- How long does an organisation have to respond?
- Can an organisation charge a fee?
- What should an organisation send back to me?
- Will I always receive everything I asked for?
- Cwestiynau cyffredin
An organisation normally has to respond to your request within one month.
If you have made a number of requests or your request is complex, they may need extra time to consider your request and they can take up to an extra two months to respond.
If they are going to do this, they should let you know within one month that they need more time and why.
Am fwy o gyngor, gallwch gysylltu â ni arguidance on time limits.
In most circumstances, they should give you a copy of your personal information free of charge.
However, an organisation can charge a reasonable fee to cover their administrative costs – if they think your request is ‘manifestly unfounded or excessive’.
They can also charge a fee if you ask for further copies of your information following a request.
If an organisation can charge a fee, the one-month time limit does not begin until they have received the fee.
When an organisation responds to your request, they should normally tell you whether or not they process your personal information and, if they do, give you copies of it. The organisation should also include:
- what they are using your information for;
- who they are sharing your information with;
- how long they will store your information, and how they made this decision;
- details on your rights to challenge the accuracy of your information, to have it deleted, or to object to its use;
- eich hawl i gwyno i'r Swyddfa'r Comisiynydd Gwybodaeth
- details about where they got your information from;
- whether they use your information for profiling or automated decision-making and how they are doing this; and
- what security measures they took if they have transferred your information to a third country or an international organisation.
If you specifically wish to receive this additional information, we recommend you state this in your request.
Not always. Depending on the circumstances:
- you may receive only part of the information you asked for; or
- the organisation may not provide you with any personal information at all.
An organisation can refuse to comply with your subject access request if they think it is ‘manifestly unfounded or excessive’.
There can be other reasons why you may not receive all the information you expect, such as when an exemption applies, or the type of information you asked for is not covered by a subject access request.
Am I entitled to receive copies of entire documents?
No. Your right of access does not entitle you to receive full copies of original documents held by an organisation – only your personal information contained in the document.
You make a subject access request to your bank for full copies of your bank statements.
Your bank is not required to provide copies of the actual bank statements, but they must provide you with your personal data contained within them, for example, by providing you with a list of transactions.
By doing so, they have now complied with your subject access request without having to give you a full copy of the original bank statements.
There is no set definition of what makes a subject access request ‘manifestly unfounded or excessive’. It will depend on the particular circumstances of your request. An organisation should explain the reasons for their decision.
As an example, an organisation may consider a request to be ‘manifestly unfounded or excessive’ when it is clear that:
- it has been made with no real purpose except to cause them harassment or disruption;
- the person making the request has no genuine intention of accessing their information (eg they may offer to withdraw their request in return for some kind of benefit, such as a payment from the organisation); or
- it overlaps with a similar request they are still addressing.
To decide this, an organisation must consider each request on a case-by-case basis and be able to explain their reasoning to you.
An organisation may withhold some, or all, of your personal information because of an exemption in data protection law.
Exemptions are meant to protect particular types of information, or how certain organisations work.
Sometimes an organisation may not even have to let you know whether or not they hold information about you.
An organisation may also refuse to give you your information if it also includes personal information about someone else, except where:
- the other individual has agreed to the disclosure; or
- it is reasonable to give you this information without the other individual’s consent.
In their decision-making, an organisation has to balance your right of access against the other individual’s rights over their own information.
This may lead the organisation to refuse your subject access request.
Alternatively, the organisation may attempt to remove (or edit out) the other individual’s information before sending your information to you. This is commonly known as ‘redaction’.
This could mean you only receive partial information – such as copies of documents showing blanked-out text or missing sections.
In any case, an organisation normally needs to:
- tell you why they are not taking action;
- justify their decision; and
- explain how you can challenge this outcome.
Gweler einguidance on exemptionsi sefydliadauam fwy o fanylion ar y pwnc hwn.
What happens if the organisation requires proof of ID?
ID (identity) checks are usually required for security – they are part of an organisation’s measures to protect your personal data from unauthorised access.
If an organisation asks you for proof of ID, the one-month time limit does not begin until they have received it.
What information is not covered by my request?
The right of access does not cover all types of information or uses of personal information. Some common examples of this include:
- information used for personal/household activity (eg friends writing letters to you or pictures of you taken by family members);
- images of you captured on a domestic CCTV system within the boundary of their domestic property; and
- information about a deceased relative’s medical records (as data protection law only applies to living individuals).
Can I submit the same request again?
Yes, you can ask an organisation for access to your information more than once. However, they may be able to refuse your request if:
- they have not yet had the opportunity to address your earlier request; or
- not enough time has passed since your last request (eg your information has not changed since then).
Remember, you can also ask an organisation for further copies of your information following a request, but they can charge a reasonable fee for this.