You have the right to get a copy of the information that is held about you. These rights are known as subject access rights.
Requests to see records and other related information are known as ‘subject access requests’. You make the request to the organisation you think is holding, using or sharing the information you want. Personal information can be contained in both paper and computer records but not all personal information is covered by the Data Protection Act.
How can I find out what is held about me?
If you want to know if a person or organisation holds information about you and what information they hold, you will need to write to that person or organisation and make a subject access request. You should ask for a copy of all the information they hold about you. If you are not sure who to write to in an organisation, address your letter to the company secretary.
It is a good idea to include your full name and address in the heading, and any other information to help identify you and the information you need. For example, if you are making a request to a previous employer, they may need the dates when you worked for them to find the information about you. In other circumstances, a reference number such as your NHS number may be needed. Be as specific as possible. It will help the organisation if you tell them exactly what information you want.
Some organisations make decisions using an automated process (for example, using a computer system to give you a credit rating). If you want them to also tell you about the logic involved in making these decisions, you should specifically ask for this in your letter.
How much does it cost?
Organisations may charge a fee of up to £10 (£2 if it is a request to a credit reference agency for information about your financial standing only).
There are special rules that apply to fees for paper-based health records (the maximum fee is currently £50) and education records (a sliding scale from £1 to £50 depending on the number of pages provided).
You will have to pay a fee (if charged) for every request, so you need to specify all the information you need in your first letter, otherwise you may have to pay another fee to get information you have asked for on a different occasion.
What sort of letter should I write?
Your full address
Dear Sir or Madam
(Your full name and address and any other details to help identify you and the information you want.)
Please supply the information about me I am entitled to under the Data Protection Act 1998 relating to (give details of the information you want). (Please would you also tell me the logic involved in any automated decisions you have made about me.)
If you need any more information from me, or a fee, please let me know as soon as possible.
If you do not normally deal with these requests, please pass this letter to your Data Protection Officer or another appropriate officer.
It is best to send your request by recorded delivery or by email, and keep a copy of the request and all other correspondence. This will be important as evidence if you need to complain that the organisation has not given you the information you think you are entitled to.
How should an organisation respond to my request?
The organisation has to reply promptly, and at the most within 40 days, starting from the day they receive both the fee and the information they need to identify you and the information you need. A credit reference agency must reply within seven days to a request for a credit file.
If an organisation reasonably needs more information to help them find your information or identify you, they have to ask you for the information they need. They can then wait until they have all the necessary information as well as the fee before dealing with your request.
The organisation should give you the information in writing but they need not do this if it is not possible, if it takes ‘disproportionate effort’ or if you agree to some other form, such as seeing it on screen. The Act does not define what disproportionate effort means but we think the following should be taken into account:
- the cost of giving you the information;
- the length of time it will take;
- how difficult it will be;
- the size of the organisation; and
- the effect on you of not having the information in permanent form.
What will be sent to me?
You are entitled to be told if any personal information is held about you and if it is, to be given:
- a copy of the information in permanent form;
- an explanation of any technical or complicated terms;
- any information the organisation has about where they got your information from;
- a description of the information, the purposes for processing the information and who the organisation is sharing the information with; and
- the logic involved in any automated decisions (if you have specifically asked for this).
How can I get a copy of my credit file?
For instructions on how to get a copy of your credit file, view our credit guide.
Can the organisation withhold any information?
Yes. There are some circumstances where the information you have asked for contains information that relates to another person. Unless the other person gives their permission, or it is reasonable in all the circumstances to provide the information without permission, the organisation is entitled to withhold this information.
There are other circumstances where the organisation can withhold information under the Act, for example if providing it would put at risk a criminal investigation or catching an offender. If you want more information on the circumstances when information may be withheld in this way, view our guide to data protection for organisations.
The Act covers personal information that:
- is held, or going to be held on computer;
- is in, or going to be in, a manual filing system that is highly structured so that information about you can be easily retrieved;
- is in most health, educational, social service or housing records; or
- is other information held by a public authority.
How can I access ‘other information’ held by a public authority?
The Freedom of Information Act 2000, which applies to public authorities, amended the Data Protection Act by creating another category of personal information. This category covers personal information held about you by a public authority that is:
- partly organised, such as in a file with someone’s name on it which has been compiled in date order; or
- ‘unstructured’ material, and is not organised in a file or any other way.
You can request access to partly-organised information using a normal subject access request as described above.
If you want access to unstructured information, you will need to describe the information you want so the authority can find it. Although the fee for access to public authority information is £10, the authority can estimate the cost of dealing with a request for unstructured information, and refuse the request if the cost is more than £450 (or £600 if it is central government).
What can I do if the organisation does not comply with my subject access request?
If you have sent all the necessary information (including any fee) and
- the organisation does not respond to your request within 40 days; or
- you are not satisfied with their response;
you should send them a reminder letter by recorded delivery (and keep a copy of the letter).
If you do not get a reply fairly quickly, or you think the information you receive is wrong or incomplete, you can:
Our assessment will tell you if it is likely that the organisation has broken the Act and may help you decide whether to take legal action. However, you can take a case to court without asking us for an assessment.
What orders can the court make?
If a court is satisfied that an organisation has not dealt with a subject access request in line with the Act, the court can order them to comply. The court also has the power to award compensation. For more information, please see Claiming compensation and Taking a case to court.