What can I do if my request is refused or ignored?
Write a letter or email to the organisation
You should always receive a response of some kind to a subject access request. Even if the organisation holds no information about you, it must write to you to let you know that this is the case.
If more than 40 calendar days have passed since you made your subject access request, and you have not received a response, you should write to the organisation to remind them of your request and their obligations under the Data Protection Act 1998. The Information Commissioner’s Office (ICO) has produced a standard template letter for this on their website (scroll down to 'What can I do if the organisation does not respond?').
Within your letter or email, it is a good idea to set the organisation a further reasonable deadline for responding to your request – for example 7 or 14 days. If the organisation still fails to comply with your request, you should make a complaint to the ICO once this second deadline has passed.
Make a complaint
If you do not believe that the organisation has valid grounds for refusing to disclose your personal information, you should complain to the organisation.
If you do not receive a satisfactory response to your complaint and you still believe that the organisation has wrongly refused to disclose your personal information, you can complain to the ICO.
What can I do if the organisation doesn’t send me everything I asked for?
You should write back to the organisation explaining what information you think is missing. You should be as specific as possible.
The ICO website has produced a template letter which you can use (scroll down to 'What can I do if I believe the organisation has not sent me all the information I am entitled to?').
If you do not receive a satisfactory response to your letter or email, and you still believe that the organisation has failed to disclose all of the information you asked for, you can complain to the ICO.
What can I do if the organisation has provided the information I requested but not within 40 days?
You can report this to the ICO using the form on its website.
If the ICO receives many reports from different individuals about a particular organisation’s failure to meet the 40-day time limit, they may take action against the organisation for failing to meet its obligations under the Data Protection Act. Find out more about how the ICO ensures organisations meet their information rights obligations.
What if the information in my records is wrong?
If you think that the information an organisation holds about you is inaccurate, you should write to them, setting out your concerns and asking them to correct the mistake. If you are not happy with the response you receive, you can make a complaint to the ICO.
However, there is a difference between information that is wrong and information that you disagree with.
If you disagree with a medical opinion in your health records:
- you can ask for a note to be added. You can write to the organisation that holds your health records and ask that a note is added, stating that you disagree with the views expressed. If the organisation refuses to record your objections, you can make a complaint to the ICO.
- you cannot force the organisation to change or remove the opinion. This is because it is an opinion expressed by a medical professional at a particular point in time.
This information was published in October 2016. We will revise it in 2018.