Data Protection Act 1998

Data controllers

Under the Data Protection Act 1998 (DPA 1998), any organisation which processes your personal data is known as a ‘data controller’. All such organisations which handle personal information must comply with eight principles. These are to ensure that the personal information is:

  • fairly and lawfully processed;
  • obtained and processed for limited purposes;
  • adequate, relevant and not excessive;
  • accurate and up to date;
  • not kept for longer than is necessary;
  • processed in line with your rights;
  • kept secure;
  • not transferred to other countries outside of the European Economic Area without adequate protection.

Subject access requests

DPA 1998 and the Freedom of Information Act 2000 (FIA 2000) give you the right to get a copy of the personal information that is held about you on computers and in most paper records by organisations processing your personal data. This is known as a subject access request.

  • DPA 1998 gives you the right to access the personal information about you held by organisations;
  • FIA 2000 allows you to see official information about you held by public authorities.


DPA 1998 does not apply if the information an organisation holds about you is not held on computer or is not on paper and not sorted by reference to individuals. Nor does it apply where an organisation holds information relating to businesses or other organisations
Where the information you have asked for contains information relating to another person, the organisation is entitled to withhold this information unless the other person gives their permission, or it is reasonable in all the circumstances to provide the information without permission.

There are also circumstances under DPA 1998 where an organisation can legally refuse a subject access request, for example, if the personal data is processed for specified purposes of crime prevention/detection, apprehension/prosecution of offenders or imposition of tax or similar duties.

Making a subject access request

To obtain the information, you must make a request in writing or via fax/ email to the person or organisation which is holding it. You should make clear that this is a subject access request under DPA 1998 and include the following information:

  • your full name, address and contact telephone number;
  • any information used by the organisation to identify or distinguish you from others of the same name (account numbers, unique ID’s etc);
  • details of the specific information you require and any relevant dates.

An organisation can charge you a fee for giving you a copy of your personal information. But, there are limits on how much they can charge. The current limit is a fee of up to £10 for organisations or £2 if it is a request to a credit reference agency for information about your financial standing only. There are special rules that apply to fees for paper-based health records (the maximum fee is currently £50) and education records (a sliding scale from £1 to £50 depending on the number of pages provided).

The organisation must reply within 40 days, starting from the day they receive the fee and the information they need to identify you and the information you need. A credit reference agency must reply within seven days to a request for a credit file. The organisation should give you the information in writing but they need not do this if it is not possible, if it takes ‘disproportionate effort’ or if you agree to some other form, such as seeing it on screen.

The Act does not define what disproportionate effort means but the Information Commissioner’s Office says the following factors should be taken into account:

  • the cost of giving you the information;
  • the length of time it will take;
  • how difficult it will be;
  • the size of the organisation; and
  • the effect on you of not having the information in permanent form.

Inaccurate information

If you believe an organisation holds personal information about you which is inaccurate, you should write to the organisation or person holding the information. Keep a copy of your correspondence. You may need it if you make a complaint.

Customer complaint

If you are unhappy with the way an organisation has dealt with your complaint about personal information you have various options:

  • contact the Information Commissioner’s Office;
  • write to your local Member of Parliament (MP);
  • take the matter to court.

The Information Commissioner’s Office

The Information Commissioner’s Office is an independent authority. It promotes openness of official information and protection of private information. The Information Commissioner’s Office has legal powers to ensure that organisations comply with DPA 1998.

Article written by...
Nicola Laver LLB
Nicola Laver LLB

Nicola on LinkedInNicola on Twitter

A non-practising solicitor, Nicola is also a fully qualified journalist. For the past 20 years, she has worked as a legal journalist, editor and author.