The complainant instructed a law firm to act as his "relevant person" under the PD(P)O to make a data access request to an investment company seeking access to his personal data. The company refused to comply with the request on grounds that the law firm was not properly authorized due to irregularities in the authorization letter and the request was defective and a nullity ab initio.
Under the PD(P)O, a "relevant person" making a data access request on behalf an individual can be a "person" including any body of persons, corporate or unincorporate. Accordingly, the law firm can act as the requestor for the data on behalf of the complainant. Section 20(1)(a) of the PD(P)O provides for a data user to refuse to supply the requested data when it is not sure about the identity of the requestor. However, it does not entitle the data user to refuse outright to supply the data. It can only be invoked when the data user’s reasonable request for information has not been complied with by the requestor. Similar provisions are contained in section 20(3)(b) where a data user may refuse to comply with a data access request if it is not supplied with such information as it may reasonably require to locate the requested data. Where question of identity of the requestor or specification of the requested data arises, further information as may be reasonably required can be sought. Accordingly, an error or irregularity in a data access request could not render the request a nullity. It merely makes the requestor liable to the supply of further information as may be reasonably required of him.
A data user has the obligation to first seek further information from the requestor and if the request for such information is declined then the data user may exercise the right to refuse to comply with the data access request.