Explains your rights to see and have copies of your personal information, and how to complain if access to your records is refused or if what is written about you is wrong.
The Information Commissioner’s Office (ICO) is an independent body responsible for making sure that organisations comply with the Data Protection Act and General Data Protection Regulation (GDPR). The ICO also deals with concerns raised by members of the public about the way in which organisations look after personal information and deal with subject access requests.
You can complain to the ICO if an organisation:
The ICO will always expect you to have raised your concerns with the organisation before submitting a complaint.
The ICO has a form on its website which you can use to make your complaint. When you send the form to the ICO, include all the communications you’ve had with the organisation about your request for disclosure, including copies of the documents raising your concerns.
You should make a complaint to the ICO within three months of your last proper contact with the organisation concerned.
If the ICO thinks that an organisation has failed to comply with its obligations under the Data Protection Act or GDPR, it can:
However, the ICO cannot award you compensation. You can only claim compensation by taking an organisation to court.
You do have the right to take an organisation to court for failing to respond appropriately to a subject access request, but you need to be able to show the court that you tried to sort things out directly with the organisation first.
It's rare for things to get to this stage, as you should be able to sort the problem out by complaining to the ICO.
You can ask the court to order the organisation to put things right – for example to:
There's no legal aid available for this kind of court application so you would have to fund the case yourself, which could be costly. That’s why you should always get specialist legal advice from a solicitor before making an application to court.
This is a written request to an organisation asking for details of the personal information they hold about you.
See our pages on my personal information to find out more.
See our full list of legal terms.
This is a document sent to an organisation by the Information Commissioner's Office setting out the action it needs to take to comply with its obligations under the Data Protection Act 2018. Failure to comply with an enforcement notice is a criminal offence which can result in a fine.
The ICO is the independent body responsible for making sure that organisations comply with their obligations under the Data Protection Act 2018.
These are regulations that came into force on 25 May 2018. They tell organisations how they can use your personal information. They also give you rights to access, correct and erase personal information held about you.
The Data Protection Act 2018 is the law that sets out how organisations must handle and process your information. It also gives you rights to access, correct and erase personal information held about you.
This information was published in May 2018. We will revise it in 2020.
References are available on request. If you would like to reproduce any of this information, see our page on permissions and licensing.