Got a minute to help? take our quick website survey >
Requesting your personal data
Explains your right to request copies of personal data and records held about you by different organisations.
Personal data and your rights
You have a legal right to ask for personal data held about you by an organisation. This right is protected by UK law.
You might feel unsure about when and why you might want copies of your personal data and records. Especially if it involves medical records about your mental health. You're not alone, and our information is here to help you.
What is personal data?
Personal data means any data about us that directly identifies us, or could identify us.
Lots of things could identify us in personal data or records. For example, our:
- Name
- Date of birth
- Home address
- Email address
- Mobile number
- Location data
- Physical description
Sometimes, our personal data is sensitive and private. For example, our mental health diagnosis or health records. Or something that happened to us involving the police.
We might also hear personal data called ‘personal records’ or ‘personal information’. Some organisations use a mix of these terms to mean personal data.
Who might hold my personal data?
Lots of organisations might hold different types of our personal data. It depends on why they might've needed it in the first place.
The law protects your rights for personal data held about you by organisations and services. For example:
- GP practices
- Hospitals
- Social services
- The police
- Your current or past employer
- The Department for Work and Pensions (DWP)
Do I have a right to ask for my personal data?
You have a legal right to ask an organisation for the personal data it holds about you.
This right is protected by the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018. To support you further, these laws are amended by the Data (Use and Access) Act 2025 (DUAA).
You also have the right to:
- Ask to see the data and records held about you
- Ask the organisation to provide copies of your data, or certain parts of it
This right applies for both digital and paper records.
Which format should they provide my data in?
Normally, the organisation must provide copies of your data in a ‘permanent form’. You can ask for a particular format when first making your request. For example, you could ask for:
- Photocopies or printouts on paper
- Digital files to be sent by email, which should be password protected
- Digital files you can view and save via a secure online platform
You could also agree to them providing your data in another way. Like viewing it in person at their office.
Do I have a right to ask questions about my personal data?
You have the right to ask an organisation certain questions about the data and records they hold on you.
For example, you could ask:
- What personal data they hold about you, if any
- Why they hold that data
- Who they might share your data with, or have already shared it with
- How they got your data, if you didn't consent to providing it
- For explanations of any technical or complicated terms related to their data about you
When can organisations withhold my personal data?
You have a right to request your personal data. But in certain situations an organisation can legally withhold personal data from you. Withholding is another way of saying ‘not sharing’.
For example, organisations might withhold your personal data if:
- Your request is manifestly unfounded or excessive
- Your data includes third-party information, meaning personal data about someone else
- Sharing it would likely cause serious harm to you or another person
- Sharing it would make it harder for the police to prevent crime or prosecute criminals
An organisation might refuse to share with you for any of these reasons. If so, they should write to you explaining why.
We have more information about each of these reasons below:
In most cases, organisations should make proper efforts to find all the personal data you've requested. They generally can't refuse if it's inconvenient or time-consuming to find what you've asked for. It's their legal duty to carry out a ‘reasonable and proportionate’ search for personal data.
However, they don't have to comply with requests that are ‘manifestly unfounded or excessive’. This might apply if:
- You request more personal data or records than you need
- You make repeated requests for the same data or records
If an organisation finds your request excessive, they should first ask you to be more specific. They should not:
- Immediately refuse your request
- Refuse it without giving you a good reason
However, if this does happen, you can try challenging the refusal directly with the organisation. This might resolve things without taking it further. If it's still unresolved, you can then complain to the Information Commissioner's Office (ICO).
If nothing else works, you might then consider taking legal action.
Sometimes, the data you've asked for about yourself might include personal data about someone else. This person is known as a ‘third party’.
The organisation should agree to your request if either 1 of these conditions is met:
- The third party has agreed for their data to be shared.
- It's reasonable for the organisation to share the data anyway, without the other person's agreement.
To resolve this in a fairer way, the organisation could offer to redact identifying data about the third party. Redacting it means that you couldn't see the parts they're involved in, but could see everything else. But if this isn't possible, the organisation can withhold the data.
