Section 32

the data user is not supplied with such information as he may reasonably require—

in order to satisfy himself as to the identity of the requestor; or

as to the identity of the data subject in relation to whom the requestor claims to be the relevant person; and

that the requestor is the relevant person in relation to the data subject;

the data user is not supplied with such information as he may reasonably require to locate the personal data to which the data access request relates;

the burden or expense of providing access is disproportionate to the risks to the data subject’s privacy in relation to the personal data in the case in question;

the data user cannot comply with the data access request without disclosing personal data relating to another individual who can be identified from that information, unless—

that other individual has consented to the disclosure of the information to the requestor; or

subject to subsection (3), any other data user controls the processing of the personal data to which the data access request relates in such a way as to prohibit the first-mentioned data user from complying, whether in whole or in part, with the data access request;

providing access would constitute a violation of an order of a court;

providing access would disclose confidential commercial information; or

such access to personal data is regulated by another law.

In determining for the purposes of subparagraph (1)(d)(ii)

whether it is reasonable in all the circumstances to comply with the data access request without the consent of the other individual, regard shall be had, in particular, to—

Paragraph (1)(e) shall not operate so as to excuse the data user from complying with the data access request under subsection 30(2) to any extent that the data user can comply with the data access request without contravening the prohibition concerned.

Notification of refusal to comply with data access request