Accessing my personal information
Explains your rights to see and have copies of your personal information, and how to complain if access to your records is refused or if what is written about you is wrong.
What to do if your data request is unsuccessful
There are various reasons why your request for your personal information might be unsuccessful. This page covers what you can do if:
Your request for information is refused or ignored
You should always receive a response of some kind to a subject access request (SAR). Even if the organisation holds no information about you, or it has a reason to withhold your information from you, it must still write to you and explain that this is the case.
If more than one calendar month has passed since you made your request and you've not heard anything back, you should take these steps in the following order:
- Write to the organisation. Remind them of your request, and of their obligations under the UK General Data Protection Regulation (UK GDPR). The Information Commissioner’s Office (ICO) website has a letter template for this. It's a good idea to set the organisation a further reasonable deadline for responding to your request, for example 7 or 14 days.
- Make a complaint to the organisation. If you still don't hear back after writing to them, you should complain directly to them using their complaints process.
- Complain to the ICO. If you aren't happy with their response to your complaint, and you still believe that they should share the information you've asked for, you can complain to the ICO.
An organisation doesn't provide the information you asked for
If they don't provide what you asked for, you should write back to the organisation explaining what you think is missing. You should be as specific as possible about the missing information.
To help you write it out, you can use the template letter on the ICO website.
If you aren't happy with the organisation's response, and you still believe that it has failed to share all of the information you asked for, you can complain to the ICO.
An organisation takes too long to provide your information
The organisation has a time limit of one calendar month to respond. If an organisation takes any longer than this, you can use the ICO's online form to report it.
The ICO might receive many reports from different individuals about a particular organisation’s failure to meet the one-month time limit. In this case, they may take action against the organisation for failing to meet its obligations under UK GDPR.
Find out more on the ICO website about the ways it ensures organisations meet their obligations.
The information in your personal records is wrong
Under UK GDPR you have a right to 'rectification' of your records. This means that if something in your records is wrong, you can ask to have it corrected. Your request doesn’t need to be in writing, but it may be helpful if it is.
The organisation has one month to respond to your request. If they think your request is manifestly unfounded or excessive, they may charge you a fee or refuse your request.
But there is a difference between information that is wrong and information that you disagree with.
Information that is wrong could include an incorrect record of your birthdate or the medication that you have been prescribed.
However, if you disagree with a medical opinion in your health records:
- You cannot force the organisation to change or remove the record. It's a record of an opinion expressed by a medical professional at a particular point in time. Even if their opinion is proved wrong at a later date, the old record won’t necessarily be removed. For example, this could be if your diagnosis is revised.
- You can ask for a note to be added to your record. You can write to the organisation that holds your health records and ask that a note is added, stating that you disagree with the views expressed. If the organisation refuses to record your objections, you can make a complaint to the ICO.
General Data Protection Regulation (UK GDPR)
These regulations tell organisations how they can use your personal information. They also give you rights to access and correct personal information held about you.
Information Commissioner's Office (ICO)
The ICO is the independent body responsible for making sure that organisations comply with their obligations under the Data Protection Act 2018.
Subject access request (SAR)
This is a written request to an organisation asking for details of the personal information they hold about you.
See our pages on accessing my personal information to find out more.
This information was published in November 2021. We will revise it in 2024.
References are available on request. If you would like to reproduce any of this information, see our page on permissions and licensing.