The Personal Data Protection Regulations 2014 ("Regulations") set out some new details about compliance with the Access & Correction and Transfer obligations of the Personal Data Protection Act 2012 ("PDPA"). I'm just going to address the Access & Correction obligations in this post.
Access & Correction
Form of providing personal data:
Upon receiving an access request, the organisation must provide the applicant with a copy of the personal data and use/disclosure information, but if this is impracticable, it must allow the applicant a reasonable opportunity to examine the personal data and use/disclosure information, or provide it in another form requested by the applicant that is acceptable to the organisation.
The organisation needs to comply with access or correction requests within 30 days of receiving the request. If it can't, it must, within those 30 days, inform the applicant in writing of when it will respond to the request. Best practice is also to provide an explanation for why it can't respond within 30 days.
Refusal to confirm/deny existence of personal data:
The organisation can refuse to confirm or deny the existence, use or disclosure of personal data in response to an access request if investigations or proceedings (and any related appeals) have not been completed. This prevents tipping off individuals about ongoing investigations or proceedings.
Reasonable fees can be charged for access requests. To do so, the organisation must provide the applicant with a written estimate of the fee, or written notice of any increase in the fee. The organisation doesn't need to respond to an access request if the applicant refuses to pay the fee. The fee shouldn't be unreasonable or have the effect of being obstructive, and keep in mind that the Commission may review the fee (or increased fee). Fees cannot be charged for correction requests.
That's it for the Access & Correction updates from the Regulations. A post on the Regulations' Transfer updates is coming soon.
Associate Director, Bernard & Rada Law Corporation
The posts found in this Law Blog are not legal advice, nor are they given for the purpose of providing legal advice.
You should contact your lawyer for legal advice if you need legal assistance.