Menu

Right of access to personal data

The right of access to personal data is a fundamental right created by section 5 of the Data Protection Act. The exercise of this right is referred to as making a "subject access request".

A subject access request can be made by any individual who wishes to find out what personal data an organisation holds about them - they do not need to have a direct relationship with the organisation.  A request can be made for all, or specific, personal data processed and could include, for example, personal data in emails, CCTV, health records etc..

The right of access also entitles an individual to be:

An individual can also request information about the reasoning behind any automated decisions, such as a computer-generated decision to grant or deny credit, or an assessment of performance at work (except where this information is a trade secret).

Main points to consider:

Data controllers should have an appropriate policy in place to ensure it deals with subject access requests promptly and in accordance with the right.

Further information on complying with subject access requests, including the limited exemptions from the right of access, is available below.