Data protection legislation and subject access requests

As an organisation that handles personal information, Ordnance Survey (OS) must comply with Data Protection legislation

Data protection legislation

The UK General Data Protection Regulation states that personal data shall be:

  • Processed lawfully, fairly, and in a transparent manner in relation to individuals. (lawfulness, fairness and transparency).
  • Collected for specified, explicit and legitimate purposes and not further processed for other purposes incompatible with those initial purposes (purpose limitation).
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation).
  • Accurate and, where necessary, kept up to date.
  • Kept in a form that permits identification of the data subjects for no longer than is necessary for the purposes for which the personal data are processed. We may store your personal data for longer periods, but we will ensure we have a legal purpose for this, such as for archiving purposes in the public interest, scientific, or historical research purposes. Or statistical purposes subject to implementation of appropriate technical and organisational measures required by the legislation in order to safeguard your rights (storage limitation).
  • Processed in a way that ensures appropriate security of the personal data. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. (integrity and confidentiality).
  • The controller shall be responsible for, and be able to demonstrate compliance with the principles (accountability).

How OS uses your personal information

If you would like information on how OS collects and uses your personal information, please see our privacy policy for further details.

See our privacy policy

What is the ‘Right of Access’?

You are entitled to request a copy of the information we hold about you under the ‘Right of Access’. You are only entitled to your own personal data, and not to information relating to other people (unless you are acting on behalf of that person). This is known as a subject access request (SAR).

Unless there is an applicable exemption, you are entitled to be given information on:

  • Whether your personal data is being processed.
  • The purposes of the processing.
  • The types of personal data being processed.
  • A copy of your personal data being processed.
  • The recipients or categories of recipients your data will be disclosed to. This includes countries outside of the EU and the appropriate safeguards in place to protect your data.
  • Where possible, the envisaged period of time your data will be stored and processed.
  • The right to request rectification, erasure or restriction of the processing of your personal data.
  • The source of your data, if it has not been collected directly from you.
  • The existence of automated decision making, including profiling.

Please note that should another person request information about you, unless specifically allowable under the Freedom of Information Act (FOIA) or Data Protection legislation (normally for other legislative purposes), their request is likely to be refused under the Section 40 personal information exemption, under the FOIA.

How to make a subject access request (SAR)

You may send your request via the following methods:

  • Complete an online form. Please fill out the form below
  • Email our Data Protection Officer at DPO@os.uk
  • Write to us at The Data Protection Officer, Customer Service Centre, Ordnance Survey, Explorer House, Adanac Drive, Southampton, SO16 0AS

Please ensure to:

  • Provide us with as much detail as possible on the information you require. This will enable us to identify the information requested.
  • Include your full name and email, or postal address so that we can reply in full.
  • State in your application if you prefer your information in a particular format, for example, a photocopy or electronic copy.

Before responding to your SAR, we will require proof of identity to ensure that we do not release the information to anybody else other than you.

If you have difficulty in identifying the precise information you require, or difficulty in making the application in writing, please email our Data Protection team at DPO@os.uk, or call our Customer Services Centre who will be happy to assist.

There is usually no charge to make a subject access request. However, we can request a ’reasonable fee’ for the administrative costs of complying with a request if it is manifestly unfounded or excessive, or if you request further copies of your data.

The Information Commissioner’s Office recommends you read their guidance regarding subject access requests to check we have followed the law. If it has been over one month since you made your request you can send a follow up email or letter.

What happens next?

We will respond to your request by acknowledging it and starting the one calendar month ‘clock’ response time we have to respond. We may seek more details or identification from you to help us find your information, at this point we will pause the ‘clock’ until the clarification is received. This means the ‘clock’ is paused for the number of days that it takes you to respond and so the response deadline will move accordingly.

If the request is complex, we may extend the deadline by a further two calendar months, making the response deadline three calendar months in total.

If you do not respond to our request for further information, we will follow up to ensure that you no longer require the information and then close the request.

Related information