Accessing my personal information
Explains your rights to see and have copies of your personal information, and how to complain if access to your records is refused or if what is written about you is wrong.
View this information as a PDF (new window)
Your personal data rights
This page covers the following information about your personal data rights:
Do I have a right to access my personal information?
Yes, you have a legal right to access personal information held about you by an organisation.
This right is protected by the Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR). These laws cover your rights regarding information held about you by organisations such as:
- GPs
- hospitals
- social services
- the police
- your employer
- the Department for Work and Pensions (DWP).
In some situations, an organisation does not have to share your personal information with you. This is known as ‘withholding’ information. See our section on withholding personal information to learn about why this might happen.
What information do I have a right to ask for?
You have the right to ask an organisation:
- what, if any, personal information it holds about you
- why it holds that information
- who it may be sharing your information with
- where the information came from
- to explain any technical or complicated terms relating to the information.
You also have the right to see the information held about you and to be given copies of it. This includes both digital and paper records.
What format should the records be in?
The organisation must provide copies of your records in a permanent form. This is unless you agree to them providing the information in some other way, such as viewing it in person at the organisation’s office.
If you want the information in a particular format, it's best to mention this when first making your request. For example, you might ask for:
- photocopies on paper
- digital copies on a USB memory stick
- digital copies on an encrypted device
- digital copies on a disk.
When can an organisation withhold information from me?
There are some specific situations where an organisation is allowed to withhold (not share) personal information from you. These include:
- if your request is 'manifestly unfounded or excessive'
- if the data includes third-party information, meaning personal information about someone else
- if sharing it would likely cause serious harm to you or another person
- if sharing it would make preventing crime or prosecuting criminals harder for the police.
If an organisation refuses to share information with you for one of these reasons, they should write to you explaining why.
Manifestly unfounded or excessive requests
In most cases, organisations must make proper efforts to find all the information you have requested. They can't refuse your request purely because it will be inconvenient for them or will require some work.
However, they don't have to comply with any requests that are ‘manifestly unfounded or excessive’. This could apply if:
- you request more information than you need
- you make repeated requests for the same information.
If an organisation finds your request excessive, it should ask you to be more specific rather than refuse you outright.
Third-party information
If the records you have requested about yourself also include personal information about someone else (a third party), the organisation doesn't have to share it unless:
- the other person mentioned has agreed for the information to be shared, or
- it's reasonable for the organisation to share the information anyway without the other person’s agreement. To make this decision the organisation has to weigh up your right to see your information against the other person’s right for information about them to be kept confidential.
One way around this problem may be for the organisation to redact information that would identify the third party. This means you couldn't see those parts, but could see everything else.
But information that identifies a health or social care professional should not usually be redacted. For example, the names of doctors who conducted an assessment under the Mental Health Act.
Serious harm to you or another person
You usually have the right to see your health records, also known as medical records, and any information held about you by social services.
This information may be withheld if it would be likely to cause serious harm to your mental or physical health, or that of another person.
An organisation can only use this exception after assessing the likelihood of serious harm. This would usually involve consulting with the health professional responsible for your care, or the care of the person they're concerned about. The organisation must have spoken to the health professional within the last six months if they want to rely on this exception.
An organisation cannot use 'serious harm’ as a reason for withholding your information simply because you might find the information upsetting.
The NHS website has information on how to access your medical records.
Preventing crime or prosecuting criminals
You usually have the right to find out what personal information is held about you by the police.
However, the police don't have to share this with you if doing so would be likely to make it harder for them to:
- prevent or detect crime – for example, where the information is relevant to an ongoing police investigation
- capture or prosecute offenders.
Can I access personal information about someone else on their behalf?
You don't usually have the right to access personal information about other people.
The exceptions are:
- If you manage the affairs of a person who lacks capacity. You might be an attorney or someone appointed by the Court of Protection. In this case you should be able to access that person’s information on their behalf. You will need to provide the organisation with copies of appropriate paperwork to show that you have this authority.
- If you are someone with parental responsibility. In this case you may be able to access personal information on behalf of your children, but the subject access rights are the child's. If the child understands that they have a right to see their personal information, the organisation would expect the subject access request SAR to be made by the child. If you are a child or young person in this situation, you might find it useful to read our page on confidentiality.
- If you want to access the health records of someone who has died. In this case, you can request to see their records if you are the executor or administrator of their estate, or if you might have a legal claim as a result of their estate. The NHS website has information on accessing medical records of someone who has died.
Subject access request (SAR)
This is a written request to an organisation asking for details of the personal information they hold about you.
See our pages on accessing my personal information to find out more.
Visit our full listing of Legal TermsPersonal information (or personal data)
Information which relates to you in such a way that you can be identified from the information. Personal information might be held on computers, in emails, printed out or in handwritten documents, or in photographic images, videos or audio recordings.
To find out more about your rights regarding your personal information, see our pages on my personal information.
Visit our full listing of Legal TermsCourt of Protection
The Court of Protection makes decisions and appoints deputies to act on your behalf if you are unable to make decisions about your personal health, finance or welfare.
See our pages on the Mental Capacity Act for more information.
Visit our full listing of Legal TermsCapacity
'Capacity' means the ability to understand information and make decisions about your life. Sometimes it can also mean the ability to communicate decisions about your life.
For example, if you do not understand the information and are unable to make a decision about your treatment, you are said to 'lack capacity' to make decisions about your treatment.
See our pages on the Mental Capacity Act for more information.
Visit our full listing of Legal TermsHealth record
A health record is any record of information relating to your physical or mental health that has been made by, or on behalf of, a health professional.
Visit our full listing of Legal TermsRedact
This means removing the relevant information. It can be done by crossing through the relevant information with a black marker pen and then photocopying the document or by using a computerised programme specially designed for this purpose.
Visit our full listing of Legal TermsGeneral Data Protection Regulation (UK GDPR)
These regulations tell organisations how they can use your personal information. They also give you rights to access and correct personal information held about you.
Visit our full listing of Legal TermsData Protection Act 2018
The Data Protection Act 2018 is the law that sets out how organisations must handle and process your information. It also gives you rights to access and correct personal information held about you.
Visit our full listing of Legal TermsMental Health Act 1983 (MHA)
This is a law that applies to England and Wales which allows people to be detained in hospital (sectioned) if they have a mental health disorder and need treatment. You can only be kept in hospital if certain conditions are met.
See our pages on the Mental Health Act for more information.
Visit our full listing of Legal TermsParental responsibility
The rights and responsibilities that a parent has for a child. This might include making decisions about their upbringing and where they live. It is possible for people who are not parents of a child to get parental responsibility. For example, a grandparent or family member could be given parental responsibility by the court.
Visit our full listing of Legal TermsThis information was published in November 2021. We will revise it in 2024.
References are available on request. If you would like to reproduce any of this information, see our page on permissions and licensing.