Data Protection Act

The Data Protection Act gives you the right to know what information companies hold on you and how they can use it. It also sets out rules about the way companies handle your personal data.

Collecting your personal data

When you buy goods and services, or even just visit a website, the organisations you deal with will collect information and data about you. 

This might include your name, address and date of birth.

It can even include things like the school you went to, the job you do, details about your partner or family, or the sorts of things you buy online.

Like it or not, many organisations, including councils, hospitals, travel companies, banks and supermarkets hold data about you.

What data can you access?

You have a right to know what information companies hold about you. Asking for this data is known as making a subject access request. 

Under the Data Protection Act, companies must let you know what information is held about you, whether it is on computers or on paper. Companies are allowed to withhold certain information from you, for example:

  • If it could identify someone else who does not want to be identified
  • If you are being investigated for a crime
  • If you want to access the records of your deceased relative

Changing inaccurate information

If you discover that an organisation holds inaccurate information about you, for example, it says that you are married when you are now divorced, you can ask it to correct, block or remove the information.

You will need to write to the organisation and tell them of the inaccuracy, including proof where possible. 

If you do not get a reply or the information is still wrong, you may wish to contact the Information Commissioner and ask them to consider whether the organisation has breached the Data Protection Act.

Stopping your information being used

The Data Protection Act means that you have a right to ask an organisation not to hold or use information about you that causes substantial unwarranted damage or distress. 

If you do this, the organisation has 21 days to respond to your request, and can refuse only if the information that it holds about you is:

  • held with your consent
  • necessary for agreeing or carrying out a contract
  • necessary to carry out any legal obligation that applies to the organisation
  • necessary to protect your vital interests

If you think that an organisation has breached the Data Protection Act, then under Section 42 of the Act you can make a complaint to the Information Commissioner's Office.

Stopping unwanted direct marketing

You have a right to ask companies to stop unwanted direct marketing – whether it is by phone, post or email.

Most companies keeping personal information about you will give you the chance to opt out of direct marketing. 

If you ask a company not to use or pass on your information for direct marketing purposes, it must not do so.

Currently there are generally two things you can do if you are a private individual receiving unsolicited marketing information through the post (junk mail):

  • You can register your details with the Mail Preference Service (MPS). Although it is not a legal obligation for Data Controllers to check the MPS before sending junk mail, most reputable organisations will do so.
  • You can exercise your right under the Act to ‘Prevent processing of your personal data for Direct marketing Purposes’ (section 11 of the Data Protection Act). You can use our template letter to issue a Section 11 Notice.

If you continue to receive junk mail from a company after asking to be removed from its mailing list, you should contact the Information Commissioner's Office (ICO).

The ICO is the UK's independent authority set up to uphold information rights in the public interest. It has a useful tool on its website which guides you through your complaint options.

Companies' responsibilities

Under the Data Protection Act, anyone who processes personal information must make sure that the information is:

  • adequate, relevant and not excessive
  • processed fairly and lawfully
  • obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
  • accurate and up to date
  • processed in accordance with the rights of data subjects under this Act
  • not kept for longer than is necessary
  • secure, i.e. measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
  • not transferred to other countries without adequate protection
