Rights of data subjects and others
Right of access to personal data
35. (1) A data controller shall
(a) inform an individual who is the data subject of the processing
of the individual’s personal data by the data controller or another
person on behalf of the data controller;
(b) give to the data subject, a description of
(i) the personal data of which that individual is the data
subject;
(ii) the purpose for which the data is being or is to be
processed; and
(iii) the recipient or class of recipients to whom the data
may be disclosed;
(c) communicate in an intelligible form to the data subject
(i) information which constitutes personal data of
which that individual is the subject;
(ii) information which is available to the data controller
as to the source of the data; and
(d) inform the individual who is the data subject of the logic or
rationale behind the decision that was made based on the processing
where the processing constitutes the sole basis for the taking of a
decision which significantly affects that individual.
(2) Where the data constitutes a trade secret, the provision of data related
to the logic or rationale involved in any decision taken does not apply.
(3) A data controller shall not comply with a request under subsec- tion (1)
unless the data controller is supplied with the data that the data controller may
reasonably require to identify the person making the request and to locate the
data which that person seeks.
(4) Where a data controller is unable to comply with the request without
disclosing data related to another individual who may be identi- fied from the
information, the data controller shall not comply with the request unless
(a) the other individual consents to the disclosure of the data
to the person who makes the request, or
(b) it is reasonable in all the circumstances to comply with the request
without the consent of the other individual.
(5) A reference to data related to another individual in subsection (4)
includes a reference to data which identifies that individual as the source of the
data requested.
(6) A data controller shall not rely on subsection (4)(b) to fail to
communicate the information sought that may be communicated without the
disclosure of the identity of the individual concerned.
(7) The data controller may make the communication under subsection (6)