Explains your rights to see and have copies of your personal information, and how to complain if access to your records is refused or if what is written about you is wrong.
The ICO is an independent body responsible for making sure that organisations comply with the Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR). The ICO also deals with concerns raised by members of the public about the way in which organisations look after personal information and deal with subject access requests (SARs).
You can complain to the ICO if an organisation:
The ICO will expect you to have first raised your concerns with the organisation before submitting a complaint.
To make your complaint, you can use the form on the ICO website. When you submit the form, you'll need to include all the communications you’ve had with the organisation about your request. This includes copies of the documents raising your initial concerns to the organisation.
You should make a complaint to the ICO within three months of your last proper contact with the organisation concerned.
The ICO may only take action in extreme situations where there has been a serious breach. This may include sending the organisation an enforcement notice and imposing a financial penalty. Either way, the ICO cannot award you compensation. You can only claim compensation by taking an organisation to court.
You have the right to take an organisation to court for failing to respond appropriately to a subject access request. However, you need to be able to show the court that you tried to sort things out directly with the organisation first.
It's rare for things to get to this stage, as you should be able to sort the problem out by complaining to the ICO.
You can ask the court to order the organisation to put things right. For example, you might ask it to:
As there's no legal aid available for this kind of court application, you would have to fund the case yourself. This can be costly, so you should always get specialist legal advice from a solicitor before making an application to court.
This is a document sent to an organisation by the Information Commissioner's Office setting out the action it needs to take to comply with its obligations under the Data Protection Act 2018. Failure to comply with an enforcement notice is a criminal offence which can result in a fine.Visit our full listing of Legal Terms
These regulations tell organisations how they can use your personal information. They also give you rights to access and correct personal information held about you.Visit our full listing of Legal Terms
The Data Protection Act 2018 is the law that sets out how organisations must handle and process your information. It also gives you rights to access and correct personal information held about you.Visit our full listing of Legal Terms
This information was published in November 2021. We will revise it in 2024.
References are available on request. If you would like to reproduce any of this information, see our page on permissions and licensing.