on for the refusal, within thirty days after receiving the request.

<-- Contents page