You have the right to get your personal data from an organisation in a way that is accessible and machine-readable, for example as a csv file.
You also have the right to ask an organisation to transfer your data to another organisation. They must do this if the transfer is, as the regulation says, “technically feasible”.
This is known as the right to data portability.
What kind of data this right relates to
This right is similar to your right of access [link to guide for SARs] but there are some differences. Specifically, the right only applies to data that:
- is held electronically, and
- you have provided to the organisation.
Data you have provided does not just mean information you have typed in, such as a username or email address. It may include data the organisation has gathered from monitoring your activities when you have used a device or service. This may include:
- website or search usage history
- traffic and location data, or
- ‘raw’ data processed by connected objects such as smart meters and wearable devices. An example of this could be data recorded on a fitness app.
How to ask an organisation to give you your data or transfer it
To exercise your right to portability you should:
- make your request directly to the organisation,
- state what you want.
A request can be verbal or in writing. We recommend you follow up any verbal request in writing because this will allow you to explain your concern, give evidence and state your desired solution. It will also provide clear proof of your actions if you decide to challenge the organisation’s initial response.
When to make a portability request
You can make a portability request at any time to any organisation that:
- relies on your consent to use your personal data, or
- uses your data as part of a contract you have with them.
The organisation’s privacy notice will tell you more about why it is using your data.
What to do if you disagree with the outcome or remain dissatisfied
If you are unhappy with how the organisation has handled your request, you should first complain to it.
Having done so, if you remain dissatisfied you can make a complaint to the ICO.
You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise you to seek independent legal advice first.
How should I raise my concern about how an organisation has handled my information?
You can use the template letter below to help you raise your concerns.
[Your full address]
[Name and address of the organisation]
Dear [Sir or Madam / name of the person you have been in contact with]
Information rights concern
I am concerned that you have not handled my personal information properly.
[Give details of your concern, explaining clearly and simply what has happened and, where appropriate, the effect it has had on you.]
I understand that before reporting my concern to the Information Commissioner’s Office (ICO) I should give you the chance to deal with it.
If, when I receive your response, I would still like to report my concern to the ICO, I will give them a copy of it to consider.
You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.
Please send a full response within one calendar month. If you cannot respond within that timescale, please tell me when you will be able to respond.
If there is anything you would like to discuss, please contact me on the following number [telephone number].
What organisations should do
The organisation must provide a copy of the requested data in a commonly used and machine-readable format, such as a csv file. The organisation may also allow you to access the data yourself through an automated tool.
Depending on what you have requested, the organisation should send the data to you or to an organisation you have identified. Before doing this, the organisation may need to confirm your identity.
The organisation may not automatically delete your data after giving it you or sending it to another organisation. So if you want your data to be deleted, you may need to exercise your right to erasure..
When can the organisation say no?
If the organisation believes that a request is, as the law states, “manifestly unfounded or excessive”, it can:
- request a reasonable fee to deal with the request, or
- refuse to deal with the request.
In reaching this decision, it can take into account whether the request is repetitive. In either case it will need to tell you and justify its decision.
How long should an organisation take?
The organisation has one month to respond to your request. In certain circumstances it may need extra time to consider your request and can take up to an extra two months. If it is going to do this, it should let you know within one month that it needs more time and why. For more on this, see our guidance on Time Limits.