Find out what data an organisation has about you

Write to an organisation to ask for a copy of the information they hold about you. If it’s a public organisation, write to their Data Protection Officer ( DPO ). Their details should be on the organisation’s privacy notice. If the organisation has no DPO , or you do not know who to write to, address your letter to the company secretary. How long it should take The organisation must give you a copy of the data they hold about you as soon as possible, and within 1 month at most. In certain circumstances, for example particularly complex or multiple requests, the organisation can take a further 2 months to provide data. In this case, they must tell you: within 1 month of your request why there’s a delay When information can be withheld There are some situations when organisations are allowed to withhold information, for example if the information is about: the prevention, detection or investigation of a crime national security or the armed forces the assessment or collection of tax judicial or ministerial appointments An organisation does not have to say why they’re withholding information. How much it costs Requests for information are usually free. However, organisations can charge an administrative cost in some circumstances, for example if: you’re asking for a large amount of information your request will take a lot of time and effort to process

Data protection

Q: Make a complaint

If you think your data has been misused or that the organisation holding it has not kept it secure, you should contact them and tell them. If you’re unhappy with their response, you can make a complaint to the Information Commissioner’s Office ( ICO ) or get advice from the ICO . ICO Telephone: 0303 123 1113 Textphone: 18001 0303 123 1113 Monday to Friday, 9am to 5pm Find out about call charges Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF You can also chat online with an advisor . The ICO can investigate your claim and take action against anyone who’s misused personal data. You can also visit their website for information on how to make a data protection complaint .

The UK's data protection legislation

Data protection legislation controls how your personal information is used by organisations, including businesses and government departments.

In the UK, data protection is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’ unless an exemption applies. There is a guide to the data protection exemptions on the Information Commissioner’s Office (ICO) website.

Anyone responsible for using personal data must make sure the information is:

used fairly, lawfully and transparently
used for specified, explicit purposes
used in a way that is adequate, relevant and limited to only what is necessary
accurate and, where necessary, kept up to date
kept for no longer than is necessary
handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

There is stronger legal protection for more sensitive information, such as:

race
ethnic background
political opinions
religious beliefs
trade union membership
genetics
biometrics (where used for identification)
health
sex life or orientation

There are separate safeguards for personal data relating to criminal convictions and offences.

Your rights

Under the legislation, you have rights in relation to your personal data, with some exceptions. These include the right to:

be informed about how your data is being used
access personal data
have incorrect data updated
have data erased
stop or restrict the processing of your data
data portability (allowing you to get and reuse your data for different services)
object to how your data is processed in certain circumstances

You also have rights when an organisation is using your personal data for:

automated decision-making processes (without human involvement)
profiling, for example to predict your behaviour or interests

If you’re concerned about how an organisation is handling your personal data

Contact the ICO for advice or to make a complaint.

ICO
Telephone: 0303 123 1113
Textphone: 18001 0303 123 1113
Monday to Friday, 9am to 5pm
Find out about call charges

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

You can find more contact details on the ICO website.

View a printable version of the whole guide

Data protection

The UK's data protection legislation

Your rights

If you’re concerned about how an organisation is handling your personal data

Is this page useful?

Help us improve GOV.UK

Help us improve GOV.UK

Cookies on GOV.UK

Data protection

The UK's data protection legislation

Your rights

If you’re concerned about how an organisation is handling your personal data

Related content

Is this page useful?

Help us improve GOV.UK

Help us improve GOV.UK