Select here to go directly to the document text
Accessibility | Access Keys | Sitemap | Help | Advanced Search | Contact Us | Online Updates
 
Parliamentary Business Visit, Learn, Interact MSPs News, Media & Events About the Parliament
 Home > Freedom of Information > The Data Protection Act 1998 - Subject Access Requests > ..back
 
The Data Protection Act 1998 – Subject Access Requests
What is personal data?

The Data Protection Act 1998 (DPA) describes personal data as ‘data which relate to a living individual who can be identified:
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual’. DPA (c.29) s1(1)

What are subject access requests?

The Data Protection Act 1998 gives individuals who are the subject of personal data a right of access to personal data about them held by an individual or an organisation about them.

You can request your personal data by making a subject access request.

Personal data can be held in many formats. For example, personal data might include paper documents, computerised records, photographs or videos or a combination of these formats.

What details should you include in your request?

When you send a subject access request to the SPCB, you must send it in writing, either by letter or email. Please include the following details:

  • your full name and address (including email address if you wish an email response) together with a phone number so that we can contact you if we require further details or if we need to clarify any part of your request
  • additional information which will help us to identify you includes the dates during which you had contact with us, any reference number quoted on any correspondence with us and the name of the office with which you corresponded.

Please be as specific as possible about the personal data that you seek. If we receive minimal details from you, we may need to contact you for more details.

Some decisions affecting your personal data may be made by automatic means such as a decision made by a computer system. If you would like to be told if your personal data is processed by any automatic means, please mention this in your request.
An example of a letter you could use appears at the end of this leaflet but you can also use your own words.

How will we respond to your request?

The SPCB will ensure that you receive a reply to your subject access request within the statutory 40 days.

We will contact you if we are unable to provide the information you want until we get more details from you. We will not deal with your request until this additional information has been received.

The 40 day time limit is calculated from the day on which the SPCB has both the required fee (if appropriate) and the necessary information to confirm your identity and to locate the data.

What will it cost?

Generally up to £10 may be charged but there are special rules that may apply.

What can I expect to be sent to me?

You are entitled to be told if any personal data is held about you by the SPCB and if so to be:

  • given a description of that data
  • told for what purpose(s) the data is processed (obtaining, recording, holding, obtaining or using). An example of this would be if the information held about you is processed for the purpose of maintaining your contact details so that you can be kept up to date about relevant events or publications
  • told about the recipients or types of recipients to whom your personal data may be disclosed. In other words, to be told if your personal data is passed by us to anybody else.

You are entitled to be:

  • provided with a copy of the information described above with any abbreviations or specialist terminology explained
  • given any information available to the SPCB about the source of the personal data
  • given an explanation as to how any automated decisions taken about you have been made and of the logic involved in such automated decisions.

The SPCB is obliged to provide this information to you in a permanent form unless the supply of such a copy is not possible or would involve disproportionate effort. Disproportionate effort is not defined in the DPA but may include the cost, length of time involved and how difficult or otherwise it may be to provide the information.

When can information be withheld?

There may be circumstances in which the SPCB finds that providing you with the information that you seek involves passing to you the personal data relating to another individual. In these circumstances the SPCB must seek consent from the third party as to the release of that personal data. If the third party does not agree to the release of this information or it is unreasonable in all the circumstances to comply with the request without third party consent, the information is likely to be withheld. There are additional reasons why information may be withheld and these can be found on the Information Commissioners’ website at: www.informationcommissioner.gov.uk under the heading ‘Your Information Rights’.

Alternatively, please contact the Information Access Manager – contact details are provided at the end of this guidance under ‘who to contact’.

Sample letter to request access to your personal data
Feedback | Copyright | Privacy Policy | Freedom of Information | FAQ | Glossary | Online Shop