The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Find out how to request your personal information

Can I access my personal information?

You have the right to get a copy of the information that is held about you. This is known as a subject access request.

This right of subject access means that you can make a request under the Data Protection Act to any organisation processing your personal data. The Act calls these organisations ‘data controllers’.

You can ask the organisation you think is holding, using or sharing the personal information you want, to supply you with copies of both paper and computer records and related information.

Organisations may charge a fee of up to £10 (£2 if it is a request to a credit reference agency for information about your financial standing only).

There are special rules that apply to fees for paper based health records (the maximum fee is currently £50) and education records (a sliding scale from £1 to £50 depending on the number of pages provided).

However, it is important to remember that not all personal information is covered and there are ‘exemptions’ within the Act which may allow an organisation to refuse to comply with your subject access request in certain circumstances.

How do I make a request?

To make a subject access request, follow these steps:

1) Plan ahead

It will save you time if you do the following before writing your request:

  • Find out the right department and the right person to send the request to. Calling an organisation’s helpline or checking their privacy notice or policy on their website may help you find this out.
  • Check about the costs and fees in advance.
  • Make sure you know all the information you need. Organisations are entitled to charge a fee for every request, so you may have to pay another fee to get information you have not included in your original request.

2) Write to the organisation

When requesting your personal information from an organisation, you should include the following information:

  • your full name, address and contact telephone number;
  • any information used by the organisation to identify or distinguish you from others of the same name (account numbers, unique ID's etc);
  • details of the specific information you require and any relevant dates, for example:
    - your personnel file;
    - emails between ‘A’ and ‘B’ (between 1/6/11 and 1/9/11);
    - your medical records (between 2006 & 2009) held by Dr ‘C’ at ‘D’ hospital;
    - CCTV camera situated at (‘E’ location) on 23/5/12 between 11am and 5pm;
    - copies of statements (between 2006 & 2009) held in account number xxxxx .

It may also be helpful to include:

  • a reference to the 40-day deadline that applies when dealing with requests to provide personal information;
  • a reference to the Data Protection Act 1998 and subject access requests; and
  • reference to the assistance that the Information Commissioner’s Office can provide.

You also have the right to ask about any logic involved in any automated decisions made about you.

Alternatively, you may wish to use the template below:

(Printable word version of template letter)

[Your full address]
[Phone number]
[The date]

[Name and address of the organisation]

Dear Sir or Madam

Subject access request

[Your full name and address and any other details to help identify you and the information you want.]

Please supply the information about me I am entitled to under the Data Protection Act 1998 relating to: [give specific details of the information you want, for example

  • your personnel file;
  • emails between ‘A’ and ‘B’ (between 1/6/11 and 1/9/11);
  • your medical records (between 2006 & 2009) held by Dr ‘C’ at ‘D’ hospital;
  • CCTV camera situated at (‘E’ location) on 23/5/12 between 11am and 5pm;
  • copies of statements (between 2006 & 2009) held in account number xxxxx).]

If you need any more information from me, or a fee, please let me know as soon as possible.

It may be helpful for you to know that a request for information under the Data Protection Act 1998 should be responded to within 40 days.

If you do not normally deal with these requests, please pass this letter to your Data Protection Officer. If you need advice on dealing with this request, the Information Commissioner’s Office can assist you and can be contacted on 0303 123 1113 or at www.ico.org.uk

Yours faithfully
[Signature]

3) Keep copies and proof of receipt

It is best to send your request by recorded delivery or by email, and you should keep a copy of the request and all other correspondence. This will be important as evidence if you need to complain to the Information Commissioner’s Office that the organisation has not given you the information you think you are entitled to.

What can I expect from the organisation?

How should an organisation respond to my request?

The organisation has to reply within 40 days, starting from the day they receive both the fee and the information they need to identify you and the information you need. A credit reference agency must reply within seven days to a request for a credit file.

If an organisation reasonably needs more information to help them find your information or identify you, they have to ask you for the information they need. They can then wait until they have all the necessary information as well as the fee before dealing with your request.

The organisation should give you the information in writing but they need not do this if it is not possible, if it takes ‘disproportionate effort’ or if you agree to some other form, such as seeing it on screen. The Act does not define what disproportionate effort means but we think the following should be taken into account:

  • the cost of giving you the information;
  • the length of time it will take;
  • how difficult it will be;
  • the size of the organisation; and
  • the effect on you of not having the information in permanent form.

