42.
Compliance with request for access to personal data
(1)
Subject to subsection (2) and section 43 and to the
payment of the prescribed fee, a data controller shall comply with a
request under section 41 not later than 28 days after the receipt of the
request.
(2)
Where a data controller is unable to comply with the request within the
period specified in subsection (1), he shall –
(a)
before the expiry of the specified period –
(i)
inform the data subject or the relevant person who
has made the request on behalf of the data subject, that he
is unable to comply with the request and shall, if required,
state the reasons therefor;
(ii)
endeavour to comply with the request in such time
reasonably practicable, and
(b)
as soon as practicable after the expiry of the specified period,
comply with the request.
43.
Denial of access to personal data
(1)
A data controller may refuse a request under section 41 where –
(a)
he is not supplied with such information as he may reasonably
require in order to satisfy himself as to the identity of the person
making the request, and to locate the information which the
person seeks;
(b)
compliance with such request will be in contravention with his
confidentiality obligation imposed under any other enactment.