Skip to content

Data protection and identity theft

The Data Protection Act controls how your personal information is used by organisations, businesses or the government.

Data protection principles

Everyone who collects data has to follow strict rules called ‘data protection principles’. They must make sure the information is:

  • used fairly and lawfully
  • used for limited, specifically stated purposes
  • used in a way that is adequate, relevant and not excessive
  • accurate
  • kept for no longer than is absolutely necessary
  • kept safe and secure
  • not transferred outside the UK without adequate protection

There is stronger legal protection for more sensitive information, such as:

  • ethnic background
  • political opinions
  • religious beliefs
  • health
  • sexual health
  • criminal records

Find out what data an organisation has about you

The Data Protection Act gives you the right to find out what information the government and other organisations stores about you.

You can write to the organisation and ask for a copy of the information they hold about you. If you do not know who in the organisation to write to, address your letter to the company secretary.

The organisation is legally required to provide you with a copy of the information they hold about you - if you request it.

When information can be withheld

There are some situations when organisations are allowed to withhold information, for example if the information is about:

  • the prevention, detection or investigation of a crime
  • national security or the armed forces
  • the assessment or collection of tax
  • judicial or ministerial appointments

An organisation doesn’t have to say why they are withholding information.

How much it costs

Some organisations may charge you for providing the information. The cost is usually no more than £10 but it can be more if there is a lot of information or if it is held in manual (paper) records.

Make a complaint

If you think your data has been misused or that the organisation holding it hasn’t kept it secure, you should contact them and tell them.

If you are unhappy with their response or if you need any advice you should contact the Information Commissioner’s Office (ICO).

The ICO can investigate your claim and take action against anyone who has misused personal data. You can also visit their website for information on how to make a data protection complaint.

More useful links