|The Campaign for Freedom of Information|
Many bodies, both public and private, hold files on the people they deal with. Important decisions about you may be taken on the basis of your file - often by people who have never met you or spoken to you. All they know about you is what the file says. If the information is incomplete, inaccurate or unfair your rights may be at risk or you could be denied a benefit or service that you need. The best safeguard is a right to see the file for yourself, so you can challenge unjustified statements, correct factual inaccuracies and make your views known before - not after - decisions are taken.
Data Protection Act
Your main rights to see personal data about yourself, held on computer and on paper, come from the Data Protection Act 1998 (DPA). The DPA provides a right of access to personal information about yourself held by public authorities and private bodies, regardless of the form in which it is held
The 1998 DPA provides access to some records previously available under earlier legislation, which has now been repealed. This includes the right to see computerised records under the 1984 DPA, and the right to see paper-based medical, social work, housing and school records. These rights still apply, though under the new Act. [The 1998 DPA repealed the Access to Personal Files Act 1987 - together with its subsidiary Regulations - and the Access to Health Records Act 1990.]
Additional rights to see other paper and other non-computerised records are being phased in. A limited right came into force in March 2000. The main right of access will come into force in October 2001.
The DPA's right of access to non-computerised records is limited to information held in 'structured' files. These are collections of files or papers organised in a way that makes it easy to find information about a particular individual. This would include files which are indexed or arranged by reference to the name of the person concerned, or to some other identifying feature such as their household, street name, post code, car number plate, national insurance or other reference number.
The DPA does not, in general, allow you to see personal information held on paper which is not organised in this way, (described in this guide as 'unstructured' information). So a set of files containing correspondence from many people arranged chronologically, and not by the name of the person sending the letter, would probably not be covered (unless it was separately indexed by name). Occasional references to you in other kinds of files or papers would usually not be covered either.
In brief, the position is:
All these rights are subject to a variety of exemptions, which allow certain information to be withheld. These are described later.
Applying under the DPA
The person holding information ('data') about you is called the data controller. To apply, write to the data controller, saying that you are applying under section 7 of the Data Protection Act 1998 for access to any personal data about yourself. Sending your request by recorded delivery will help avoid any later dispute about whether it was received. If the data controller has different offices or branches and you're not sure which to write to, telephone first and ask. Alternatively, contact the Information Commissioner's office or look at the data controller's Register entry, which can be found on the Internet at www.dpr.gov.uk.
Organisations must register under the Act and provide an address for 'subject access' requests in their register entry. The register entry must also specify the purposes for which information is held. A data controller must not hold or use the information for purposes incompatible with those stated in the register entry.
Before supplying information the data controller is entitled to ask you for proof of your identity and for any further details needed to locate data held about you. It may help if you say what your relationship to the organisation is (eg customer, employee, student, patient), give any relevant dates or reference numbers and say which of its offices or branches you have dealt with - but don't volunteer any information which you regard as sensitive. You do not need to say why you want the information. The data controller cannot refuse access because you might use the data to criticise the controller, complain or take legal action.
You may have to pay a fee. At the time of writing the maximum fee is £10, though some organisations charge less or nothing. If information is held about you in both computer form and in structured paper files, a single £10 fee covers both.
Different rules apply to health and educational records, where you could be charged up to £50 (including the cost of all photocopies) and credit reference agency records where the maximum fee is £2. These fees are explained in more detail later.
The data controller must normally give access within 40 days of receiving your request and any supplementary details needed. It must supply the information in "permanent form". This normally means a print-out or a photocopy, but could also include copies of microfiches, x-rays, or audio/video cassettes. Any unintelligible terms, such as computer codes, must be explained.
The data controller can refuse to supply a permanent copy of the data if this is not possible or would involve 'disproportionate effort'. You would still be entitled to inspect the information.
Parents and children
The Act has no minimum age requirement for applicants. Children can apply for their own records provided they are capable of understanding the nature of the request. A parent or guardian can only apply on the child's behalf if (a) the child has given consent or (b) the child is too young to have the understanding to make an application. A parent concerned about a small child's health probably would be able to see the medical record. But a parent wishing to defend him or herself against allegations of child abuse, or looking for evidence to support a custody claim, probably would not.
