Subject Access Request - How to request personal information an organisation holds about you

How you can exercise your rights

How do I make a request (known as a Subject Access Request)?

For all requests, please complete the online form below so that we have all the relevant information to help us respond to your request. You will need to:

  • upload proofs of who you are (this is for security reasons to ensure we are dealing with you and that none of your personal information is accessed or interfered with by anyone else falsely claiming to be you)
  • you will need to upload two forms of identification with your request (copies of utility bills, driving licence or similar) bearing your full name and current postal address
  • provide information about the request you are making and your dealings with us to help identify the information required

If you are making a request on behalf of someone else you will need to:

  • upload proofs of who you are (this is for security reasons to ensure we are dealing with you and that none of your personal information is accessed or interfered with by anyone else falsely claiming to be you)
  • you will need to upload two forms of identification with your request (copies of utility bills, driving licence or similar) bearing your full name and current postal address
  • upload proof of the identity of the person you are requesting the information about, two forms of identification bearing full name and postal address
  • upload proof of legal authority to request the information e.g. parental responsibility, power of attorney, letter of authority

On receipt of your request we will send an acknowledgement within 5 workings days.

Make a Subject Access Request

When can I expect your response?

We aim to respond to your request without undue delay and no later than 1 calendar month counted from the first working day after we are in receipt of your request, and we have receipt of:

  • proof of your identity, and
  • any further information (where we have requested this from you) we need to process your request and/or locate and retrieve your personal information.

If we do not hear back from you with confirmation of your identity and/or sufficient information to respond to your request within 2 weeks, we will not be able to process your request and it will be treated as lapsed for processing purposes.

Where it is not possible to respond sooner and the last day before expiry of 1 calendar month, falls over a weekend or on a bank holiday, the latest due date will be treated as the first working day after the weekend or bank holiday.

If your request is complex, we may need to extend the length of time required to respond. If this applies, we will let you know before the latest due date on which you would be expecting to hear back from us.

The law says we can extend the length of time to respond by a maximum of a further 2 calendar months.

Where it is not possible to respond sooner and the last day before expiry of the 2nd calendar month, falls over a weekend or on a bank holiday, the latest due date will be treated as the first working day after the weekend or bank holiday.

We will always endeavour to respond as quickly as we can.

Can someone else make a request for me?

A friend, relative, advocate or solicitor may act on your behalf. However, this person must supply written authority from you to confirm that they are acting for you and we will still require identification for you.

What if a data subject 'lacks mental capacity'?

A person with a lasting power of attorney appointed directly by the data subject or a Deputy appointed by the Court of Protection may exercise these rights.

What about requests involving children?

Unlike Scotland, there is no set age in England which recognises when children are automatically able to exercise data protection rights.

A child aged 13 or over is able to create an on line social media account without the consent of a person with parental responsibility.

As a general rule a child must have sufficient understanding and maturity to exercise their own rights and a common sense approach will be adopted in the event a child or young person submits a request.

For children aged under 13, it will generally be expected that a request is made by a person with parental responsibility with whom the child normally resides and 'best interest' considerations will be taken into account.     

Will I have to pay a charge?

Ordinarily we will not charge a fee for fulfilling a request from you.

The only exception is where you make repeat requests for the same of similar information. In these cases, we reserve the right to charge a reasonable fee based on the administrative costs of supplying further copies if we consider a reasonable time period has not intervened since fulfilling a previous request.

Will I get all of the information I am requesting?

Normally this is likely to be the case.

But it is important to note that the right of access to your own information does not extend to information about other people who may be identified in the information that also refers to you.

We may therefore redact personal information about other persons (including third parties) where we are satisfied it is reasonable in the circumstances to do so.

In some cases information may be so interlinked that it is not possible to fulfil your request without breaching another person's privacy rights.

The names of professional staff (whether directly employed by us or not) involved in decision-making about your care and education will often be disclosable and their identities will not be automatically redacted, unless this is warranted in a particular case.

The law recognises that there are occasions when it may be appropriate to withhold certain information and provides exemptions in specified circumstances. 

If we withhold information on the basis that it is exempt from disclosure, where it is possible to do so, we will explain the exemption(s) we are relying on and the reasons why one or more are necessary.

Can I choose the format in which my information is supplied?

Where you have submitted your request electronically or asked us to respond in a particular format, we will try to do so wherever this is reasonably practicable.  

Can you refuse my request?

In certain circumstances we may refuse to act on your request if we consider that your request is unfounded, excessive or repetitive in nature.

We will give our reasons if we refuse to comply with your request on this ground.  

What if I am not satisfied with your response or it is taking too long?

If you do not hear from us by the latest due date or are not satisfied with the response we have given, you have the right to complain to the Information Commissioner.

The Information Commissioner is the UK's independent regulator  responsible for upholding and enforcing the rights of individuals under data protection law. 

You can email the Information Commissioner's office at accessicoinformation@ico.org.uk or write to:

Information Commissioner's Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF.

Full information about your rights is also available at Information Commissioner’s Office.


For definitions of terms used, please see: Data protection - Meaning of terms.

Contact for Privacy