Right of access to personal data
The right of access to personal data is a fundamental right created by section 5 of the Data Protection Act. The exercise of this right is referred to as making a "subject access request".
A subject access request can be made by any individual who wishes to find out what personal data an organisation holds about them - they do not need to have a direct relationship with the organisation. A request can be made for all, or specific, personal data processed and could include, for example, personal data in emails, CCTV, health records etc..
The right of access also entitles an individual to be:
- told whether any personal data is being processed;
- given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
- given a copy of the information comprising the personal data; and given details of the source of the data (where this is available).
An individual can also request information about the reasoning behind any automated decisions, such as a computer-generated decision to grant or deny credit, or an assessment of performance at work (except where this information is a trade secret).
Main points to consider:
- Subject access requests must be responded to without undue delay ("promptly") and in any event within 40 calendar days of receipt.
- A fee of up to £10 (or up to £50 in respect of manual health records) may be charged.
- Failure to comply with a request may result in the individual
- making a complaint to the Information Commissioner; and/or
- exercising their right to seek compensation.
Data controllers should have an appropriate policy in place to ensure it deals with subject access requests promptly and in accordance with the right.
Further information on complying with subject access requests, including the limited exemptions from the right of access, is available below.
Dealing with subject access requests
- Complying with a Subject Access Request
- Flowchart to assist in complying with a Subject Access Request
- Subject access requests - exemptions from the right of access
- Subject Access Requests and legal proceedings
- Subject access requests for employment references
- Subject Access Requests and Third Party Information
- Subject access requests and opinions
- Right of access - Health Records and Reports
- Subject Access Request - fees for access to health records
- Subject Access Request - Police Records
- Subject Access Requests for complaint files
- “Unstructured personal data” held by a public authority