Data protection and subject access requests

How to access personal data, information or records we hold about you or someone you are responsible for.

Data protection rights

Every individual has certain rights in relation to their own personal data and their privacy, and in relation to the information we keep about you.

Personal data is any information related to a living person, that could be used to directly or indirectly identify that person. A data subject is the living person that the personal data is about.

Right of access (subject access requests) 

You have the right to access personal data we hold about you. This is called a subject access request. This could be electronic information in emails or databases, or paper information in files, records or archives. You can only access your own personal data. If data about other people is included within your files then it is likely that we may not provide you with this information. 

Can I access someone else's data on their behalf?

If you are acting on behalf of a data subject (such as if you are a parent, legal guardian, or solicitor) then you may still have a right of access to information about the data subject. You may need to provide us with documentary evidence. We would need the following evidence to be able to disclose records about someone else to you:

Data subject Evidence required
Child under 12 (or older child lacking mental capacity) Demonstrable evidence that you have parental responsibility for that child.
Child over 12 Your child may be asked to consent or agree to disclose data to you in certain circumstances.
Adult (who lacks mental capacity) Official paperwork listing you as legal guardian of the data subject.
Solicitor or agent (acting on behalf of an individual) A form of authority addressed specifically to the council and signed by the data subject or their legal representative. In some circumstances we may also request explicit consent from the data subject.

Can I access the records of someone who has died?

We can not release information about someone who has died, except to the person who represents their estate. This is because of the common law of confidentiality that protects each person's privacy. The person who represents the estate can be a person who has a 'grant of probate' (if the deceased left a will) or letter of administration (if the deceased did not leave a will or died intestate). 

If you are the personal representative for the deceased person's estate and affairs we will need to see the legal documentation proving this before giving you any records. 

Do you have to give me the information I ask for?

In some circumstances we can not give you information. Examples of situations when this might happen include information from a court, or information which could prejudice a criminal investigation or cause mental or physical harm. These are known as exemptions.

Exemptions are not applied to information very often. We may not tell you if an exemption applies to the information, or why. 

Right to erasure, right to rectification, and right to restriction 

Everyone has the right to request that we delete, correct or limit part or all of the personal information that we hold about you. 

Where we are using your personal data based on a legal power or an official authority that we have, we will only agree to do this if:

  • it is certain that the personal data we hold about you is incorrect; or
  • we no longer require your personal data for the purpose that it was collected.

In most cases we will keep a record of your complaint or request along with the rest of your information.

Every situation is different and we make decisions in response to these requests on a case-by-case basis. We take into account anything that may be relevant, to decide whether we will take action.

Right to objection (right to object to automated decision making)

When we have used any ‘automated decision making’ software (that is, if a computer has made a decision about you without human involvement) then you have a right to ask for a human being to check the decision.

We will always tell you when we do use automated decision making and provide you with details about how you are able to appeal.

Making a data protection request

You can  download the data protection request form here (docx / 32 KB).

You can send your completed form to the data protection officer via email to, or post via the address on the form.

You will also need to send copies of documents that prove your identity and address, so that we can be certain that only you have access to your personal data.

What kind of identification do I need to provide?

For proof of identity and address, you will need to provide a copy of two documents, one from section A and one from section B. You are advised to only send copies of these documents to us, and not the originals.

You can post us copies of these documents.

A. Primary trusted documents

  • current and valid passport;
  • current and valid driving licence photocard (full or provisional);
  • birth certificate (issued after time of birth);
  • adoption certificate;
  • marriage / civil partnership certificate;
  • HM Forces identity card; or
  • firearms licence.

B. Secondary trusted documents

  • mortgage statement - issued last 12 months;
  • bank or building society statement - issued in the last three months;
  • bank or building society account opening confirmation letter - issued in the last three months;
  • credit card statement - issued in the last three months;
  • financial statement, for example pension or endowment - issued in the last 12 months;
  • P45 or P60 statement - issued in the last 12 months;
  • council tax statement - issued in the last 12 months;
  • work permit or visa - non-expired;
  • letter of sponsorship from future employment provider - non-expired;
  • utility bill - issued in the last three months;
  • benefit statement, for example child benefit, pension - issued in the last three months;
  • central or local government, government agency, or local council document giving entitlement, for example from the department for work and pensions, the employment service, HMRC - issued in the last three months;
  • EU national ID card - non-expired;
  • cards carrying the PASS accreditation logo - non-expired; or
  • letter from head teacher or college principal - non-expired.

How long does it take?

Once we have checked your identity, and we are certain of what your request is, then we will let you know as soon as possible.

We then have up to 30 calendar days to respond to your request.

If your request is complex or very large, we may need a further 60 calendar days to deal with your request. We will write to you and let you know if this is the case.

Can I complain if I am unhappy?

If you are unhappy with the way in which your data has been handled or the way in which a data protection request has been answered then you may complain to our data protection officer. 

Data Protection Officer
North Yorkshire Council
County Hall
North Yorkshire

Telephone: 01904 552848

If you are still unhappy with the response from our data protection officer, or if you would rather complain straight to a regulator, then you may make a complaint to the Information Commissioner’s Office which regulates data protection and information governance matters in the UK. 

First Contact Team 
Information Commissioner’s Office
Wycliffe House 
Water Lane 
Wilmslow Cheshire


You can find out more information about your data protection rights from the Information Commissioner’s Office here.