Can anyone tell me if the DPA covers written material? For example if a company has a written report of me, legally can I see it?

If it's held on a computer then I assume so Russ!

Why - what have you been up to now you naughty boy? :nono:

If it's held on a computer then I assume so Russ!

Cool!! Only written documents tend to be on paper, not on a computer.... ;) :D but thanks anyway!

As for what I've done? Nothing, that's just the thing - I want to see what someone says I've done ;)

Sorry luv - read it in a hurry!
Care to share the latest allegations?

I have to be careful with what I say in case by some chance the people involved get to see this site, but the general outline is that I was once involved with an organisation who it now appears have some incorrect information about me. Due to the nature of the organisation it's unlikely this information will be held on a computer however I'm reliably informed the allegations are kept in written form.

I really need to see these documents are they are potentially damaging, so I need to know if under the DPA I'm entitled to see them.

Try looking here: http://www.dataprotection.gov.uk (http://www.dataprotection.gov.uk/)

Might be a bit of a pain but all the info seems to be there.

Good luck and hope you sort it out!

The Data Protection Act of 1998 does allow you to see any written documents as well as any computer documents. Well that's what we were told at work.

EDIT: The company can charge you for it and I don't know if it can be enforced to anything held before 1998.

Tried that site - it made as much sense as an inebriated Glasweigen :spin:

Well there's a 'contact us' button - could always give that a go! :)

Or give your local Citizen's Advice a go - they are usually helpful.

More specifically, the organisation in question claims to have documents written by myself which I can say with 100% surety that I did not write. Although they are not publically stating they have such papers, they have told me they claim to have them in their possession. I need to know if the DPA gives me the right to see these letters. Could they be my intellectual property for instance?

The company can charge you up to £10 (I think)

For that you get everything they can find thats written about you. Not just your HR file, but they should search e-mail archives, records kept by departments, payroll records, attendance records, sick records, the lot. Its massively onerous on the employer and most have not fully prepared to handle it.

The old DPA used to cover computer only records, the new one covers computer and paper, so a handwritten note on a file about you is fair game.

You need to write to your companies data controller and make a request enclosing a cheque for a tenna. A "Subject Access Request"

If they cannot comply then the DC is potentially subject to criminal sanctions.

If you want more help PM me, or ask on the forum. I'm not an HR expert, but pretty good at ensuring compliance with such regs.

More specifically, the organisation in question claims to have documents written by myself which I can say with 100% surety that I did not write. Although they are not publically stating they have such papers, they have told me they claim to have them in their possession. I need to know if the DPA gives me the right to see these letters. Could they be my intellectual property for instance?

If you created them while being paid by them then the IP probably resides with them. e.g a M$ ee writing code for WXP does not own the IP to that code M$ does.

If in his bedroom at home he writes the next google, then thats his IP.

Cheers for that, only it's not a previous employer! As I said, it's a bit of an unusual situation and I can't go in to detail yet until I've sought legal advice. But this organisation I used to be involved with is claiming I wrote letters to them (which I know I didn't) and the contents of which is something I would dispute even if I HAD written to them.

Subject Access Requests

http://www.dataprotection.gov.uk/dpr/dpdoc.nsf/ed1e7ff5aa6def30802566360045bf4d/9092e8f0d4b12f4d802569f9003f5763?OpenDocument

V.2 2/11/00
Data Protection Act 1998
Compliance advice

Frequently asked questions
Subject Access


Q. How can I find out what information is held about me?
A. A request for a copy of information held about you is known as a "Subject Access Request." Requests must be made to the person or organisation ("data controller") who you think processes (for example, holds discloses and/or uses) the information to which you want access. Requests must be made in writing and must be accompanied by the appropriate fee (as to which see below).

You are entitled to be told if any personal data are held about you AND, if so:
· to be given a description of the data;
· to be told for what purposes the data are processed and
· To be told the recipients or the classes of recipients to whom the data may have been disclosed.
This information should include what sort of data are held, the purposes for which the data are processed and the type of organisation or people to whom the data may be disclosed.

