• What can I do if my request is refused or ignored?
• What can I do if an organisation doesn’t send me everything I asked for?
• What can I do if an organisation takes too long to provide my information?
• What if the information in my records is wrong?

What can I do if my request is refused or ignored?

You should always receive a response of some kind to a subject access request. Even if the organisation holds no information about you, or it has a reason to withhold your information from you (not share it), it must still write to you and explain that this is the case.

If more than one month has passed since you made your subject access request and you've not heard anything back, you should follow these steps:

• Step 1: Write to the organisation reminding them of your request, and of their obligations under General Data Protection Regulation (GDPR). The Information Commissioner’s Office (ICO) have a standard template letter for this here on their website (scroll down to 'What can I do if the organisation does not respond?'). It's a good idea to set the organisation a further reasonable deadline for responding to your request – for example 7 or 14 days.

• Step 2: Make a complaint to the organisation. If you still don't hear back from them after writing to them to remind them of their obligation, you should complain directly to them using their complaints process.

• Step 3: Complain to the Information Commissioner's Office (ICO). If you aren't happy with their response to your complaint, and you still believe that they should share the information you've asked for, you can complain to the ICO.

What can I do if an organisation doesn’t send me everything I asked for?

You should write back to the organisation explaining what information you think is missing. You should be as specific as possible.

If you aren't happy with the organisation's response, and you still believe that it has failed to share all of the information you asked for, you can complain to the ICO.

What can I do if an organisation takes too long to provide my information?

There is a one month time limit to provide the information you ask for. If an organisation takes any longer than this, you can report it to the ICO using this form on its website.

If the ICO receives many reports from different individuals about a particular organisation’s failure to meet the one month time limit, they may take action against the organisation for failing to meet its obligations under GDPR. Find out more about how the ICO ensures organisations meet their information rights obligations.

What if the information in my records is wrong?

Under GDPR you have a right to 'rectification' of your records. This means that if something in your records is wrong, you can ask to have it corrected. Your request doesn’t need to be in writing but it may be helpful if it is.

The organisation has one month to respond to your request. If they think your request is manifestly unfounded or excessive they may charge you a fee or refuse your request.

However, there's a difference between information that is wrong and information that you disagree with.

If you disagree with a medical opinion in your health records:

• You cannot force the organisation to change or remove the record. This is because it's a record of an opinion expressed by a medical professional at a particular point in time. Even if their opinion is proved wrong at a later date (for example, if your diagnosis is revised), the old record won’t necessarily be removed.

• You can ask for a note to be added to your record. You can write to the organisation that holds your health records and ask that a note is added, stating that you disagree with the views expressed. If the organisation refuses to record your objections, you can make a complaint to the ICO.

If you're not happy with their response, you can make a complaint to the ICO.

This information was published in May 2018. We will revise it in 2020.