Explains your rights to see and have copies of your personal information, and how to complain if access to your records is refused or if what is written about you is wrong.
Yes, you have a legal right to access personal information held about you by an organisation.
This right is protected by the Data Protection Act 2018 and General Data Protection Regulation (GDPR). These deal with your rights regarding information held about you by various organisations and agencies, including:
However, there are some situations where an organisation is allowed to withhold personal information from you (not share it).
You have the right to ask an organisation:
You also have the right to see the information held about you and/or to be given copies of it. This includes both computerised and paper records.
The organisation must provide copies of your records in a permanent form (for example photocopies, or digital copies on a USB memory stick or on a disk) – unless you have agreed to the information being provided in some other way (for example, viewing it at the organisation’s offices).
If you want the information in a particular format (such as on an encrypted USB memory stick), it's worth saying so when first making your request.
There are some specific situations where organisation is allowed to withhold personal information from you (not share it). These include:
If an organisation is refusing to share information with you for one of these reasons, they should write to you and explain why.
Organisations must usually make proper efforts to find all the information you have requested. They can't refuse your request purely because it will be inconvenient for them or require some work.
However, they don't have to comply with any requests that are ‘manifestly unfounded or excessive’. This could apply if:
If an organisation thinks your request is excessive it should ask you to be more specific rather than refuse you outright.
If the records you have requested about yourself also include personal information about someone else (a third party), the organisation doesn't have to share it unless:
One way around this problem may be for the organisation to redact information that would identify the third party (so you couldn't see those bits, but could still see everything else).
But information that identifies a health or social care professional should not usually be redacted (for example, the names of doctors who conducted an assessment under the Mental Health Act).
You usually have the right to see your health records (sometimes called medical records) and any information held about you by social services.
The exception to this is if sharing that information with you would be likely to cause serious harm to your mental or physical health, or that of another person.
An organisation can only use this as a reason for not sharing your information after assessing how likely it would be to cause you or another person serious harm. This would usually involve consulting with the health professional responsible for your care (or the care of the person they're concerned about).
You can find information on how to access medical records on the NHS Choices website.
Amir is 16 years old. He is looked after by social services under a Care Order. Amir has a history of self-harming following contact visits with his birth family. He's not seen his birth family for 6 months and has not self-harmed during this time.
Amir asks to read his social services records. But his social worker is concerned that there's information in these records about Amir's birth family which may distress him and lead to him self-harming again.
In this situation, social services may choose not to share some of Amir's social services records with him as it may cause serious harm to his mental or physical health. Alternatively they could invite Amir to look at his records at the social services offices, with the support of his social worker.
You usually have the right to find out what personal information is held about you by the police.
However, the police don't have to share your information with you if doing so would be likely to make it harder for them to:
You usually don't have the right to access personal information about other people.
The exceptions are:
Information which relates to you in such a way that you can be identified from the information. Personal information might be held on computers, in emails, printed out or in handwritten documents, or in photographic images, videos or audio recordings.
To find out more about your rights regarding your personal information, see our pages on my personal information.See our full list of legal terms.
'Capacity' means the ability to understand information and make decisions about your life. Sometimes it can also mean the ability to communicate decisions about your life.
For example, if you do not understand the information and are unable to make a decision about your treatment, you are said to 'lack capacity' to make decisions about your treatment.
See our pages on the Mental Capacity Act for more information.See our full list of legal terms.
A health record is any record of information relating to your physical or mental health that has been made by, or on behalf of, a health professional.See our full list of legal terms.
This means removing the relevant information. It can be done by crossing through the relevant information with a black marker pen and then photocopying the document or by using a computerised programme specially designed for this purpose.See our full list of legal terms.
These are regulations that came into force on 25 May 2018. They tell organisations how they can use your personal information. They also give you rights to access, correct and erase personal information held about you.See our full list of legal terms.
The Data Protection Act 2018 is the law that sets out how organisations must handle and process your information. It also gives you rights to access, correct and erase personal information held about you.See our full list of legal terms.
This information was published in May 2018. We will revise it in 2020.
References are available on request. If you would like to reproduce any of this information, see our page on permissions and licensing.