The Data Protection Act 2018 (based on the General Data Protection Regulations (GDPR)) gives you a number of rights. One of those is to have access to all the information an organisation holds about you. There is more detailed information about ‘Right of Access’ on the Information Commissioner’s Office (ICO) website.
Examples of personal information you can get:
- Copies of correspondence between you and an organisation (proof they received it).
- Copies of CCTV showing you trying to gain access (e.g. to premises or transport).
- Recordings of phone calls (usually with larger organisations).
- Your medical and healthcare records from your GP and hospitals.
- Any records held by a company which refer to you in an identifiable way.
- Communications within an organisation about you, or between organisations, e.g. emails.
Format of Right of Access Request
While “Right of Access” requests do not have to be in a set format and can be made by any method including during a phone call, we at Reasonable Access recommend you make your request in a way which is easy to track and record such as email or a postal letter.
You should be clear which data you are asking for. While you can request all your data, this might take a long time or be unreasonably difficult to find, so if you can give specific information that can speed up the response. An example might be giving the date and time-range you should have been captured on CCTV, alongside the location of likely cameras.
Proof of identity and address
The organisation holding the data may ask for proof of your identity (passport or driving licence) and address (utility bill or bank statement) so you may choose to send this with your request to speed things up.
Timing of your request
Information like CCTV is often not kept for very long, so you should make your “Right of Access” request as early as possible and to the correct person (organisations’ websites often say where to send them, or you may wish to phone to quickly find out).
The organisation should acknowledge your request promptly and send your data to you without unnecessary delay and within one calendar month of your request (though in exceptional circumstances they can ask to extend this to two months). This means if you make your request on the 4th February, you should usually receive your information by the 5th of March at the very latest.
If you do not receive your data or a reasonable explanation for the delay within that calendar month, you should complain to the organisation and remind them that if they don’t send an appropriate reply within a few days that you will make a complaint about them to the Information Commissioner’s Office (ICO).