Your Privacy Rights Under UK’s Data Protection Act
UK’s Data Protection Act of 1998 gives individuals certain rights when dealing with organizations that handle their personal information.
When exercising your privacy rights, it is always wise to record copies of any correspondence you have with organizations. This may help you provide evidence and a stronger case if an organization refuses or denies your privacy rights and you request an investigation by UK’s Information Commissioner’s Office.
If you believe an organization has breached the Data Protection Act or has denied your privacy rights, you can request that the Information Commissioner’s Office investigate the matter. To do so, visit http://www.ico.gov.uk or call the helpline at 08456 306060.
Accessing Personal Information
If an organization handles your personal information, you have the right to request access to that information.
Requesting access to your personal information requires you to send a simple, straightforward letter addressed to the organization. If you know the organization has a Data Protection Officer, address it to that individual; otherwise, address it to the company secretary.
In your letter, state who you are and what information you request. It is also a good idea to provide enough information for the organization to properly identify your records the first time. Provide your full name, contact information, and any other personal descriptors or account numbers that would help the organization identify your information.
When writing your letter, you should ask for access to your personal information pursuant to Section 7(1) of the Data Protection Act. This may help an individual at the organization who is not familiar with UK privacy legislation to understand the authority under which you are requesting your information.
You may receive a response from the organization with a request for you to provide more information to confirm your identity or to request that you pay a fee to access your information.
The letter you send is formally known as a “subject access request.”
Correcting Personal Information
If you believe an organization handling your personal information has inaccurate or incomplete information about you, you can write to the organization and request that the information be updated.
You should let the organization know what information you believe is incorrect or inaccurate, and what it should do to fix it.
Preventing the Processing of Personal Information
If an organization is sending you unsolicited marketing materials, you can write to the organization and request that it cease doing so. This includes mail, email, telephone, text messages, and fax.
Preventing Automated Decision Making
If an organization makes a significant decision affecting you, and the decision was automated by a computer program or algorithm — without human involvement — you have the right to:
- be told when the decision has been made,
- know what the decision was,
- request a new decision be made differently or with human involvement, and
- request that courts order the organization to comply, if it refuses or you are not satisfied with the results.
A good example is an approval for a loan. If you are denied a loan, and the decision was purely automated, you have the right to have that decision reconsidered with human involvement. The computer program or algorithm is not perfect — it may leave important factors out of the decision-making process.
Claiming Compensation
If you have suffered damage because an organization has breached the Data Protection Act, you have the right to apply to the courts for a claim for compensation. The Information Commissioner’s Office provides a guide to help you accomplish this.

