Quick Guide to Subject Access (How to get copies of your personal data)

If an organisation has stored data about you in permanent form, then you have a right to see it. If you think the information is wrong, outdated or being used unfairly then you can ask to have it amended or deleted. This right to access and amend your data is known as a Subject Access Request (SAR). It is a right provided by Article 15 of the General Data Protection Regulation (GDPR) and section 45 of the Data Protection Act 2018 (in relation to information held by law enforcement agencies).  

Who can I make a subject access request to?

Every organisation must comply with subject access: this includes local authorities, businesses, banks, creditors, insurers, schools, hospitals, employers, GPs, prisons, courts, the police and the Inland Revenue. It doesn’t matter if they are large or small, privately or publicly owned; if they are processing your personal information they must supply you with a copy of it upon request.

What type of data can I ask for?

You can use Subject Access to request almost any type of data: CCTV recordings, application forms, invoices, emails, account details, personal references, employment records, medical records, police records. If it is on paper, stored in digital form or held on audio or visual media – and you can be identified from it – then you are entitled to see it. You can also ask why the data is being processed, who it is being shared with, where it originated from and how long it will be stored.

Do I have to give a reason for my request? 

No. As long as you prove you are who you say you are, you don’t have to give a reason why you are requesting data. However, you will be asked to provide proof of identity. Most organisations will accept scanned copies of a passport or driving licence and a recent utility bill, but some may ask you send in your documents or bring them into their office. If you send your documents make sure you used a signed service so they are not lost in the post!

How much does it cost?

Prior to the GDPR and the Data Protection Act 2018 there was a £10 statutory fee payable to whomever you made your request to. That fee has now been scrapped, and all subject access requests are free. Only if further copies of the same data are requested can the organisation charge a reasonable administrative fee.

Can I ask for someone else’s data?

Subject access is a right to obtain YOUR personal data, not someone else’s. You need a person’s written permission if you are trying to obtain information on their behalf. If any of the information you request refers to someone else, the organisation can refuse to disclose it or they must blank out the other person’s data so you cannot see it. This is known as redaction. If your documents come back with blacked out or whited out sections, this will be why; not because they are hiding secret information from you but because they must not disclose any third party’s personal data!

If you genuinely think something you are entitled to see is missing from the documents sent to you, you can ask the data protection ombudsman ‘The Information Commissioner’s Office(ICO) to step in.

Can I use subject access to get CCTV footage of myself?

Yes. If a CCTV camera has captured you in a public place and the images are stored, then you have a right to a copy of it. This includes cameras on train platforms, in supermarkets, the high street, pubs and clubs, inside police stations, or cameras fitted inside taxi cabs. This even includes your neighbour’s CCTV camera if it picks you up on the street!

You may be asked to provide a photo of yourself, and give a time and date of the capture, so the CCTV operator can identify your likeness.

Can the police refuse to disclose data under the ‘prevention or detection of crime’ exemption?

Section 43(3) of the DPA 2018 provides exemptions to subject access requests ‘in relation to the processing of relevant personal data in the course of a criminal investigation or criminal proceedings, including proceedings for the purpose of executing a criminal penalty’. This does not mean that the police are exempt from having to disclose all data. But they can refuse to disclose certain types of data that could prejudice an ongoing investigation. However you can use your section 43 rights to obtain a broad range of police held data, including your criminal record, police notebooks, incident logs, crime reports and custody records. You can also use it to obtain recordings made on police Body Worn Video (BWV) as well as CCTV footage from a police station or custody suite. You can even get a copy of police radio traffic if they have mentioned you on the airwaves and the recording has been retained.

How long does subject access take?

Every organisation has 1 month in which to fulfil a subject access request. If they refuse to comply, withhold data or go over the time limit then you can ask the Information Commissioner’s Office to intervene. They will review your case and, if they find the organisation has not complied with the GDPR or the DOA the ICO can order them to do so. 

How much information will I get?

It’s not always easy to predict how many documents you will receive from  a subject access request. Some people get nothing more than a slip of paper informing them that no information is held. Others might be sent huge bundles of paperwork, with audio and video recordings supplied on CD. If you don’t think you’ve got everything you asked for then you can ask the organisation to check again. However, unless you know for certain a piece of data exists, it may be very difficult to prove information is being withheld, simply by its absence.

What if I don’t like what I see?

If after reviewing all of your police data, you find something that breaches your data subject rights then you can request the offending data be rectified under section 46 of the DPA 2018, or erased entirely under section 47. If the police refuse, then you can complain to the ICO or bring the matter before a court and let a judge decide whether the data is being processed lawfully.

Not sure if an organisation holds any data upon you at all? Then make your request anyway.