Under data protection law, anyone can ask if your organisation holds personal information about them – you must respond to their request within 40 days.
You can charge them up to £10 to provide the information, or up to £50 for paper-based health or education records.
They have the right to know:
- what information is being used
- why it’s being used
- where it came from
- who can see the information
You must send them a hard copy – like a print out or photocopy. If you received the request by email, you can send the information by email if the requester agrees.
Make sure they can understand the information – eg explain what any codes mean.
You could be ordered by the Information Commissioner’s Office to respond to the request if you ignore it or don’t provide the information.
You might not need to give all the personal information you have about someone if requested. For example, it may contain legal advice or relate to another person.
Contact the Information Commissioner’s Office for more about what information you need to give and how to respond to requests.
Responding to a data protection request – what you need to provide, how much you can charge, and what happens if you don’t provide the information.