Respond to a data protection request

Under data protection law, anyone can ask if your organisation holds personal information about them - you must respond to their request as soon as possible, and within one month at most.

You should provide the requested personal data for free in most cases.

Individuals have the right to know:

  • what information is being used
  • why it’s being used
  • where it came from
  • who can see the information

What you must do

You must provide:

  • confirmation that you are processing their personal data
  • a copy of that data
  • details of how that data is collected, used and disposed of

You should send them a hard copy - such as a printout or photocopy. If you received the request by email, you can send the information by email if the requester agrees.

Make sure they can understand the information - for example, explain what any codes mean. Your response should be:

  • transparent
  • written in clear, plain language
  • in an easily accessible format

Before you reply you must:

  • check the identity of the requester
  • remove any data which does not relate to them

You could be fined if you do not respond to the request or do not provide the information requested.

Exemptions

You might not need to give all the personal information you have about someone if requested - for example, if it contains legal advice or relates to another person.

Further information

Find out more about how to respond to requests. For further advice, contact the Information Commissioner’s Office (ICO).