The DPA gives you the right to have inaccurate data about yourself corrected. This only applies if the data is incorrect or misleading about any matter of fact or contains an opinion based on data which is factually incorrect or misleading. In such cases you are entitled to require the data controller to correct, erase, destroy or block the use of the information. Opinions cannot be challenged unless they are based on wrong facts - but if you disagree with an opinion, it is worth asking for your own views about the disputed data to be added to the record, though there is no explicit right to have this done.
The DPA's right of correction comes into force with the right of access. So, for example, the right to correct errors in structured files applies from October 2001.
You should send a written notice to the data controller asking for a correction, saying why you think the information is incorrect. If the data controller refuses to comply with your notice, you can complain to the Information Commissioner or apply directly to the court. It will usually be to your advantage to go to the Commissioner first, since this costs nothing and does not prevent you going to the court later.
The data controller can withhold certain kinds of 'exempt' information from you. The main exemptions apply to:
If the information can be disclosed to you in a way that does not identify the individual - for example by deleting the name or other identifying features - then you are entitled to it.
Only identifiable individuals, not organisations, are protected. Thus information which would reveal that a former employer had supplied information about you would not be exempt unless you would be able to identify the particular individual (e.g. a particular manager). This exemption does not protect the identity of a health professional, social worker or teacher who has provided information which is recorded on your health, social work or educational record.
The exemption is not restricted to bodies like the police or Inland Revenue. So, information about suspected fraud held by a bank or a social security officer could also be covered.
Not all law enforcement information is necessarily exempt. If you are the victim of a crime you should be able to see what is held about you without much risk of prejudicing the purpose for which the record is held. But if you are the suspect, the chance of the information being withheld will be much greater.
Information revealing how anyone is classified under a system for assessing potential tax evasion or benefit fraud is exempt where the exemption is required in the interests of the operation of the system.
The DPA contains many other exemptions. For example, for data used purely to calculate pay or pensions, or for business accounting purposes or for managing an individual's personal or family affairs; for data kept solely for statistical, historical or research purposes and published anonymously; for data processed for the publication of journalistic, literary or artistic material; to information that could harm the financial interests of the United Kingdom; and to lawyer-client communications.
Will you know what has been withheld?
One of the weaknesses of the DPA is that you need not be told whether exempt information has been withheld. You have no right to be told whether you have been given access to the full file, or only an edited version. You may even get a deliberately ambiguous reply to your request, such as 'We hold no data on you which we are required to disclose to you'. This could mean that no information is held on you - or that there is a file, but everything in it is regarded as exempt.
Nevertheless, it is worth asking if anything has been held back: it may be difficult for the person involved to evade a direct question. If you suspect you have been refused access to information which is not genuinely exempt you can ask the Information Commissioner to investigate - see below under 'Enforcing the Act'.
You have additional rights of access to your own health records. Under the DPA you are entitled to see all information relating to your physical or mental health which has been recorded by or on behalf of a 'health professional' in connection with your care. This applies not just to computerised data and structured files but to 'unstructured' data as well. The right of access covers both NHS and private medical records, and information of any age, however long ago it was recorded. These rights existed before the 1998 DPA and are not dependent on the October 2001 commencement date.
The health professionals whose records can be seen are doctors, dentists, opticians, pharmacists, nurses, midwives, health visitors, clinical psychologists, child psychotherapists, osteopaths, chiropracters, chiropodists, dieticians, occupational therapists, physiotherapists, radiographers, speech therapists, music and art therapists, orthoptists, prosthetists, medical laboratory technicians and scientists who head health service departments.Your access rights are more limited if:
In these cases, you are entitled to see computerised data and (from October 2001) structured files - but not unstructured information. However, you have additional rights to see medical reports supplied for insurance or employment purposes (see below).
Charges - If you just want to inspect your records, and not have copies, access must be given without charge, so long as any information has been added to your record in the last 40 days. This should allow free inspection by anyone who has recently been seen by a health professional.
If you ask for copies, you can be charged up to a maximum of £50 for all copies supplied to you, including copies of non-paper records such as x-rays. You cannot be charged more than this, however many copies are involved. If your request applies solely to computerised information, a maximum fee of only £10 may be charged.
You will not normally be able to see confidential information about another person, such as another member of your family, which has been recorded in your own record unless that person consents or it is reasonable in the circumstances to disclose this to you. The same applies to information identifying an individual who has supplied information about you, other than health professionals.
