Menu
Food
Fuel and water
Communications and broadcasting
Environment
Rural affairs
Transport
Health
Social care
Education
Housing
Access to information
Money matters
Access to goods and services
Consumer education
Involving consumers
Access to justice
Consumer rights
Legal and advice services
Regulation and self regulation
Local government
Europe


FOI Site map Contact Us Jobs
  Home SCC  > What’s on my record? > Your rights

Your rights

The Data Protection Act 1998 gives you general rights to see personal information about you held on computer and paper. This personal information includes records held by public-sector organisations and private companies, such as:

• airlines and travel agents
• banks and building societies
• computer dating agencies
• credit card companies
• employers
• gas, electricity, telephone and internet service providers
• government departments
• hospitals and doctors
• local councils, including schools and departments dealing with council tax, housing and social services or social work
• mail-order and internet companies
• the police
• supermarkets and high-street retailers.


Note: there are some differences to the general rights described below in relation to the following:

• access by pupils to their school records and by parents to their children’s school records
• access to health records
• access to housing records
• access to social work records.


These differences are described in later sections of this guide. People and organisations (known as data controllers) who keep information about you (the data subject) have to register their details with the Information Commissioner, unless they are exempt (see below). This register shows:

• the names and addresses of data controllers
• why they process the data
• the types of data they process
• the sources of data and the people they may want to give the information to
• whether it may be transferred outside the European Economic Area, which comprises the 27 member states of the European Union plus Iceland, Liechtenstein and Norway.


You can see the Register of data controllers at the Information Commissioner’s office, or online through the Commissioner’s website.

Exemptions from the need to register with the Information Commissioner are possible for:

(a) data controllers maintaining a public register that they are required to publish, such as the edited electoral roll. For guidance, see the Use of personal information available on the electoral roll. You can obtain a copy of this from the Information Commissioner - see ’Advice and assistance’ at the end of this guide
(b) some not-for-profit organisations, such as small clubs, voluntary organisations, church administration and some charities
(c) private individuals processing personal data for personal, family or household affairs (including recreational purposes)
(d) organisations keeping data only for staff administration, advertising, marketing and public relations, accounts and records

Data controllers must comply with the Data Protection Act even if they have not notified the Information Commissioner of their details.

How do I apply?

You have a right of access to information about you, regardless of your age, as long as the data controller is satisfied that you understand what it means to use your right. As a general guide, you are presumed to understand what it means from the age of 12.

You should apply in writing, by post or email, to the person or organisation you believe holds the information on you. This is known as a ’subject access request’. If you are not sure who to write to within the organisation, telephone the head office and ask who that is (such as a data protection officer or company secretary), and if they can send you an application form. You can ask for all the information they have about you to which the Act applies or you can ask them to help you identify the records you want. You should send a postal request by recorded delivery, and keep copies of the letter and any further correspondence. The data controller can ask you to prove your identity and provide enough information to help find your records. It will save time if you state what your relationship is with the body concerned — such as customer, employee, patient or tenant (past, current or prospective) — and give relevant dates or reference numbers.

Can I also apply on behalf of someone else?

Yes. You can also make a request on behalf of:

• a child aged under 16 for whom you have parental responsibility, although children can make their own requests if they understand their rights of subject access
• someone who is unable to manage their own affairs, where a court has appointed you to act for them In these cases, the data controller need not disclose information if satisfied that when the person gave the information, they would not have wanted it to be disclosed to you.

What am I entitled to see?

The data controller must tell you whether they hold any information about you. If they do, they must send you a copy of the information they have about you, and tell you:

• where the information came from
• why they keep it
• whom it may be passed to or seen by
• the reasoning behind any automated decisions, such as credit scoring. (You can find further information on credit scoring in Credit explained. You can get a copy of this from the Information Commissioner — see the ’Advice and assistance’ page.) You may receive the information as a computer printout, in a letter or on a form. It should be easy to understand and any codes used should be explained.

What does it cost?

You can be charged a fee of up to £10 for each request. Some data controllers charge less, and others charge nothing. Different charges may apply to requests for school and health records (see the relevant sections in this guide).

How long does it take?

When the data controller has enough information to identify you and find your records - and you have paid any necessary fee - they must respond within 40 days. Different time limits apply to requests by pupils to see their school records in England and Wales, and to requests by parents to see their children's school records (see the school records page).

What information can't I see?

The data controller may withhold some information on your record if it could identify someone else. If that person objects to being identified, you may be refused access to all or part of your record.

Also, some categories of information are exempt from various parts of the Data Protection Act and this may affect the information you can see. These exempt categories concern:

• health, education and social services or social work, which are subject to specific rights — see the relevant sections in this guide
• national security
• crime and taxation, but only to the extent that giving you access would hinder the effective prevention or detection of crime or collection of taxes
• regulatory activity — for example, public watchdogs, or regulators of charities and fair competition
• special purposes — for example, journalism, art or literature
• research, history or statistics
• information available under the law
• disclosures required by law
• disclosures made in connection with legal proceedings
• domestic purposes — for example, the processing of personal data for personal, family or household affairs
• confidential references given by a data controller
• the armed forces
• judicial appointments and honours
• Crown employment and Crown or ministerial appointments
• management forecasts and management planning
• negotiations
• corporate finance
• examination scripts
• examination marks — but see the section on school records in this guide
• legal professional privilege or confidentiality between client and legal adviser
• self-incrimination.


Some information may be withheld from you because it is in one of these categories. The data controller does not have to tell you if they have withheld information. If you suspect that information has been withheld without justification, or you want advice on what these exemptions mean, you should contact the Information Commissioner's helpline (see the 'Advice and assistance' page).

How can I correct errors?

If any information about you on your record is inaccurate, you are entitled to have it corrected or removed. Information is inaccurate if it is wrong or misleading in any matter of fact. Such information can include an expression of opinion if it is based on inaccurate data.

If the data controller refuses to amend your record when asked, you can ask the Information Commissioner to order them to correct or remove inaccurate information.

Is compensation available?

If you suffer physical or financial damage as a result of inaccurate information, you have a right to compensation. If you can prove the damage, a court may also order compensation for any distress it may have caused you. You can only claim compensation for distress alone if inaccurate information about you has been used for journalistic, artistic or literary purposes.

You can also claim compensation if your information is lost, damaged, destroyed or disclosed without the data controller's authority.

You can find guidance on claiming compensation in It's your information: claiming compensation. Copies are available from the Information Commissioner — see the 'Advice and assistance’ page.

How can I complain?

If you are dissatisfied with how a data controller has dealt with your application, you should first write and complain to the director or chief executive of the organisation. If your complaint is not resolved to your satisfaction, you can complain to the Information Commissioner — see the entry on the ’Advice and assistance’ page.

If a data controller has refused to give you access to your records, or to correct or remove inaccurate information - and the Information Commissioner cannot help - you can go to court. A citizens advice bureau or other advice agency (see the entry on the ’Advice and assistance’ page) can advise you about going to court.

<- About this guide | School records ->

copyright notice privacy policy terms and conditions PDF how to view pdf documents