Data Protection Act 1998

7Right of access to personal data

(1)Subject to the following provisions of this section and to sections 8 and 9, an individual is entitled—

(a)to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller,

(b)if that is the case, to be given by the data controller a description of—

(i)the personal data of which that individual is the data subject,

(ii)the purposes for which they are being or are to be processed, and

(iii)the recipients or classes of recipients to whom they are or may be disclosed,

(c)to have communicated to him in an intelligible form—

(i)the information constituting any personal data of which that individual is the data subject, and

(ii)any information available to the data controller as to the source of those data, and

(d)where the processing by automatic means of personal data of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting him, to be informed by the data controller of the logic involved in that decision-taking.

(2)A data controller is not obliged to supply any information under subsection (1) unless he has received—

(a)a request in writing, and

(b)except in prescribed cases, such fee (not exceeding the prescribed maximum) as he may require.

(3)A data controller is not obliged to comply with a request under this section unless he is supplied with such information as he may reasonably require in order to satisfy himself as to the identity of the person making the request and to locate the information which that person seeks.

(4)Where a data controller cannot comply with the request without disclosing information relating to another individual who can be identified from that information, he is not obliged to comply with the request unless—

(a)the other individual has consented to the disclosure of the information to the person making the request, or

(b)it is reasonable in all the circumstances to comply with the request without the consent of the other individual.

(5)In subsection (4) the reference to information relating to another individual includes a reference to information identifying that individual as the source of the information sought by the request; and that subsection is not to be construed as excusing a data controller from communicating so much of the information sought by the request as can be communicated without disclosing the identity of the other individual concerned, whether by the omission of names or other identifying particulars or otherwise.

(6)In determining for the purposes of subsection (4)(b) whether it is reasonable in all the circumstances to comply with the request without the consent of the other individual concerned, regard shall be had, in particular, to—

(a)any duty of confidentiality owed to the other individual,

(b)any steps taken by the data controller with a view to seeking the consent of the other individual,

(c)whether the other individual is capable of giving consent, and

(d)any express refusal of consent by the other individual.

(7)An individual making a request under this section may, in such cases as may be prescribed, specify that his request is limited to personal data of any prescribed description.

(8)Subject to subsection (4), a data controller shall comply with a request under this section promptly and in any event before the end of the prescribed period beginning with the relevant day.

(9)If a court is satisfied on the application of any person who has made a request under the foregoing provisions of this section that the data controller in question has failed to comply with the request in contravention of those provisions, the court may order him to comply with the request.

(10)In this section—

  • “prescribed” means prescribed by the Secretary of State by regulations;

  • “the prescribed maximum” means such amount as may be prescribed;

  • “the prescribed period” means forty days or such other period as may be prescribed;

  • “the relevant day”, in relation to a request under this section, means the day on which the data controller receives the request or, if later, the first day on which the data controller has both the required fee and the information referred to in subsection (3).

(11)Different amounts or periods may be prescribed under this section in relation to different cases.