Subject Access Request - How to request personal information an organisation holds about you
How you can exercise your rights
How do I make a request (known as a Subject Access Request)?
Where you are seeking a copy of your personal information please submit your request to the Data Protection Officer, Bury Council, Town Hall, Knowsley Place, Bury BL9 0SW.
For Subject Access Requests relating to a family or children, please send your request to 3 Knowsley Place or email firstname.lastname@example.org.
For all other requests please contact us (see contact details at the end of the page).
For all requests, we will need:
- documentary proof that you are who you say you are (this is for security reasons to ensure we are dealing with you and that none of your personal information is accessed or interfered with by anyone else falsely claiming to be you);
- information about the request you are making and your dealings with us to help identify the information in question and to your request.
Please ensure you provide at least two forms of identification with your request [copies of utility bills, driving licence or similar] bearing your full name and current postal address.
On receipt of your request, we will always send you a written acknowledgement and may need to ask you for:
- proof of identification if you have not supplied this already;
- information about the nature of your request and your dealings with us so we can understand, identify and locate information that is relevant where this is not already clear from your request.
If we do not hear back from you with confirmation of your identity and/or sufficient information to respond to your request within 2 weeks, we will not be able to process your request and it will be treated as lapsed for accounting purposes.
Can someone else make a request for me?
A friend, relative, advocate or solicitor may act on your behalf. However, this person must supply written authority from you to confirm that they are acting for you and we will still require identification for you.
What if a data subject 'lacks mental capacity'?
A person with a lasting power of attorney appointed directly by the data subject or a Deputy appointed by the Court of Protection may exercise these rights.
What about requests involving children?
Unlike Scotland, there is no set age in England which recognises when children are automatically able to exercise data protection rights.
A child aged 13 or over is able to create an on line social media account without the consent of a person with parental responsibility.
As a general rule a child must have sufficient understanding and maturity to exercise their own rights and a common sense approach will be adopted in the event a child or young person submits a request.
For children aged under 13, it will generally be expected that a request is made by a person with parental responsibility with whom the child normally resides and 'best interest' considerations will be taken into account.
When can I expect your response?
We aim to respond to your request without undue delay and no later than 1 calendar month counted from the first working day after we are in receipt of your request, and:
- proof of your identity, and
- any further information (where we have requested this from you) we need to process your request and/or locate and retrieve your personal information.
Where it is not possible to respond sooner and the last day before expiry of 1 calendar month, falls over a weekend or on a bank holiday, the latest due date will be treated as the first working day after the weekend or bank holiday.
If your request is complex, we may need to extend the length of time required to respond.
If this applies, we will let you know before the latest due date on which you would be expecting to hear back from us.
The law says we can extend the length of time to respond by a maximum of a further 2 calendar months.
Where it is not possible to respond sooner and the last day before expiry of the 2nd calendar month, falls over a weekend or on a bank holiday, the latest due date will be treated as the first working day after the weekend or bank holiday.
We will always endeavour to respond as quickly as we can.
Will I have to pay a charge?
Ordinarily we will not charge a fee for fulfilling a request from you.
The only exception is where you make repeat requests for the same of similar information. In these cases, we reserve the right to charge a reasonable fee based on the administrative costs of supplying further copies if we consider a reasonable time period has not intervened since fulfilling a previous request.
Will I get all of the information I am requesting?
Normally this is likely to be the case.
But it is important to note that the right of access to your own information does not extend to information about other people who may be identified in the information that also refers to you.
We may therefore redact personal information about other persons (including third parties) where we are satisfied it is reasonable in the circumstances to do so.
In some cases information may be so interlinked that it is not possible to fulfil your request without breaching another person's privacy rights.
The names of professional staff (whether directly employed by us or not) involved in decision-making about your care and education will often be disclosable and their identities will not be automatically redacted, unless this is warranted in a particular case.
The law recognises that there are occasions when it may be appropriate to withhold certain information and provides exemptions in specified circumstances.
If we withhold information on the basis that it is exempt from disclosure, where it is possible to do so, we will explain the exemption(s) we are relying on and the reasons why one or more are necessary.
Can I choose the format in which my information is supplied?
Where you have submitted your request electronically or asked us to respond in a particular format, we will try to do so wherever this is reasonably practicable.
Can you refuse my request?
In certain circumstances we may refuse to act on your request if we consider that your request is unfounded, excessive or repetitive in nature.
We will give our reasons if we refuse to comply with your request on this ground.
What if I am not satisfied with your response or it is taking too long?
If you do not hear from us by the latest due date or are not satisfied with the response we have given, you have the right to complain to the Information Commissioner.
The Information Commissioner is the UK's independent regulator responsible for upholding and enforcing the rights of individuals under data protection law.
You can email the Information Commissioner's office at email@example.com or write to:
Information Commissioner's Office,
Full information about your rights is also available at Information Commissioner’s Office.
For definitions of terms used, please see: Data protection - Meaning of terms.