(1) A data controller may refuse to comply with a request made under section 52 where —
(a) the data controller is not supplied with such information as the data controller may reasonably require in order to satisfy the data controller as to the identity of the person making the request, and to locate the information which the person seeks; or
(b) compliance with such request will be in contravention with his or her confidentiality obligation imposed under this Act or any other enactment.
(2) Where a data controller cannot comply with a request made under section 52 without disclosing personal data relating to another person, the data controller may refuse the request unless —
(a) the other individual has consented to the disclosure of his or her personal data to the person making the request; or
(b) the data controller obtains the written approval of the Commissioner.
(3) In determining for the purposes of subsection (2)(b) whether it is reasonable for the Commissioner to approve a request without the consent of the other individual concerned, regard must be had, in particular, to —
(a) any duty of confidentiality owed to the other individual;
(b) any steps taken by the data controller with a view to seeking the consent of the other individual;
(c) whether the other individual is capable of giving consent; and
(d) any express refusal of consent by the other individual.
(4) Where a data controller has previously complied with a request made under section 52 by a data subject or relevant person, the data controller is not obliged to comply with a subsequent identical or similar request under section 52 by that data subject or relevant person unless a reasonable interval has elapsed between compliance with the previous request and the making of the current request.
(5) In determining, for the purposes of subsection (4), whether request under section 52 are made at reasonable intervals, regard must be had to —
(a) the nature of the data;
(b) the purpose for which the data is processed; and
(c) the frequency with which the data is altered.
(6) Where a data controller does not comply with a request made under section 52 by a data subject or relevant person, the data controller shall notify the Commissioner and the data subject or relevant person, of the non-compliance. (Inserted by Act 2 of 2015)