The Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000

Citation, commencement and interpretation

1.—(1) These Regulations may be cited as the Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 and shall come into force on 1st March 2000.

(2) In these Regulations “the Act” means the Data Protection Act 1998.

Extent of subject access requests

2.—(1) A request for information under any provision of section 7(1)(a), (b) or (c) of the Act is to be treated as extending also to information under all other provisions of section 7(1)(a), (b) and (c).

(2) A request for information under any provision of section 7(1) of the Act is to be treated as extending to information under the provisions of section 7(1)(d) only where the request shows an express intention to that effect.

(3) A request for information under the provisions of section 7(1)(d) of the Act is to be treated as extending also to information under any other provision of section 7(1) only where the request shows an express intention to that effect.

Maximum subject access fee

3.  Except as otherwise provided by regulations 4, 5 and 6 below, the maximum fee which may be required by a data controller under section 7(2)(b) of the Act is £10.

Limited requests for subject access where data controller is credit reference agency

4.—(1) In any case in which a request under section 7 of the Act has been made to a data controller who is a credit reference agency, and has been limited, or by virtue of section 9(2) of the Act is taken to have been limited, to personal data relevant to an individual’s financial standing—

(a)the maximum fee which may be required by a data controller under section 7(2)(b) of the Act is £2, and

(b)the prescribed period for the purposes of section 7(8) of the Act is seven working days.

(2) In this regulation “working day” means any day other than—

(a)Saturday or Sunday,

(b)Christmas Day or Good Friday,

(c)a bank holiday, within the meaning of section 1 of the Banking and Financial Dealings Act 1971(1), in the part of the United Kingdom in which the data controller’s address is situated.

(3) For the purposes of paragraph (2)(c) above—

(a)the address of a registered company is that of its registered office, and

(b)the address of a person (other than a registered company) carrying on a business is that of his principal place of business in the United Kingdom.

Subject access requests in respect of educational records

5.—(1) This regulation applies to any case in which a request made under section 7 of the Act relates wholly or partly to personal data forming part of an accessible record which is an educational record within the meaning of Schedule 11 to the Act.

(2) Except as provided by paragraph (3) below, a data controller may not require a fee under section 7(2)(b) of the Act in any case to which this regulation applies.

(3) Where, in a case to which this regulation applies, the obligation imposed by section 7(1)(c)(i) of the Act is to be complied with by supplying the data subject with a copy of information in permanent form, the maximum fee which may be required by a data controller under section 7(2)(b) of the Act is that applicable to the case under the Schedule to these Regulations.

(4) In any case to which this regulation applies, and in which the address of the data controller to whom the request is made is situated in England and Wales, the prescribed period for the purposes of section 7(8) of the Act is fifteen school days within the meaning of section 579(1) of the Education Act 1996(2).

Certain subject access requests in respect of health records—transitional provisions

6.—(1) This regulation applies only to cases in which a request made under section 7 of the Act—

(a)relates wholly or partly to personal data forming part of an accessible record which is a health record within the meaning of section 68(2) of the Act,

(b)does not relate exclusively to data within paragraphs (a) and (b) of the definition of “data” in section 1(1) of the Act, and

(c)is made before 24th October 2001.

(2) Where in a case to which this regulation applies, the obligation imposed by section 7(1)(c)(i) of the Act is to be complied with by supplying the data subject with a copy of information in permanent form, the maximum fee which may be required by a data controller under section 7(2)(b) of the Act is £50.

(3) Except in a case to which paragraph (2) above applies, a data controller may not require a fee under section 7(2)(b) of the Act where, in a case to which this regulation applies, the request relates solely to personal data which—

(a)form part of an accessible record—

(i)which is a health record within the meaning of section 68(2) of the Act, and

(ii)at least some of which was made after the beginning of the period of 40 days immediately preceding the date of the request; and

(b)do not fall within paragraph (a) or (b) of the definition of “data” in section 1(1) of the Act.

(4) For the purposes of paragraph (3) above, an individual making a request in any case to which this regulation applies may specify that his request is limited to personal data of the description set out in that paragraph.