Cabinet Office Homepage

Data Protection Act 1998:

Standards and Best Practice Handbook for Government Departments

Annex F

Your Rights and the Complaints Procedures Under the Data Protection Act 1998
Data Protection Act
Right of access

An individual is entitled:

1. to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller;
2. if that is the case, to be given by the data controller a description of -
   • the personal data of which that individual is the data subject,
   • the purpose for which they are being or are to be processed, and
   • the recipients or classes of recipients to whom they are or may be disclosed;
3. to have communicated to him in an intelligible form -
   • the information constituting any personal data of which that individual is the data subject, and
   • any information available to the data controller as to the source of that data.

2. “Personal data” is information relating to an identifiable living individual. It includes information about the intentions of the data controller towards the data subject and also applies to information relating to an individual who can be identified from other information that is in the possession of, or is likely to come into the possession of, the data controller.

3. All personal data that is automatically processed (ie computerised) are covered, irrespective of the form in which the computer processes them. Manual records are also covered if they form a “relevant filing system” through meeting the following criteria:

• the information must be part of a structured set of information, relating to individuals;
• the structuring must be by reference to individuals or by reference to criteria relating to individuals; and
• the structuring must allow specific information relating to a particular individual to be readily accessible.

4. “Processing” means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data.

5. A data controller is not obliged to supply any information unless he has received:

• a request in writing,
• the fee where a fee is charged, and
• such information as he may reasonably require in order to satisfy himself as to the identity of the person making the request and to locate the information which that person seeks.

6. The “prescribed period” for a data controller to respond to a subject access request is within forty days of the request being received. If a request is not accompanied by the fee, where a fee is charged, and/or further information is required to help locate the information being sought the forty day period starts from the date the data controller receives the required fee and/or additional information.

7. Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless:

• the other individual has consented to the disclosure of the information to the person making the request, or
• it is reasonable in all the circumstances to comply with the request without the consent of the other individual.

8. Individuals have, subject to certain exceptions, the right to:

• prevent processing likely to cause damage or distress;
• prevent processing for the purpose for the purposes of direct marketing;
• not to have decisions taken solely based on automated processing; and
• have inaccurate personal data rectified, blocked, erased or destroyed.

Subject access exemptions

9. The attached outlines the exemptions that relate to particular categories of personal data such that one or more of the provisions of the Data Protection Act do not apply. The main exemptions that are provided cover national security; crime taxation; health, education and social work; regulatory activity; journalism, literature, art; research, history and statistics; information available to the public by or under enactment; disclosures required by law or made in connection with legal proceedings domestic purposes etc.

10. There may be personal data being processed by or on behalf of the [department concerned] that are exempt from the subject access provisions on the grounds that such exemption, as provided for under section 28(1) of the Data Protection Act, is required for the purposes of safeguarding national security. If it were the case that the [department concerned] held such personal data there would be no right of access, although it should not be assumed by an individual that any such data is or is not held on them.

Right of complaint

11. Under the terms of the Data Protection Act there is a right of complaint to the Information Commissioner or a court, (or, in the case of a certificate issued under section 28 of the Act and signed by a member of the Cabinet or the Attorney General or the Advocate General, the Information Tribunal) if an individual is dissatisfied with the response they receive from the [department concerned]. The address for the Information Commissioner is:

The Office of the Information Commissioner
Wycliffe House
Water Lane
Cheshire
SK9 5AF

Data Protection Handbook [PDF, 710KB]

[Top]