What should an organisation send me?

You are entitled to be told if any personal information is held about you and if it is, to be given:

  • a copy of the information in permanent form;
  • an explanation of any technical or complicated terms;
  • any information the organisation has about where they got your information from;
  • a description of the information, the purposes for processing the information and who the organisation is sharing the information with; and
  • the logic involved in any automated decisions (if you have specifically asked for this).

Can the organisation withhold any information?

Yes. There are some circumstances where the information you have asked for contains information that relates to another person. Unless the other person gives their permission, or it is reasonable in all the circumstances to provide the information without permission, the organisation is entitled to withhold this information.

There are other circumstances where the organisation can withhold information under the Act. For example, if it would put at risk a criminal investigation or catching an offender. If you want more information on the circumstances when information may be withheld in this way, view our guide to data protection for organisations.

The Act covers personal information that:

  • is held, or going to be held on computer;
  • is in, or going to be in, a manual filing system that is highly structured so that information about you can be easily retrieved;
  • is in most health, educational, social service or housing records; or
  • is other information held by a public authority.

What can I do if the organisation does not respond?

If more than 40 calendar days have passed since you made your request, we advise you write to the organisation to remind them of your request and their obligations under the Data Protection Act. We recommend you send any correspondence by recorded delivery.

Here is a template letter you may use:

(Printable word version of template letter)

[Your full address]
[Phone number]
[The date]


[Name and address of the organisation]

Dear Sir or Madam

Non response to a subject access request

I am writing further to my letter of [date] in which I made a subject access request, because I have not received any response from your organisation.

As the statutory time limit for responding to my subject access request (40 days) has now expired, I would be grateful if you could provide a response as soon as possible.

If I do not receive a response from your organisation within 14 days, I will report this matter to the Information Commissioner’s Office (ICO).

You can find advice on the ICO’s website on how to deal with a subject access request [ico.org.uk/sar] and information on their powers and the action they can take [ico.org.uk/action] or call them on 0303 123 1113.

*If there is anything you would like to discuss, please contact me on the following [telephone number].

Yours faithfully
[Signature]

*optional

If you do not receive a response to this letter, please report your concern to us.

What can I do if I believe the organisation has not sent me all the information I am entitled to?

If you feel the organisation has withheld some of your personal information, we recommend you contact them with your concern. Make sure you state the information you think is being withheld.

Here is a template letter you may use:

(Printable word version of template letter)

[Your full address]
[Phone number]
[The date]


[Name and address of the organisation]
[Reference number (if provided within the initial response)]

Dear […]

Subject access request

Further to my letter of [date] in which I made a subject access request, I would now like you to revisit the way you handled my request.

I requested the following information: [List information]

I received a response from you on [date] from [name of person in the organisation responding]. I have attached a copy of both letters for your information. From the information you have provided and from my reading of the Information Commissioner’s Office website at www.ico.org.uk, I suspect you have failed to disclose all the relevant information I requested.

I believe that I have not received all the data I am entitled to. I expected to receive any personal data relating to me that may be contained within the following: [List the records that you want the organisation to search and where they might be found, including any relevant dates, for example:

  • your personnel file;
  • emails between ‘A’ and ‘B’ (between 1/6/11 and 1/9/11);
  • your medical records (between 2006 & 2009) held by Dr ‘C’ at ‘D’ hospital;
  • CCTV camera situated at (‘E’ location) on 23/5/12 between 11am and 5pm;
  • copies of statements (between 2006 & 2009) held in account number xxxxx).]

If you have withheld any information relating to me I would be grateful if you would confirm this and tell me why you consider it appropriate to do so.

If there is anything further you can do to resolve this matter, or further information you can provide, please do so.

As the statutory time limit for responding to my subject access request (40 days) has now expired, I would be grateful if you could provide this information within 14 days.

I must advise you that if I do not receive a satisfactory response from you, I will report this matter to the Information Commissioner’s Office (ICO).

You can find advice on the ICO’s website on how to deal with a subject access request [ico.org.uk/sar] and information on their powers and the action they can take [ico.org.uk/action] or call them on 0303 123 1113.

*If there is anything you would like to discuss, please contact me on the following [telephone number].

Yours sincerely
[Signature]

*optional

If you have contacted the organisation and still believe some of your personal information has is being withheld, please call our helpline on 0303 123 1113.