|
Amendment of section 4 (right of access) of Principal Act.
|
5.—Section 4 of the Principal Act is amended—
|
| |
(a) in subsection (1), by the substitution of the following paragraphs for paragraphs (a) and (b):
|
| |
“(a) Subject to the provisions of this Act, an individual shall, if he or she so requests a data controller by notice in writing—
|
| |
(i) be informed by the data controller whether the data processed by or on behalf of the data controller include personal data relating to the individual,
|
| |
(ii) if it does, be supplied by the data controller with a description of—
|
| |
(I) the categories of data being processed by or on behalf of the data controller,
|
| |
(II) the personal data constituting the data of which that individual is the data subject,
|
| |
(III) the purpose or purposes of the processing, and
|
| |
(IV) the recipients or categories of recipients to whom the data are or may be disclosed,
|
| |
(iii) have communicated to him or her in intelligible form—
|
| |
(I) the information constituting any personal data of which that individual is the data subject, and
|
| |
(II) any information known or available to the data controller as to the source of those data unless the communication of that information is contrary to the public interest,
|
| |
and
|
| |
(iv) where the processing by automatic means of the data of which the individual is the data subject has constituted or is likely to constitute the sole basis for any decision significantly affecting him or her, be informed free of charge by the data controller of the logic involved in the processing,
|
| |
as soon as may be and in any event not more than 40 days after compliance by the individual with the provisions of this section and, where any of the information is expressed in terms that are not intelligible to the average person without explanation, the information shall be accompanied by an explanation of those terms.
|
| |
(b) A request under paragraph (a) of this subsection that does not relate to all of its subparagraphs shall, in the absence of any indication to the contrary, be treated as relating to all of them.”,
|
| |
(b) by the insertion of the following subsection after subsection (4):
|
| |
“(4A) (a) Where personal data relating to a data subject consist of an expression of opinion about the data subject by another person, the data may be disclosed to the data subject without obtaining the consent of that person to the disclosure.
|
| |
(b) Paragraph (a) of this subsection does not apply—
|
| |
(i) to personal data held by or on behalf of the person in charge of an institution referred to in section 5(1)(c) of this Act and consisting of an expression of opinion by another person about the data subject if the data subject is being or was detained in such an institution, or
|
| |
(ii) if the expression of opinion referred to in that paragraph was given in confidence or on the understanding that it would be treated as confidential.”,
|
| |
(c) in subsection (8)(a), by the insertion after “in the interests of data subjects” of “or in the public interest”, and
|
| |
(d) by the insertion of the following subsections after subsection (8):
|
| |
“(9) The obligations imposed by subsection (1)(a)(iii) (inserted by the Act of 2003) of this section shall be complied with by supplying the data subject with a copy of the information concerned in permanent form unless—
|
| |
(a) the supply of such a copy is not possible or would involve disproportionate effort, or
|
| |
(b) the data subject agrees otherwise.
|
| |
(10) Where a data controller has previously complied with a request under subsection (1) of this section, the data controller is not obliged to comply with a subsequent identical or similar request under that subsection by the same individual unless, in the opinion of the data controller, a reasonable interval has elapsed between compliance with the previous request and the making of the current request.
|
| |
(11) In determining for the purposes of subsection (10) of this section whether the reasonable interval specified in that subsection has elapsed, regard shall be had to the nature of the data, the purpose for which the data are processed and the frequency with which the data are altered.
|
| |
(12) Subsection (1)(a)(iv) of this section is not to be regarded as requiring the provision of information as to the logic involved in the taking of a decision if and to the extent only that such provision would adversely affect trade secrets or intellectual property (in particular any copyright protecting computer software).
|
| |
(13) (a) A person shall not, in connection with—
|
| |
(i) the recruitment of another person as an employee,
|
| |
(ii) the continued employment of another person, or
|
| |
(iii) a contract for the provision of services to him or her by another person,
|
| |
require that other person—
|
| |
(I) to make a request under subsection (1) of this section, or
|
| |
(II) to supply him or her with data relating to that other person obtained as a result of such a request.
|
| |
(b) A person who contravenes paragraph (a) of this subsection shall be guilty of an offence.”.
|