Tricky – but welcome – changes to the Access and Correction Obligation
By Lyn Boxall, Director, Lyn Boxall LLC
Taking a look at the access component first. The tweak to the correction component is at the end of this paper.
Currently, an organisation is under an obligation to provide an individual with:
(a) personal data about the individual that is in the possession or under the control of the organisation and
(b) information about the ways in which the personal data referred to in paragraph (a) has been or may have been used or disclosed by the organisation within a year before the date of the request
An organisation is not required to provide an individual with the individual's personal data or other information in respect of the matters specified in the Fifth Schedule to the Personal Data Protection Act, the PDPA. These are generally matters of convenience from the organisation's perspective - for example, an organisation is not required to provide opinion data kept solely for an evaluative purpose, but may choose to do so. Similarly, an organisation is not required to respond to a request if the request is unreasonable, if the information is trivial or if the request is otherwise frivolous or vexatious.