Get help now Make a donation

My personal information

Explains your rights to see and have copies of your personal information, and how to complain if access to your records is refused or if what is written about you is wrong.

Do I have a right to access my personal information?

Yes, you have a legal right to access personal information held about you by an organisation.

This right is protected by the Data Protection Act 2018 and General Data Protection Regulation (GDPR). These deal with your rights regarding information held about you by various organisations and agencies, including:

  • GPs
  • hospitals
  • social services
  • the police
  • your employer
  • the Department for Work and Pensions.

However, there are some situations where an organisation is allowed to withhold personal information from you (not share it).

What records do I have a right to see?

You have the right to ask an organisation:

  • what, if any, personal information it holds about you
  • why it holds that information
  • who it may be sharing your information with
  • where the information came from
  • for an explanation of any technical or complicated terms relating to the information.

You also have the right to see the information held about you and/or to be given copies of it. This includes both computerised and paper records.

What format should the records be in?

The organisation must provide copies of your records in a permanent form (for example photocopies, or digital copies on a USB memory stick or on a disk) – unless you have agreed to the information being provided in some other way (for example, viewing it at the organisation’s offices).

If you want the information in a particular format (such as on an encrypted USB memory stick), it's worth saying so when first making your request.

When is an organisation allowed to withhold information from me?

There are some specific situations where organisation is allowed to withhold personal information from you (not share it). These include:

If an organisation is refusing to share information with you for one of these reasons, they should write to you and explain why.

Manifestly unfounded or excessive requests

Organisations must usually make proper efforts to find all the information you have requested. They can't refuse your request purely because it will be inconvenient for them or require some work.

However, they don't have to comply with any requests that are ‘manifestly unfounded or excessive’. This could apply if:

  • you request more information than you actually need
  • you make repeated requests for the same information.

If an organisation thinks your request is excessive it should ask you to be more specific rather than refuse you outright.

Third party information

If the records you have requested about yourself also include personal information about someone else (a third party), the organisation doesn't have to share it unless:

  • the other person mentioned has agreed for the information to be shared, or
  • it's reasonable for the organisation to share the information anyway without the other person’s agreement. To make this decision the organisation has to weigh up your right to see your information against the other person’s right for information about them to be kept confidential.

One way around this problem may be for the organisation to redact information that would identify the third party (so you couldn't see those bits, but could still see everything else).

But information that identifies a health or social care professional should not usually be redacted (for example, the names of doctors who conducted an assessment under the Mental Health Act).

Serious harm to you or another person

You usually have the right to see your health records (sometimes called medical records) and any information held about you by social services.

The exception to this is if sharing that information with you would be likely to cause serious harm to your mental or physical health, or that of another person.

An organisation can only use this as a reason for not sharing your information after assessing how likely it would be to cause you or another person serious harm. This would usually involve consulting with the health professional responsible for your care (or the care of the person they're concerned about).

You can find information on how to access medical records on the NHS Choices website.


Amir is 16 years old. He is looked after by social services under a Care Order. Amir has a history of self-harming following contact visits with his birth family. He's not seen his birth family for 6 months and has not self-harmed during this time.

Amir asks to read his social services records. But his social worker is concerned that there's information in these records about Amir's birth family which may distress him and lead to him self-harming again.

In this situation, social services may choose not to share some of Amir's social services records with him as it may cause serious harm to his mental or physical health. Alternatively they could invite Amir to look at his records at the social services offices, with the support of his social worker.

Preventing crime or prosecuting criminals

You usually have the right to find out what personal information is held about you by the police.

However, the police don't have to share your information with you if doing so would be likely to make it harder for them to:

  • prevent or detect crime – for example, where the information is relevant to an ongoing police investigation
  • capture or prosecute offenders.

Can I access personal information about someone else on their behalf?

You usually don't have the right to access personal information about other people.

The exceptions are:

  • If you manage the affairs of a person who lacks capacity, (as an attorney or someone appointed by the Court of Protection). In this case you should be able to access that person’s information on their behalf. You will need to provide the organisation with copies of appropriate paperwork to show that you have this authority.
  • If you are a parent with parental responsibility. In this case you can access personal information on behalf of your children, but the subject access rights are the child’s. If the child understands what it means to make a subject access request and how to interpret the information they receive as a result, the organisation would expect the subject access request to be made by the child.

This information was published in May 2018. We will revise it in 2021.

References are available on request. If you would like to reproduce any of this information, see our page on permissions and licensing.

Share this information

arrow_upwardBack to Top