Data Protection for Organisations

Personal data is information relating to an identifiable living individual. Whenever personal data is processed, collected, recorded, stored or disposed of, it must be done within the terms of the Data Protection Act (DPA). The DPA and other information rights laws set out your rights regarding your personal information, how organisations should carry out direct marketing and how you can access information from public authorities.


Can I access my personal information?

You have the right to get a copy of the information that is held about you. This is known as a subject access request. This right of subject access means that you can make a request under the Data Protection Act to any organisation processing your personal data. The Act calls these organisations ‘data controllers’.

You can ask the organisation you think is holding, using or sharing the personal information you want, to supply you with copies of both paper and computer records and related information.

What can I request?

The Freedom of Information Act, Environmental Information Regulations and INSPIRE Regulations give you rights to access official information. Under the Freedom of Information Act and the Environmental Information Regulations you have a right to request any recorded information held by a public authority, such as a government department, local council or state school. Environmental information requests can also be made to certain non-public bodies carrying out a public function.

  • You can ask for any information you think a public authority may hold. The right only covers recorded information which includes information held on computers, in emails and in printed or handwritten documents as well as images, video and audio recordings.
  • You should identify the information you want as clearly as possible.
  • Your request can be in the form of a question, rather than a request for specific documents, but the authority does not have to answer your question if this would mean creating new information or giving an opinion or judgment that is not already recorded.
  • Some information may not be given to you because it is exempt, for example because it would unfairly reveal personal details about somebody else.

You don’t have to know whether the information you want is covered by the Environmental Information Regulations or the Freedom of Information Act. When you make a request, it is for the public authority to decide which law they need to follow.

The INSPIRE Regulations require public authorities that hold spatial or geographic information to make it available so that you can search it in particular ways.

What should I do before I make a request?

You can ask for any information you choose, at any time, but you may not always succeed in getting it. Before you make a request, it may help to consider the following questions.
  • Is the information you want already available, for example, on the authority’s website?
    Authorities must make certain information routinely available. You can find out what information is available by checking the authority’s publication scheme or guide to information. Do this by looking at its website or by contacting the authority.

You have the right to be confident that organisations handle your personal information responsibly and in line with good practice. If you have a concern about the way an organisation is handling your information; if it:

  • is not keeping your information secure;
  • holds inaccurate information about you;
  • has disclosed information about you;
  • is keeping information about you for longer than is necessary; or
  • has collected information for one reason and is using it for something else;

we believe that the organisation responsible should deal with it. We expect them to take your concern seriously and work with you to try to resolve it.

How should I raise my concern about how an organisation has handled my information?

You can use the template letter below to help you raise your concerns.

[Your full address]
[Phone number]
[The date]

[Name and address of the organisation]
[Reference number (if provided within the initial response)]

Dear [Sir or Madam / name of the person you have been in contact with]

Information rights concern
[Your full name and address and any other details such as account number to help identify you]

I am concerned that you have not handled my personal information properly.

[Give details of your concern, explaining clearly and simply what has happened and, where appropriate, the effect it has had on you.]

I understand that before reporting my concern to the Information Commissioner’s Office (DPC) I should give you the chance to deal with it.

If, when I receive your response, I would still like to report my concern to the DPC, I will give them a copy of it to consider.

You can find guidance on your obligations under information rights legislation on the Commission’s website, as well as information on their regulatory powers and the action they can take.

Please send a full response within 28 calendar days. If you cannot respond within that timescale, please tell me when you will be able to respond.

If there is anything you would like to discuss, please contact me on the following number [telephone number].

Yours faithfully

The Commissioner cannot award compensation.

As an individual you may go to court to claim compensation for damage or distress caused by any organisation if they have breached the Data Protection Act.

When can I claim compensation under the Data Protection Act?

You have a right to claim compensation from an organisation if you have suffered damage because they have breached part of the Act.

Previously, you could only claim compensation for distress suffered as a result of a breach of the DPA if you also suffered damage. The only time compensation could be claimed for distress alone was if the organisation broke the law when using your information for journalism, artistic or literary purposes.

In 2015 the Court of Appeal ruled, in the case of Vidal-Hall v Google, that compensation under the DPA could be awarded for distress alone. Google appealed this aspect of the judgment to the Supreme Court; however, the appeal was withdrawn following an agreement being reached between the parties. This means that, unless the matter is raised again to the Supreme Court, the courts will be bound by the judgment in Vidal-Hall v Google. Claims for distress alone may now therefore be admissible.

How do I make a claim for compensation?

You do not have to make a court claim if an organisation agrees to pay you compensation. If you cannot reach an agreement with them, you can apply to a court for compensation alone or you can combine your claim with an action to put right any breach of the Act.

