Accessing my personal information
Explains your rights to see and have copies of your personal information, and how to complain if access to your records is refused or if what is written about you is wrong.
View this information as a PDF (new window)
Complaining to the ICO
This page covers information about how to make a complaint to the Information Commissioner’s Office (ICO):
What is the ICO?
The ICO is an independent body responsible for making sure that organisations comply with the Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR). The ICO also deals with concerns raised by members of the public about the way in which organisations look after personal information and deal with subject access requests (SARs).
Can I make a complaint to the ICO?
You can complain to the ICO if an organisation:
- fails to respond to your request for information
- refuses your request
- fails to send you all of the information you asked for
- fails to comply with the time limit for information, which is normally one calendar month.
The ICO will expect you to have first raised your concerns with the organisation before submitting a complaint.
How do I submit my complaint to the ICO?
To make your complaint, you can use the form on the ICO website. When you submit the form, you'll need to include all the communications you’ve had with the organisation about your request. This includes copies of the documents raising your initial concerns to the organisation.
You should make a complaint to the ICO within three months of your last proper contact with the organisation concerned.
- If you have everything saved electronically, you can submit the form and the correspondence by email to [email protected].
- If you only have paper copies, you will need to send the correspondence and the form to Customer Contact, Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
- If you need support with your complaint, you can call the ICO helpline on 0303 123 1113 (local rate) or start a live chat on the ICO website.
What powers does the ICO have?
If the ICO thinks that an organisation has failed to comply with its obligations under the Data Protection Act 2018 or UK GDPR, it can:
- write to the organisation and ask it to sort out the problem
- take action against the organisation concerned.
The ICO may only take action in extreme situations where there has been a serious breach. This may include sending the organisation an enforcement notice and imposing a financial penalty. Either way, the ICO cannot award you compensation. You can only claim compensation by taking an organisation to court.
Can I take an organisation to court?
You have the right to take an organisation to court for failing to respond appropriately to a subject access request. However, you need to be able to show the court that you tried to sort things out directly with the organisation first.
It's rare for things to get to this stage, as you should be able to sort the problem out by complaining to the ICO.
What can I ask the court for?
You can ask the court to order the organisation to put things right. For example, you might ask it to:
- disclose the information that you have requested
- pay you compensation for harm and distress caused to you as a result of the organisation’s actions.
As there's no legal aid available for this kind of court application, you would have to fund the case yourself. This can be costly, so you should always get specialist legal advice from a solicitor before making an application to court.
For more information on finding a solicitor, see our useful contacts page. The ICO website also has further information about taking your case to court.
Subject access request (SAR)
This is a written request to an organisation asking for details of the personal information they hold about you.
See our pages on accessing my personal information to find out more.
Visit our full listing of Legal TermsEnforcement notice
This is a document sent to an organisation by the Information Commissioner's Office setting out the action it needs to take to comply with its obligations under the Data Protection Act 2018. Failure to comply with an enforcement notice is a criminal offence which can result in a fine.
Visit our full listing of Legal TermsInformation Commissioner's Office (ICO)
The ICO is the independent body responsible for making sure that organisations comply with their obligations under the Data Protection Act 2018.
Visit our full listing of Legal TermsGeneral Data Protection Regulation (UK GDPR)
These regulations tell organisations how they can use your personal information. They also give you rights to access and correct personal information held about you.
Visit our full listing of Legal TermsData Protection Act 2018
The Data Protection Act 2018 is the law that sets out how organisations must handle and process your information. It also gives you rights to access and correct personal information held about you.
Visit our full listing of Legal TermsThis information was published in November 2021. We will revise it in 2024.
References are available on request. If you would like to reproduce any of this information, see our page on permissions and licensing.