Under the terms of Data Protection legislation, individual access to personal data, of which that individual is the data subject, must be permitted providing:
- the request is made in writing;
- a specified fee is paid for each individual search;
- the data controller is supplied with sufficient information to satisfy him or her self as to the identity of the person making the request;
- the person making the request provides sufficient and accurate information about the time, date and place to enable the data controller to locate the information which that person seeks, (it is recognised that a person making a request is unlikely to know the precise time. Under those circumstances it is suggested that within one hour of accuracy would be a reasonable requirement);
- the person making the request is only shown information relevant to that particular search and which contains personal data of her or him self only, unless all other individuals who may be identified from the same information have consented to the disclosure.
- in the event of the data controller complying with a request to supply a copy of the data to the subject, only data pertaining to the individual should be copied, (all other personal data which may facilitate the identification of any other person should be concealed or erased).
The data controller is entitled to refuse an individual request to view data under these provisions if insufficient or inaccurate information is provided, however every effort should be made to comply with subject access procedures and each request should be treated on its own merit.
In addition to the principles contained within the Data Protection legislation, the data controller should be satisfied that the data is:
- not currently and, as far as can be reasonably ascertained, not likely to become, part of a 'live' criminal investigation;
- not currently and, as far as can be reasonably ascertained, not likely to become, relevant to civil proceedings;
- not the subject of a complaint or dispute which has not been actioned;
- the original data and that the audit trail has been maintained;
- not removed or copied without proper authority;
- for individual disclosure only (i.e. to be disclosed to a named subject).