The Data Protection Act 2018 (based on the General Data Protection Regulations (GDPR)) gives you a number of rights. One of those is to have access to all the information an organisation holds about you. There is more detailed information about ‘Right of Access’ on the Information Commissioner’s Office (ICO) website.
Examples of personal information you can get:
- Copies of correspondence between you and an organisation (proof they received it).
- Copies of CCTV showing you trying to gain access (e.g. to premises or transport).
- Recordings of phone calls (usually with larger organisations).
- Your medical and healthcare records from your GP and hospitals.
- Any records held by a company which refer to you in an identifiable way.
- Communications within an organisation about you, or between organisations, e.g. emails.
Format of Right of Access Request
While “Right of Access” requests do not have to be in a set format and can be made by any method including during a phone call, we at Reasonable Access recommend you make your request in a way which is easy to track and record such as email or a postal letter.
We also recommend that you say “This is a Right of Access Request under the Data Protection Act 2018” or similar as this means the organisation cannot claim they misunderstood. There is no requirement for you to fill in specific forms or follow an organisation’s processes, so if this is being used as a delaying tactic, you can refuse to do this and complain.
Make specific requests if you can
You should be clear which data you are asking for. While you can request all your data, this might take a long time or be unreasonably difficult to find, so if you can give specific information that can speed up the response. An example might be giving the date and time-range you should have been captured on CCTV, alongside the location of likely cameras.
Before 2018 there was a charge to get copies of healthcare records. Now, if you are asked to pay, remind the organisation that the GFPR and Data Protection Act 2018 say a charge should not be made.
You usually have to make a separate request to each NHS Trust that you see. For some people this can involve many requests. Making a request to a GP can get a good overview of records as hospitals tend to write to them directly – however some information may only be held by hospitals.
You should be able to request copies of X-rays and scans.
Proof of identity and address
The organisation holding the data may ask for proof of your identity (passport or driving licence) and address (utility bill or bank statement) so you may choose to send this with your request to speed things up.
Timing of your request
CCTV needs to be requested quickly
Information like CCTV is often not kept for very long, so you should make your “Right of Access” request as early as possible and to the correct person (organisations’ websites often say where to send them, or you may wish to phone to quickly find out).
The organisation should acknowledge your request promptly and send your data to you without unnecessary delay and within one calendar month of your request (though in exceptional circumstances they can ask to extend this to two months). This means if you make your request on the 4th February, you should usually receive your information by the 5th of March at the very latest.
If you do not receive your data or a reasonable explanation for the delay within that calendar month, you should complain to the organisation and remind them that if they don’t send an appropriate reply within a few days that you will make a complaint about them to the Information Commissioner’s Office (ICO).