Under data protection law, anyone can ask if your organisation holds personal information about them - you must respond to their request within 40 days.
You can charge them up to £10 to provide the information, or up to £50 for paper-based health or education records.
They have the right to know:
- what information is being used
- why it’s being used
- where it came from
- who can see the information
You must send them a hard copy, if possible - like a letter or printout - unless you both agree otherwise.
Make sure they can understand the information - eg explain what any codes mean.
If you ignore the request or don’t provide the information, you could be given a heavy fine by the Information Commissioner’s Office.
Some organisations don’t have to respond to data protection requests, eg:
- some not-for-profit organisations
- organisations that do not process personal information on computer
You also don’t have to respond if you process personal data only for:
- staff administration (including payroll)
- advertising, marketing and public relations (in connection with your own business activity)
- accounts and records
Find out more on the Information Commissioner’s Office website.