Cookies on this website

We use cookies to ensure that we give you the best experience on our website. If you click 'Accept all cookies' we'll assume that you are happy to receive all cookies and you won't see this message again. If you click 'Reject all non-essential cookies' only necessary cookies providing core functionality such as security, network management, and accessibility will be enabled. Click 'Find out more' for information on how to change your cookie settings.

Accept all cookies Reject all non-essential cookies Find out more

What is a Subject Access Request?/Right of Access?


What is the right of access?

The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.

What is an individual entitled to?                    

Individuals have the right to obtain the following from you:

  • confirmation that you are processing their personal data;
  • a copy of their personal data; and
  • other supplementary information – this largely corresponds to the information that you should provide in a privacy notice (see ‘Supplementary information’ below).

Personal data of the individual

An individual is only entitled to their own personal data, and not to information relating to other people (unless the information is also about them or they are acting on behalf of someone). Therefore, it is important that you establish whether the information requested falls within the definition of personal data. 

Other information

In addition to a copy of their personal data, you also have to provide individuals with the following information:

  • the purposes of your processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient you disclose the personal data to;
  • your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it;
  • the existence of their right to request rectification, erasure or restriction or to object to such processing;
  • the right to lodge a complaint with the ICO or another supervisory authority;
  • information about the source of the data, where it was not obtained directly from the individual;
  • the existence of automated decision-making (including profiling); and
  • the safeguards you provide if you transfer personal data to a third country or international organisation.

The ICO guide to the Right of Access can be found here

Quick links:

PRISMS-IG: All our IG policies in one place

Information Security Training Module: Provided by the University, needs to be completed by everyone

NHS Data Security and Protection Toolkit

How to:

Report an information governance incident

Ensure you are working securely