However, organisations shouldn't usually redact data that identifies health or social care professionals. For example, redacting the names of doctors who carried out an assessment under the Mental Health Act.
Usually, you have the right to see any personal data held about you by social services, as well as your medical records. You might also hear these called ‘health records’ or ‘medical notes’.
But an organisation might withhold this if sharing would be likely to seriously harm:
- Your mental or physical health
- The mental or physical health of another person
An organisation can only use this reason if they've assessed the likelihood of serious harm.
This assessment usually involves them consulting with a health professional. This must have happened within the last 6 months. This professional must be either responsible for your care, or for the other person they're concerned about.
An organisation might try to withhold data because they think you might find it upsetting. But this is not a strong enough reason to count as ‘serious harm’.
Usually, you have the right to find out what personal data or records the police hold about you.
However, the police can withhold your data in some situations. They can withhold it if doing so would be likely to make it harder for them to do the following:
- Prevent or detect crime. Like if something in the data held about you relates to an ongoing investigation.
- Capture or prosecute offenders. Like if something in your personal data is important in solving a crime. Or if something noted your records could jeopardise an investigation.
To find out more, see our information on police and mental health.
Can I ask for personal data about someone else?
You don't usually have the right to find out about or ask for personal data about other people.
You can only make a data request for someone else if 1 or more of these reasons applies:
- You manage the affairs of someone who lacks capacity. You might be an attorney or someone appointed by the Court of Protection. In this case you should be able to access that person's data on their behalf. You'll need to provide copies of appropriate paperwork to show that you have this authority.
- You have parental responsibility. You might be able to ask for personal data on behalf of your child. But the subject access rights belong to the child. If the child understands their right to request their data, they should normally make their own subject access request (SAR).
- You want to request to see the health records of someone who has died. You can request this if you're the executor or administrator of their estate. Or if you might have a legal claim as a result of their estate. For more information about doing this in England, visit the NHS website. Or if you're in Wales, visit the NHS 111 website.
Court of Protection
The Court of Protection can make decisions and appoint deputies to act on your behalf. Specifically if you can't make decisions about your personal health, finance or welfare.
See our pages on the Mental Capacity Act for more information.
Visit our full listing of Legal TermsSubject access request (SAR)
This is a written request to an organisation asking for details of the personal information they hold about you.
See our pages on accessing my personal information to find out more.
Visit our full listing of Legal TermsCapacity
'Capacity' means the ability to understand information and make decisions about your life. Sometimes it can also mean the ability to communicate decisions about your life.
See our pages on the Mental Capacity Act for more information.
Visit our full listing of Legal TermsHealth record (or medical record)
A health record (or medical record) is any record of information relating to your physical or mental health that has been made by, or on behalf of, a health professional.
Visit our full listing of Legal TermsRedact
This means removing the relevant information. It can be done by crossing through the relevant information with a black marker pen and then photocopying the document. Or by using a computerised programme specially designed for this purpose.
Visit our full listing of Legal TermsGeneral Data Protection Regulation (UK GDPR)
These regulations tell organisations how they can use your personal information. They also give you rights to access and correct personal information held about you.
Visit our full listing of Legal TermsData Protection Act 2018
The Data Protection Act 2018 is the law that sets out how organisations must handle and process your information. It also gives you rights to access personal information held about you. And rights to correct personal information held about you if it's wrong.
Visit our full listing of Legal TermsData (Use and Access) Act 2025 (DUAA)
The Data Use and Access Act 2025 (DUAA) is a law that came in to update data protection rules. This law makes the rules simpler for organisations, while still protecting your rights.
Visit our full listing of Legal TermsParental responsibility
The rights and responsibilities that a parent has for a child. This might include making decisions about their upbringing and where they live. It's possible for people who are not parents of a child to get parental responsibility. For example, a court can give a grandparent or family member parental responsibility.
Visit our full listing of Legal TermsPublished: June 2026
Next review planned: June 2029
References are available on request. If you would like to reproduce any of this information, see our page on permissions and licensing.
