Page:Personal Data Protection Act 2012.pdf/23

24 : about that collection, use or disclosure on behalf of the organisation. PART V ACCESS TO AND CORRECTION OF PERSONAL DATA Access to personal data

21.—(1) Subject to subsections (2), (3) and (4), on request of an individual, an organisation shall, as soon as reasonably possible, provide the individual with—
 * (a) personal data about the individual that is in the possession or under the control of the organisation; and
 * (b) information about the ways in which the personal data referred to in paragraph (a) has been or may have been used or disclosed by the organisation within a year before the date of the request.

(2) An organisation is not required to provide an individual with the individual’s personal data or other information under subsection (1) in respect of the matters specified in the Fifth Schedule.

(3) An organisation shall not provide an individual with the individual’s personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to—
 * (a) threaten the safety or physical or mental health of an individual other than the individual who made the request;
 * (b) cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request;
 * (c) reveal personal data about another individual;
 * (d) reveal the identity of an individual who has provided personal data about another individual and the individual providing the personal data does not consent to the disclosure of his identity; or
 * (e) be contrary to the national interest.