By law, the Information Commissioner cannot award compensation, even when she has said that in her view the organisation did breach the Act. If you cannot agree on compensation you have to make a claim in court.

What do I need to do before I make a claim to the court?

The court will want to know what steps you have taken to try to settle the claim. This means you must write or speak to the organisation to see if you can reach an agreement.

If you fail to reach an agreement, you should write to the organisation before you start court proceedings, to tell them that you intend to take the matter to court. If you do not, the court may penalise you. You should send the letter by recorded delivery and address it to the person you have been dealing with, or the company secretary. In some cases, this may help prompt the data controller to settle the dispute.

Will it help me in court to involve the Information Commissioner’s Office?

You can ask the DPC to assess if the organisation breached the Act and we will tell you whether, in our view, it was likely or unlikely that the organisation broke the law. You can give a copy of the DPC’s letter to the court together with the evidence you have to prove your claim. However, a court will take its own view of the law and the judge may not agree with the DPC’s view.

You may want to ask our helpline first to see whether you potentially have a valid data protection concern that you can bring to us. Whether you complain to the ICO or take a case to court, you will need evidence to back up what you say.

The Information Commissioner and her staff will not usually take part in court proceedings commenced by you. However, if you or the defendant require someone from the Information Commissioner’s Office to give evidence, this is known as expert evidence which will only be allowed if the judge orders it. The reasonable costs of a witness would have to be met by the party calling the witness.

How much will the court award me if my claim is successful?

There are no guidelines about levels of compensation for a claim under the Data Protection Act. It will be up to the judge hearing the case, who will take into account all the circumstances, including how serious the breach was and the impact it has on you, particularly when assessing the distress you suffered. Even when you can show the court the exact sum of money you have lost as a result of the breach of the Act, it is still up to the judge to make the award and the judge may reduce your claim or award nothing at all.

It is also important to remember that even if the court awards you compensation, the organisation may refuse, or may not be able to pay. If this happens you should ask the court about what you should do to enforce the judgment.

Can an organisation record a telephone call without telling me?

Yes. In our view, individuals should generally expect that an organisation will keep a record of the call. This could be by recording the call itself or by making notes.

How long can an organisation hold data about me?

The Data Protection Act states that organisations should only keep personal data for as long as it is necessary. Organisations should also have a retention policy for the information they hold.

Can an organisation use my information or pass it on without my consent?

Sometimes – for example, if the police want information in connection with a criminal investigation, or in an event where your health might be at risk. You have certain rights in situations where information might be shared, which you can read about in our guide Sharing my information.

If you think your information has been used unfairly, you should first approach the organisation involved, asking them to explain how they have used your information and how they have followed the Data Protection Act principles. Organisations are obliged to explain how they are processing your personal information if you make a formal request.

How do I get information held about me corrected?

If you have any concerns about the accuracy of your personal data, you will need to raise them in writing with the organisation concerned. You should be clear about exactly what you believe is inaccurate and how the organisation should correct it, providing evidence of the inaccuracies where available. Be aware that the Data Protection Act only obliges organisations to keep information factually accurate; it can't be used to alter or remove opinions, including medical diagnoses, unless those opinions themselves are based on inaccurate factual information.

How do I get an organisation to stop using my data?

Under the Data Protection Act, you may ask an organisation to stop using your information. For further information, read our guidance on preventing the processing of personal data.

How do I get information held about me deleted?

You do not have an automatic right to have personal data deleted. However, you may ask an organisation to stop using your information. For further information, read our guidance on preventing processing of personal information.

I think a decision has been made about me by a computer. What can I do?

The Data Protection Act gives you a limited right to prevent significant decisions being taken about you solely by automatic processing. You can write to an organisation telling it not to make decisions about you on this basis. You should consider sending your letter by recorded delivery and keeping a copy. The organisation has 21 days to respond. It can either reconsider any decision it has made or make a fresh decision not just using a computer. If you are not satisfied with the response, you can go to court and the court can order the organisation to reconsider the decision it has made or take a new decision on a different basis.

What is a privacy notice?

When organisations collect your information, they should usually be open about why they are collecting it, only use it in a reasonable way that you would expect, and shouldn't use it in a way that is unfair to you. When your data is collected you should be given a fair processing notice or privacy notice that tells you what will be done with your data and why, unless it's already obvious who has collected your details and what they are going to be used for.

Are organisations allowed to transfer my data to foreign call centres?

Yes, providing the organisation keeps your data secure.

The Commission provides for the process to obtain, hold, use or disclose personal information and for other related issues bordering on the protection of personal data.