A health professional does not need another health professional's permission to show you information recorded by that person. So your GP cannot withhold, say, a letter from a hospital consultant on the grounds that he or she needs the consultant's permission for disclosure. However, if there is a possibility that you might be seriously harmed by the record, the health professional responsible for the relevant aspects of your treatment may have to be consulted (see below).
Parents normally require their child's consent before they can see the child's records. If the child is too young to give an informed consent, the parent may be given access except where the child gave information in the expectation that it would not be revealed to the parent or expressly asked for it not be disclosed. The same rule applies to a situation where the data subject is an adult incapable of managing his own affairs and the person seeking access is someone who has been appointed by a court to manage those affairs.
Relatives of someone who has died have no right to the deceased's records. The only exception is if the death may have been caused by negligence. In this case, a provision in the Access to Health Records Act 1990 allows someone who might be entitled to compensation - usually a dependent - to get records relating to the cause of death. All other provisions of this Act have been repealed.
In addition to the other exemptions in the DPA, information likely to cause "serious harm" to the physical or mental health or condition of the applicant or someone else is exempt. This decision can only be taken after consulting a health professional, normally the doctor treating the patient for the condition concerned. If the health professional's opinion was given more than 6 months ago, a new opinion must be obtained.
This provision might allow information to be withheld from, for example, someone with a mental illness whose condition could be seriously aggravated by seeing the record. It is not, however, a blanket exemption for psychiatric - or any other class of - patients. Studies have shown that most psychiatric patients benefit from seeing their medical records, provided they have been written in the knowledge that they might be seen and someone is available to help explain them.
This exemption refers to "serious harm" - not to "harm" or "distress". It should not permit doctors to withhold upsetting news from patients who want the truth, particularly if they could be helped to come to terms with it by support and counselling.
Medical reports for employers or insurers
If your doctor writes a report on your health for an insurance company or an employer you have the right to see it before it is sent under the Access to Medical Reports Act 1988.
Only reports by doctors who are or have been involved in your medical care are covered. A report by an independent doctor, who has never treated you, and acts solely for the insurer or employer is not subject to this Act, and will only be accessible under the DPA.
An employer or insurer cannot contact your doctor unless it has your written consent and has informed you of your rights under the 1988 Act. You must be invited to say whether you want to see the report before it is sent. If you say yes, the doctor should wait 21 days before sending it, to allow you to arrange to see it. Get in touch with your doctor straight away and ask to be contacted as soon as the report is ready.
No charge can be made if you just inspect the report; if you want a copy you can be charged a "reasonable fee". If information has been withheld under an exemption (eg for 'serious harm') you are entitled to be told.
If you see the report and are unhappy with it - for example, if you feel it involves an unacceptable breach of your privacy, or misrepresents the position - you have the right to stop it being sent. But if you do, the employer or insurer may not be willing to offer you the job or insurance policy - so do not take this step lightly.
The doctor is required to keep a copy of the report for six months after sending it, and to let you see it if you ask. This may be valuable if you are unexpectedly refused insurance or employment.
If you believe that a doctor, employer or insurance company has breached the Act you can apply to a court for an order requiring compliance. If a doctor has sent a report without your consent, this may be a breach of medical confidentiality. You may have grounds for a complaint to the General Medical Council.
Social work records
You are entitled under the DPA to see all information held about you by a local authority social services department, including 'unstructured' information.
In addition to the normal DPA exemptions information can be withheld if disclosure would be likely to cause serious harm to your or any other person's physical or mental health.
A parent would not normally be entitled to see a child's records without the child's consent. If the child is too young to consent, the parent can apply on the child's behalf. Any information which a child has provided in the expectation that it would not be shown to the parents is exempt.
These exemptions mean that a parent who is accused of child abuse is unlikely to be given access to the child's records, or to information provided by the child but recorded on the parent's file. But the parent should still be able to see other information recorded about him or herself such as the notes of an interview or home visit, so long as disclosure would not expose the child to risk or prejudice law enforcement.
A family member caring for a mentally handicapped adult who cannot give an informed consent to their application has no explicit right of access to that person's file, unless they are acting under a power of attorney or an order of the Court of Protection.
Information about someone else which is recorded on your file, and anything which would identify an individual who has provided information about you will normally be exempt, unless disclosure to you is reasonable in the circumstances.
