The Data Protection Act 2018 controls how your personal information is used by organisations, businesses or the government.

Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is:

• used fairly, lawfully and transparently
• used for specified, explicit purposes
• used in a way that is adequate, relevant and limited to only what is necessary
• accurate and, where necessary, kept up to date
• kept for no longer than is necessary
• handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

There is stronger legal protection for more sensitive information, such as:

• race
• ethnic background
• political opinions
• religious beliefs
• trade union membership
• genetics
• biometrics (where used for identification)
• health
• sex life or orientation

There are separate safeguards for personal data relating to criminal convictions and offences.

Your rights

Under the Data Protection Act 2018, you have the right to find out what information the government and other organisations store about you. These include the right to:

• be informed about how your data is being used
• access personal data
• have incorrect data updated
• have data erased
• stop or restrict the processing of your data
• data portability (allowing you to get and reuse your data for different services)
• object to how your data is processed in certain circumstances

You also have rights when an organisation is using your personal data for:

• automated decision-making processes (without human involvement)
• profiling, for example to predict your behaviour or interests

Write to an organisation to ask for a copy of the information they hold about you.

If it’s a public organisation, write to their Data Protection Officer (DPO). Their details should be on the organisation’s privacy notice.

If the organisation has no DPO, or you do not know who to write to, address your letter to the company secretary.

How long it should take

The organisation must give you a copy of the data they hold about you as soon as possible, and within 1 month at most.

In certain circumstances, for example particularly complex or multiple requests, the organisation can take a further 2 months to provide data. In this case, they must tell you:

• within 1 month of your request
• why there’s a delay

When information can be withheld

There are some situations when organisations are allowed to withhold information, for example if the information is about:

• the prevention, detection or investigation of a crime
• national security or the armed forces
• the assessment or collection of tax
• judicial or ministerial appointments

An organisation does not have to say why they’re withholding information.

How much it costs

Requests for information are usually free. However, organisations can charge an administrative cost in some circumstances, for example if:

• you’re asking for a large amount of information
• your request will take a lot of time and effort to process

If you think your data has been misused or that the organisation holding it has not kept it secure, you should contact them and tell them.

If you’re unhappy with their response, you can make a complaint to the Information Commissioner’s Office (ICO) or get advice from the ICO.

You can also chat online with an advisor.

The ICO can investigate your claim and take action against anyone who’s misused personal data.

You can also visit their website for information on how to make a data protection complaint.