Explains your rights to see and have copies of your personal information, and how to complain if access to your records is refused or if what is written about you is wrong.
View this information as a PDF (new window)
You should always receive a response of some kind to a subject access request. Even if the organisation holds no information about you, or it has a reason to withhold your information from you (not share it), it must still write to you and explain that this is the case.
If more than one month has passed since you made your subject access request and you've not heard anything back, you should follow these steps:
If you aren't happy with the organisation's response, and you still believe that it has failed to share all of the information you asked for, you can complain to the ICO.
There is a one month time limit to provide the information you ask for. If an organisation takes any longer than this, you can report it to the ICO using this form on its website.
If the ICO receives many reports from different individuals about a particular organisation’s failure to meet the one month time limit, they may take action against the organisation for failing to meet its obligations under GDPR. Find out more about how the ICO ensures organisations meet their information rights obligations.
Under GDPR you have a right to 'rectification' of your records. This means that if something in your records is wrong, you can ask to have it corrected. Your request doesn’t need to be in writing but it may be helpful if it is.
The organisation has one month to respond to your request. If they think your request is manifestly unfounded or excessive they may charge you a fee or refuse your request.
However, there's a difference between information that is wrong and information that you disagree with.
If you disagree with a medical opinion in your health records:
If you're not happy with their response, you can make a complaint to the ICO.
These are regulations that came into force on 25 May 2018. They tell organisations how they can use your personal information. They also give you rights to access, correct and erase personal information held about you.
See our full list of legal terms.The ICO is the independent body responsible for making sure that organisations comply with their obligations under the Data Protection Act 2018.
See our full list of legal terms.This is a written request to an organisation asking for details of the personal information they hold about you.
See our pages on my personal information to find out more.
See our full list of legal terms.This information was published in May 2018. We will revise it in 2020.
References are available on request. If you would like to reproduce any of this information, see our page on permissions and licensing.