I have been told that under the Data Protection Act 2018 I can access any information held about me by anyone holding it and that they have to send it to me quickly – is this so?
Broadly speaking – yes. And other points are that:-
- a) The information has to be given to you for free – charges are not allowed other than in very limited circumstances.
- b) The information has to be provided in the format in which you ask for it – this means (for example) that if you ask for your information by email it should be provided to you by email.
As to speed of response – the law says that data holders have one calendar month to give you what you want.
The Data Protection Act 2018 governing this legal area came into force in May of 2018. It replaced the previous law the Data Protection Act 1998 (which did allow charging for providing information).
This new 2018 Act of Parliament had to be passed because of a European Union (EU) regulation called the General Data Protection Regulation (GDPR) made some years ago and binding on all EU member states. The GDPR stated that member states had to put in place quick easy routes to people obtaining information about themselves held by others. The time limit for getting the GDPR passed into the laws of EU member states was May of 2018.
The GDPR also puts limits on when and for how long data holders can obtain and keep information. It was for this reason that in the run up to the new law coming into force and for a time after it did we were all bombarded with texts and emails asking us for our permission for data holders to keep information on us. (Thankfully it seems this blizzard of communications has eased off a bit as time has gone by).
A lot of this contact apart from being a bit of a pain was unnecessary in that the new law does allow data holders or controllers to hold data on us in circumstances where they have a good reason to do so – this can include business reasons.
The GDPR was passed back in 2016 before more recent highly publicised mass data breach scandals and before the general public were so aware as we all are now that masses of information is held about us by large-scale internet based and other organisations.
No doubt those who passed the GDPR hoped that issues arising from the misuse of data and the unjustified retention of it might diminish once things were made tighter. It is too early to say whether such hopes will be justified. It is also too early to say whether the new law will have any limiting effect on areas such as law enforcement or investigative journalism for example.
On unwanted marketing however which is perhaps one of the main ways most of us have become aware of data issues – has anyone in legal eagle’s readership noticed any reduction in the number of emails and texts you get trying to sell you things and the amount of junk mail through your letter-box? No? Thought not.
Blog by Adrian Dalton, Partner