Got a minute to help? take our quick website survey >
Asking for your personal data
Explains your right to request copies of personal data and records held about you by different organisations.
Problems with asking for personal data
You have a legal right to ask for copies of your personal data, but you might face some problems when doing this. Like an organisation taking too long to respond. Or providing incorrect data.
As your data rights are protected by UK law, there are ways to resolve problems with data requests. You're not alone, and our information is here to help you.
On this page
Read about:
What if an organisation refuses or ignores my data request?
You should always receive a response to a subject access request (SAR). Even if the organisation holds no data about you, or has a reason to withhold your data, they must tell you this. The way they tell you should match the format of your request. This could be written or verbal.
Organisations have 1 calendar month to respond. If you've not heard anything back after this time, you should follow these steps in order:
- Write to the organisation. You can write to them first to remind them of your request. You should also mention their duties under UK General Data Protection Regulation (UK GDPR), as amended by the Data (Use and Access) Act 2025 (DUAA). You can then set a further reasonable deadline for responding to your request. For example, 7 or 14 days from receipt of your letter. You can find a letter template on the Information Commissioner's Office (ICO) website.
- Make a complaint to the organisation. If you don't hear back after writing, complain directly using their complaints process. From June 2026, organisations have a legal duty to operate a formal data protection complaints procedure.
- Make a complaint to the ICO. If you're unhappy with the organisation's initial response and response to your complaint, you can complain to the ICO.
What if they don't provide the personal data I asked for?
If the organisation doesn't provide the personal data you asked for, you should write back explaining what you think is missing. Try to be as specific as you can. To help you write this, you can use the template letter on the ICO website.
After communicating directly with the organisation, you can then complain to the ICO if:
- You're unhappy with the organisation's response
- You still believe that they've failed to share all the data you requested
To find out more, go to our page on how to complain to the ICO.
What if they take too long to provide my personal data?
Organisations have a time limit of 1 calendar month to respond to your SAR. If they take longer, you can complain directly. If you still haven't received a response, use the online complaint form on the ICO website.
The ICO might receive several reports about an organisation's failure to meet the 1-month deadline. In this case, they might take action against the organisation for failing to meet its legal duties. Organisations must follow these duties under UK GDPR, as amended by the DUAA.
What if information in my personal data is wrong?
Under UK GDPR, as amended by the DUAA, you have a right to ‘rectification’ of your personal data. This means that if something in your data is wrong, you can ask to have it corrected. Your request doesn't need to be in writing, but might be the best way to provide it, if you can.
The organisation has 1 month to respond to your request for rectification. If they think your request is manifestly unfounded or excessive, they might charge you a fee or refuse it.
Some examples of wrong information in your personal data might include:
- An incorrect record of your birthdate
- A mistake about a type of medication that a doctor prescribed you
What if I disagree with information in my personal data?
There's a difference between information about you that's wrong, and information that you disagree with.
For example, you might disagree with a medical opinion in your health records:
- You can't force the organisation to change or remove this part of your record. The opinion was expressed by a medical professional at a particular time. Even if someone can later prove this opinion wrong, the organisation won't necessarily remove the old record. For example, if another doctor later changes the diagnosis for your mental health problem.
- You can ask them to add a note to your record. You can write to the organisation that holds your health records asking to add a note. The note can state that you disagree with the views expressed, but won't remove the record. If the organisation refuses to note your objections, you can complain to the ICO.
Information Commissioner's Office (ICO)
The ICO is an independent body. It's responsible for making sure that organisations comply with their obligations under the Data Protection Act 2018.
Visit our full listing of Legal TermsGeneral Data Protection Regulation (UK GDPR)
These regulations tell organisations how they can use your personal information. They also give you rights to access and correct personal information held about you.
Visit our full listing of Legal TermsSubject access request (SAR)
This is a written request to an organisation asking for details of the personal information they hold about you.
See our pages on accessing my personal information to find out more.
Visit our full listing of Legal TermsPersonal data (or personal information)
Data which relates to you in such a way that you can be identified from it. Personal data might be held:
- On computers
- In emails, printed or handwritten documents
- In photographic images, videos or audio recordings
To find out more about your rights, see our pages on asking for your personal data.
Visit our full listing of Legal TermsHealth record (or medical record)
A health record (or medical record) is any record of information relating to your physical or mental health that has been made by, or on behalf of, a health professional.
Visit our full listing of Legal TermsData (Use and Access) Act 2025 (DUAA)
The Data Use and Access Act 2025 (DUAA) is a law that came in to update data protection rules. This law makes the rules simpler for organisations, while still protecting your rights.
Visit our full listing of Legal TermsPublished: June 2026
Next review planned: June 2029
References are available on request. If you would like to reproduce any of this information, see our page on permissions and licensing.