You are also entitled;
· to be given a copy of the information with any unintelligible terms explained;
· to be given any information available to the controller about the source of the data;
· to be given an explanation as to how any automated decisions taken about you have been made

Q. How much does it cost to gain access?
A. Data controllers may charge a fee of up to £10 for responding to a subject access request.

Unless you specifically ask to be given an explanation as to how any automated decisions about you have been made, the data controller is not obliged to provide such information. If you do specifically include a request for such information in your request then the data controller must provide it within the single £10 fee. If you do not, then the data controller is entitled to charge a separate fee of no more than £10 for the separate provision of such information. You should also be aware of the fact that data controllers may not be required to provide such information if, or to the extent that, the information amounts to a trade secret.
Different fee structures apply to some 'accessible records' such as health, education or social services files.


Q. What else do I need to do?

A. Data controllers may ask for the information they reasonably need to verify the identity of the person making the request and to locate the data. This means you may need to provide the data controller with proof of your identity and information such as whether you were a customer or employee of the data controller concerned.

Q. What is the timescale for gaining access to the information?

A. The 1998 Act requires data controllers to comply with subject access requests promptly and, in any event, within forty days from receipt of the request or, if later, forty days from the day on which the data controller has both the required fee and the necessary information to confirm your identity and to locate the data.

The Act requires the information to be provided promptly. This means a deliberate delay on the part of a data controller is not acceptable and the Commissioner might make an adverse assessment of a data controller where the data controller delayed requesting payment of any required fee, or the provision of any further details required to identify or locate the required information, where such delays resulted in the response to the subject access request being provided after forty days from receipt of the original subject access request.

There are different periods for requests for copies of credit files (seven days) and for school pupil records, which is fifteen school days.

If a data controller already has in place a system for the provision of information for one purpose (e.g. a data controller who provides information to a commercial organisation within a certain timescale) then the Commissioner would expect that data controller to be able to deal with a subject access request for the same or similar information promptly.


Q. What can I do if access is not given to me?

A. Although there are some limited circumstances in which access can be withheld, access should normally be provided to you. If you feel your request has not been complied with you may take further action, as follows: -

1. Write back to the data controller setting out why you think that the information should have been provided to you. If you receive a response with which you are not satisfied, then the options available are as follows: -

(a) You may apply to the court alleging a failure to comply with the subject access provisions of the 1998 Act. The court may make an order requiring compliance with those provisions and may also award compensation for any damage you have suffered as a result and any associated distress.
(b) You may write to the Information Commissioner. The Commissioner may do one of the following: -
(i) make an assessment as to whether it is likely or unlikely that the data controller in question has complied with the 1998 Act.

(ii) issue enforcement proceedings if she is satisfied that the data controller has contravened one of the Data Protection Principles.

(iii) recommend that you apply to court alleging a failure to comply with the subject access provisions of the 1998 Act.


Further information on individual rights is available, see paper entitled "Using the law to protect your information", which can be found @ www.dataprotection.gov.uk under Guidance & other publications/sub heading your rights. More specialist information on access to credit health social services, school pupils and local authority housing records is also available.

Detail re: email

http://www.dataprotection.gov.uk/dpr/dpdoc.nsf/ed1e7ff5aa6def30802566360045bf4d/91f613d25a5aebb180256900003aea6e?OpenDocument

And this is the kinda response that deserves some spreading around of the rep points!

Excellent article, but it doesn't specifically state whether written documents are included....

Tried that site - it made as much sense as an inebriated Glasweigen :spin:


UlLLL Ave ye YAAA BAAAAAAAMMMMM!!!!!!!! :Peace:

Yes they are included

The DPA covers both computer and manual records.

Manual records are essentially paper records, paper files, card index systems, some notebooks and diaries, indices etc. held in a structured manual filing system; easily retrievable by virtue of their structure.

Written documents are included. This was the big change in the 1988 DPA. The document does not have to be created post '88 either. This was the reason that many Dr. kept paper records, but now SARs extend to them they are computerising peoples medical history.

From an employment perspective, this can extend to written scribbles on a CV as noted during an interview.

A subject access request can be made on any organisation that holds data on living beings, so you could do one on the DVLA for example even though you have never worked for them (i assume).

Ok cheers everyone, as soon as I make progress with this, I'll explain what the situation is...