Respond to a data protection request

Under data protection law, anyone can ask if your organisation holds personal information about them - you must respond to their request within 40 days.

You can charge them up to £10 to provide the information, or up to £50 for paper-based health or education records.

They have the right to know:

  • what information is being used
  • why it’s being used
  • where it came from
  • who can see the information

You must send them a hard copy - like a print out or photocopy. If you received the request by email, you can send the information by email if the requester agrees.

Make sure they can understand the information - eg explain what any codes mean.

You could be ordered by the Information Commissioner’s Office to respond to the request if you ignore it or don’t provide the information.


You might not need to give all the personal information you have about someone if requested. For example, it may contain legal advice or relates to another person.

Contact the Information Commissioner’s Office for more about what information you need to give and how to respond to requests.