The Department of Health has issued a guidance - "Data Protection Act 1998 Guidance to Social Services" - on access to social records. It is available on the Internet at www.doh.gov.uk/scg/datap.htm, or by writing to:
Parents, and pupils who are 16 or over, have had the right to see local education authority (LEA) school records for a number of years. The DPA has now extended this right to younger pupils. There is no minimum age: any pupil who makes a written request to see their school records is entitled to do so, unless the pupil does not have the ability to understand what they are asking for. The right applies to any information produced by a teacher, an education welfare officer or an employee of the LEA. Access must be given within 15 days.
In addition to the general exemptions in the DPA:
Educational records can be inspected free of charge. Photocopying charges are limited to a maximum of £1 for the first 20 pages, plus a further £1 for every subsequent 10 pages, up to a maximum of £50. This maximum applies regardless of how many pages are supplied.
If you are or have been a local authority tenant, have applied to be one, or have bought your council home, you have the right to see the council's housing records on you, including unstructured information. Housing records often contain information about a whole family. Under the DPA, you have no automatic right to information about other family members without their consent, unless disclosure is reasonable in the circumstances. The Department of the Environment, Transport & the Regions has told local authorities that its view is that it normally will be reasonable to reveal information about other family members held in connection with a tenancy. However, if other members of your family have no objection, it may be safest to include signed statements from them saying that they agree to the release of any personal information held about them.
Credit reference agency records
When you apply for a loan, credit card, bank account or mortgage the chances are that the company involved will run a check on you with a credit reference agency. These agencies check the electoral register to confirm that people live where they say they do, and report on bad debts, bankruptcies and perhaps on how well people keep up repayments of existing loans. If any of the information about you is wrong, it could be extremely damaging. The DPA allows you to see this information.
If you are about to apply for a mortgage or other major loan it may be worth checking in advance to see what information credit reference agencies hold on you. Correcting any errors in advance could help you avoid problems at a later stage, when you may not be able to get things put right in time.
When you apply, you should state that your request is limited to personal information relating to your financial standing. The data controller then has to reply within seven working days. The maximum fee it can charge you is £2 and you should enclose this with your application.
Under the Consumer Credit Act 1974 you are entitled to have incorrect information corrected. If the file contains mistakes, the agency must correct them and tell you what it has done within twenty-eight days. If it refuses, or you aren't satisfied with the amendment you can send it a note of correction of up to 200 words which it must add to your file and send out whenever information about you is supplied in the future.
The two main credit reference agencies in the U.K. are:
Other Data Protection rights
A data controller must only use information about you in accordance with the data protection principles. Amongst other things, these require that the information must be collected and used fairly and lawfully, that the information must be accurate and adequate and not held longer than necessary for the purposes for which it is held. These purposes must be specified in the data controller's data protection register entry. The information must not be used in a manner incompatible with those purposes. The data protection principles also require that information must not be transferred to countries outside Europe if those countries cannot guarantee the same level of protection of the rights and freedoms afforded under the DPA.
These principles apply to computerised records already. Structured manual files will not be fully covered until 24 October 2007.
Under the DPA, you are entitled to be informed by the person holding information about you what the information is, why it is being used and to whom it has been or will be disclosed.
The data controller's register entry must state in general terms the kinds of organisations to whom it may want to disclose data, but need not give the names of the specific organisations. For example, it may tell you that disclosures will be made to local authorities - but not which ones.
You cannot be required under the terms of a contract to obtain your health records and pass them on to an employer or anyone else. When the DPA is fully in force it will also prohibit an employer or service supplier from requiring you to obtain and pass on to it information from your criminal or police records. However, separate legislation will allow employers to require prospective employees to obtain a certificate of convictions from a new criminal records bureau.
Enforcing the Act
If a data controller fails to comply with any of the Act's requirements - for example if it withholds information which is not exempt, fails to respond to your request within 40 days, or refuses to correct demonstrably inaccurate information - you can complain either to a court or to the Information Commissioner. The Commissioner is usually preferable, as this costs you nothing.
Also, if you have suffered damage because a data controller has contravened the DPA, you are entitled to compensation under section 13 of the Act. This right is enforceable through the High Court, but the Commissioner has the power to consider whether the contravention has caused any damage.
Codes of Practice
Although 'unstructured' personal data is not available under the Data Protection Act, this will change when the proposed Freedom of Information Act is fully in force. The Act will amend the DPA to create a right of access to unstructured personal information held by public authorities.
