Principle 6

6. Personal data must be processed in accordance with the rights of the individual.

As well as placing obligations on data controllers and data processors, the Data Protection Act gives individuals a range of rights to know what personal information is processed about them, to put it right if it is wrong or to stop it being used altogether.

They are also entitled to compensation, in certain circumstances, if they suffer harm as a result of that processing.

The right to obtain a copy of personal data is known as the ‘right to subject access’.

The most commonly exercised right is to object to the processing of personal information for direct marketing. This covers marketing by any channel, for example, mail, telephone, fax and email.

As a business you can charge a fee for subject access. This can be a maximum of £10 and is a figure agreed by law.

Under subject access, if an individual requests access to the data in writing and pays a fee, they must be:

  • Told whether, and for what purpose, their personal data is being processed, where the information came from and to whom it may be disclosed.
  • Given a description of the data involved and all the information forming their personal data, usually as a permanent copy.
  • Told about the logic involved in any automated decision to be made about them based on the data processed.

The next section of this course explains more about subject access, including what to do if someone asks you for a copy of their data.