6 - Access to personal data

Summary

Introduction

The rights of the individual to access personal data held about them are probably the most important element of the Data Protection Act. Access to third party data, while covered in this chapter, is also dealt with in Chapter 7 on data sharing. In this chapter we will be examining requests for data on a one-off basis, while in Chapter 7 we will look at sharing data on a regular basis.

It is important when considering access to establish under which legislation access is requested. To do this it is necessary to refer to the definitions of what is and what is not personal data explained in Chapter 3.

The first question to be asked is: ‘Does the data requested relate to the individual who is requesting it or does it relate to someone else?’ If the former, then it is relatively straightforward, as we shall see shortly; if the latter, many more safeguards and checks have to be observed.

Access to the data subject's personal data

Subject access request

Section 7 of the Act gives the data subject, the person whose data it is, the right of access to all data held by the data controller about that person (Section 7.1):

7 (1) Subject to the following provisions of this section and to sections 8 and 9 an individual is entitled –

(a) to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller,

(b) if that is the case, to be given by the data controller a description of –

(i) the personal data of which that individual is the data subject,

(ii) the purposes for which they are being or are to be processed and

(iii) the recipients or classes of recipients to whom they are or may be disclosed. (DPA 1998, s. 7(1))

These will be recognized as the requirements of the fair processing statement under the first data protection principle (see Chapter 5).