You have the right to find out if an organisation is using or storing your personal data. This is called the right of access. You exercise this right by asking for a copy of the data, which is commonly known as making a ‘subject access request’.
How to access your data
You can make a subject access request to find out what data is held and how it is used. You may make a subject access request before exercising your other information rights.
You can make a subject access request verbally or in writing. If you make your request verbally, we recommend you follow it up in writing to provide a clear trail of correspondence. It will also provide clear evidence of your actions.
To exercise your right of access, follow these steps:
Step 1
- Identify where to send your request.
- Think about what personal data you want to access.
Step 2
- Make your request directly to the organisation.
- State clearly what you want.
You might not want all the personal data that the organisation holds about you. It may respond more quickly if you explain this and identify the specific data you want.
When making a subject access request, include the following information:
- Your name and contact details.
- Any information used by the organisation to identify or distinguish you from other people with the same name (account numbers etc).
- Any details or relevant dates that will help it identify what you want.
For example, you may want to ask for:
- your personnel file
- emails between ‘person A’ and ‘person B’ (say from 1 June 2018 to 1 Sept 2018)
- CCTV camera data situated at ‘location E’ on, say, 23 May 2017 from 11am to 5pm
- records detailing the transfer of your data to a third party.
Letter template
[Your full address]
[Phone number]
[The date]
[Name and address of the organisation]
Dear Sir or Madam
Subject access request
[Your full name and address and any other details to help identify you and the data you want.]
Please supply the data about me that I am entitled to under data protection law relating to: [give specific details of the data you want, for example:
- my personnel file
- emails between ‘person A’ and ‘person B’ (from 1 June 2017 to 1 Sept 2017)
- my medical records (between 2014 and 2017) held by ‘Dr C’ at ‘hospital D’
- CCTV camera situated at (‘location E’) on 23 May 2017 between 11am and 5pm
- copies of statements (between 2013 and 2017) held in account number xxxxx.]
If you need any more data from me, or a fee, please let me know as soon as possible. It may be helpful for you to know that data protection law requires you to respond to a request for data within one calendar month.
If you do not normally deal with these requests, please pass this letter to your Data Protection Officer, or relevant staff member. If you need advice on dealing with this request, the Information Commissioner’s Office can assist you. Its website is ico.org.uk or it can be contacted on 0303 123 1113.
Yours faithfully
[Signature]
Step 3
- Keep a copy of your request.
- Keep any proof of postage or delivery.
When to re-submit a request
You can ask an organisation for access more than once. However, it may be able to refuse access if your request is, as the law says, ‘manifestly unfounded or excessive’.
If you are thinking of resubmitting a request, you should think about whether:
- it is likely that your data has changed since your last request
- enough time has passed for it to be reasonable to request an update on how your data is being used, or
- the organisation has changed its activities or processes recently.
What to do if the organisation does not respond or you are dissatisfied with the outcome
If you are unhappy with how the organisation has handled your request, you should first make a complaint to it.
Having done so, if you remain dissatisfied you can make a complaint to the ICO.
You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise that you seek independent legal advice first.
What organisations should do
If an organisation reasonably needs more information to help it find your data or identify you, it has to ask you for the information it needs. It can then wait until it has all the necessary information before dealing with your request.
When it responds to your request, the organisation should provide you with a copy of your data. It may do this electronically. If you need your data in another format, you must ask if this is possible.
You are also entitled to be told the following things:
- What it is using your data for.
- Who it is sharing your data with.
- How long it will store your data, and how it made this decision.
- Information on your rights to challenge the accuracy of your data, to have it deleted, or to object to its use.
- Your right to complain to the ICO.
- Information on where your data came from.
- Whether your data is used for profiling or automated decision making and how it is doing this.
- If it has transferred your data to a third country or an international organisation, what security measures it took.
When can the organisation say no?
An organisation may refuse your subject access request if your data includes information about another individual, except where:
- the other individual has agreed to the disclosure, or
- it is reasonable to provide you with this information without the other individual’s consent.
In deciding this, the organisation will have to balance your right to access your data against the other individual’s rights regarding their own information.
The organisation can also refuse your request if it is ‘manifestly unfounded or excessive’.
In any case the organisation will need to tell you and justify its decision. It should also let you know about your right to complain to the ICO, or through the courts.
How long should the organisation take?
An organisation has one month to respond to your request. In certain circumstances it may need extra time to consider your request and can take up to an extra two months. If it is going to do this, it should let you know within one month that it needs more time and why. For more on this, see our guidance on Time Limits.
Can the organisation charge a fee for this?
A copy of your personal data should be provided free. An organisation may charge for additional copies. It can only charge a fee if it thinks the request is ‘manifestly unfounded or excessive’. If so, it may ask for a reasonable fee for administrative costs associated with the request.