In the meantime, you should be able to obtain such information under the non-statutory Code of Practice on Access to Government Information (also known as the 'Open Government' code), which came into force in 1994. The Code commits government departments and agencies and other bodies supervised by the Parliamentary Ombudsman to release information on request. It applies to official information generally, as well as personal information.
Under the code departments and agencies must also make available the internal guidance they use in dealing with the public. So you should be able to see the procedures meant to be followed by officials who deal with say, your benefit application and check that you have been fairly treated. It also requires departments to give people reasons for administrative decisions which affect them.
One of the Code's limitations is that it only offers access to "information" and not to copies of actual documents. Departments may resist disclosing photocopies of actual documents and offer to answer your questions in a letter instead. However, the Parliamentary Ombudsman, who enforces the code, has said that where documents are requested, he would expect a department to disclose a photocopy of it, provided it does not contain any exempt information and can be disclosed in full.
The Code exempts varies kinds of information from disclosure. Personnel records are exempt altogether, so civil servants cannot see their own employment files under the code.
Other exemptions apply to information harmful to national security, defence and foreign relations; disclosures which would "harm the frankness and candour of internal discussion"; information which would prejudice law enforcement, legal proceedings, public safety, public order, the economy, tax collection, the commercial interests of an authority or a third party, and information supplied to the government in confidence. Departments can also refuse requests which are "vexatious or manifestly unreasonable or are formulated in too general a manner or which...would require unreasonable diversion of resources". There are other exemptions as well.
However, the code says that most kinds of exempt information can be disclosed if any harm that might result from disclosure is outweighed by the public interest in making the information available. It may be difficult to argue that a request that you are making for your own personal files is a matter of public interest. But if the information you are seeking has wider implications (for example if it shows that a department is routinely ignoring its own rules, or that people are not receiving a benefit they are entitled to) you may want to argue that there is a public interest in disclosure, even if the information is exempt.
Straightforward requests are generally handled free of charge. However, if your request is time-consuming, you may be asked to pay a fee, based on the number of hours of staff time spent on the request. A certain number of free hours is normally allowed (usually between one and five, depending on the department) followed by an hourly charge of £15 or £20. You will be told the likely charges in advance, and asked if you agree to pay.
Applying for information
You should make your application in writing to the body which holds the information you want. Your letter should say that you are asking for the information under the Open Government Code of Practice, and ask for a reply to be sent to you within 20 days - the Code's target response time. Make your request as specific as possible: this will reduce your chances of being charged a fee, or having your request turned down altogether.
If you are not sure who to send your request to, a list of 'open government contacts' in each department and agency can be obtained from the Internet at http://www.lcd.gov.uk/foi/codprac00/10app06.htm.
If you are refused information, you should be told which exemption has been relied on. If you think information is not in fact exempt, you should ask the body concerned to review its decision. The review will normally be carried out at a more senior level within the department or agency. If, after this, you are still dissatisfied you can complain to the Parliamentary Ombudsman. But you must normally have asked the body concerned to reconsider its own decision first. The Code of Practice is not legally binding, but the Ombudsman's recommendations carry weight in government and are usually accepted.
Unfortunately, you cannot write to the Ombudsman directly, you must ask an MP to refer your complaint to him. This can be done by any MP, not just your own constituency MP.
Scotland has a separate code, the 'Code of Practice on Access to Scottish Executive Information' supervised by the Scottish Parliamentary Ombudsman. In Wales the National Assembly of Wales has its own 'Code of Practice on Public Access to Information'. A further code applies to NHS bodies and is supervised by the Health Service Ombudsman. You can complain to the relevant Ombudsman directly under these codes, you do not need to go through an MP. However, the Ombudsman will expect you to have asked the body concerned to review any initial refusal before he will investigate a complaint.
Copies of the various codes can be found on the Internet at:
Office of the Information Commissioner
Information telephone line: 01625 545 745
Freedom of Information and Data Protection Division
Tel: 020 7273 3602
Office of the Parliamentary Ombudsman
Telephone: 0845 015 4033
Welsh Administration Ombudsman
Telephone: 0845 601 0987
Scottish Parliamentary Ombudsman
Telephone: 0845 601 0456
The Health Service Ombudsman
Telephone: 0845 015 4033
Campaign for Freedom of Information
16 Baldwins Gardens
Telephone: (020) 7831 7477