Subject Access Request: Complete UK Guide for Individuals and Organisations

In today’s digital age, personal data is collected, processed, and stored by countless organisations, from banks and employers to retailers and public bodies. Anyone whose personal data an organisation processes (not only UK citizens) has the legal right to know what information that organisation holds about them. This is done through a subject access request (SAR), a key tool under the UK GDPR and the Data Protection Act 2018. SARs ensure transparency, giving individuals visibility of, and a measure of control over, their personal data.

For organisations, understanding SARs is crucial. Mishandling a request can lead to complaints, ICO enforcement action, and fines. Both individuals and businesses benefit from knowing how to make, manage, and respond to SARs effectively.

What is a Subject Access Request?

A subject access request is a request by an individual asking an organisation for a copy of the personal data it holds about them. No particular form of words is needed, and the request does not have to mention the UK GDPR or use the term “subject access request”. It covers digital and paper records alike, such as contact details, purchase history, employment files, CCTV footage, or correspondence in which the individual is identified.

The main purpose of a SAR is transparency. It allows individuals to see what data is being processed, why, and whether it has been shared with third parties. This visibility is central to data protection law, ensuring organisations handle personal information responsibly.

Legal Definition Under UK GDPR

Under Article 15 of the UK GDPR, individuals have the right to obtain:

  • Confirmation that their personal data is being processed
  • A copy of the personal data
  • Supplementary information, including the purposes of processing, the recipients or categories of recipient, the retention period (or the criteria used to set it), the source of the data where it was not collected from the individual, whether automated decision-making (including profiling) takes place, and the individual’s rights to rectification, erasure, restriction, objection, and to complain to the ICO

This framework provides clarity and legal protection for both individuals and organisations.

When and Why to Make a SAR

SARs can be used in various situations:

  • Check for inaccuracies: Identify outdated or incorrect information.
  • Employment disputes: Access HR records or internal communications.
  • Potential misuse: Verify whether personal data has been disclosed to third parties without a lawful basis.
  • General awareness: Understand what data is stored and how it’s handled.

SARs are valuable whether or not there is a dispute, offering transparency and control over personal information.

How to Make a Subject Access Request in the UK

Making a SAR is straightforward:

  1. Identify the organisation holding your data and confirm the contact point (Data Protection Officer or privacy team). A request sent to any part of the organisation is still valid, but writing to the right team avoids delay.
  2. Submit your request in writing, by email, online form, or verbally. Verbal requests are valid under UK GDPR, although a written request gives you a dated record.
  3. Include your full name, contact details, and sufficient information to locate your records (for example account numbers, dates, or the departments you dealt with).
  4. Provide proof of identity if requested. The organisation may ask only for what it reasonably needs to confirm you are who you say you are, so that data is released to the correct person and not to an impersonator.
  5. Specify the information you want, especially if you only need certain records; this narrows the search and often speeds up the response.

Organisations must treat all SARs seriously, regardless of the format or terminology used.

Timeframes, Fees, and Organisation Responsibilities

  • Organisations must respond without undue delay and at the latest within one month of receiving a SAR.
  • For complex or numerous requests the period can be extended by up to two further months, but the individual must be told why within the first month.
  • Most SARs are free of charge. If a request is manifestly unfounded or excessive (for example repetitive), the organisation may charge a reasonable fee based on administrative costs or refuse to act on it; a reasonable fee may also be charged for further copies of data already supplied.

Organisations must provide information in a clear and understandable format and explain how personal data is processed.
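The one-month limit is counted in calendar months, which produces an edge case that trips up spreadsheet trackers: a request whose clock starts on 31 March is due on 30 April, because April has no 31st. The following Python tracker is an added example, not code from the original article or from the ICO. It applies the ICO’s published counting convention (corresponding date in the next month, or the last day of that month if it is shorter) and the assumption, also taken from ICO guidance, that where proof of identity was reasonably requested the clock runs from the day that proof arrived. The SARRecord fields, the “SAR-nnn” references, the seven-day warning window and all dates are constructed for the example.

```python
"""SAR deadline tracker: calendar-month due dates and overdue reporting."""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import calendar


def add_calendar_months(start: date, months: int) -> date:
    """Corresponding date `months` calendar months after `start`.

    Follows the ICO's convention for counting the SAR time limit: the deadline
    is the same day-of-month in the target month; if that month is shorter and
    has no such day, the last day of the target month is used (31 March -> 30 April).
    """
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def sar_due_date(clock_start: date, extended: bool = False) -> date:
    """One month from the day the clock starts; up to three months in total when
    the organisation has invoked the two-month extension for a complex request."""
    return add_calendar_months(clock_start, 3 if extended else 1)


def sar_due_date_iso(clock_start_iso: str, extended: bool = False) -> str:
    """String wrapper around sar_due_date for use from scripts and tests."""
    return sar_due_date(date.fromisoformat(clock_start_iso), extended).isoformat()


@dataclass
class SARRecord:
    ref: str                                  # internal tracking reference (hypothetical format)
    requester: str
    received: date                            # day the request reached any part of the organisation
    identity_received: Optional[date] = None  # day requested ID proof arrived, if any was asked for
    extended: bool = False                    # two-month extension invoked and explained in month one
    responded: Optional[date] = None

    def clock_start(self) -> date:
        # Assumption used here, following ICO guidance: if proof of identity was
        # reasonably requested, the one-month period runs from the day it arrived.
        return self.identity_received or self.received

    def due(self) -> date:
        return sar_due_date(self.clock_start(), self.extended)

    def status(self, today: date, warn_days: int = 7) -> str:
        if self.responded is not None:
            return "closed_late" if self.responded > self.due() else "closed"
        days_left = (self.due() - today).days
        if days_left < 0:
            return "overdue"
        if days_left <= warn_days:
            return "due_soon"
        return "open"


def status_report(records, today: date) -> dict:
    """Group request references by status so the privacy team can action the urgent ones."""
    report: dict = {}
    for r in records:
        report.setdefault(r.status(today), []).append(r.ref)
    return report


def demo_report() -> dict:
    """Constructed sample register (fictitious references and dates) as of 10 March 2025."""
    today = date(2025, 3, 10)
    records = [
        SARRecord("SAR-001", "A. Example", received=date(2025, 1, 31)),   # due 28 Feb: overdue
        SARRecord("SAR-002", "B. Example", received=date(2025, 2, 20),
                  identity_received=date(2025, 2, 25)),                  # clock from 25 Feb: due 25 Mar
        SARRecord("SAR-003", "C. Example", received=date(2025, 2, 5),
                  extended=True),                                        # due 5 May
        SARRecord("SAR-004", "D. Example", received=date(2025, 2, 10)),   # due today
        SARRecord("SAR-005", "E. Example", received=date(2025, 1, 15),
                  responded=date(2025, 2, 10)),                          # answered within the month
    ]
    return status_report(records, today)


if __name__ == "__main__":
    for status, refs in sorted(demo_report().items()):
        print(f"{status:10s} {', '.join(refs)}")
```

Running the script lists SAR-001 as overdue (31 January plus one calendar month is 28 February, not 3 March as a naive “add 31 days” would give), SAR-004 as due today, and the others as open or closed. The `closed_late` status is worth keeping in a real register: late responses are exactly what a complainant will cite to the ICO.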

What to Expect in a SAR Response

A comprehensive SAR response includes:

  • All personal data held about the individual, not just the records they named
  • Categories of data
  • Processing purposes
  • Recipients, or categories of recipient, of the data
  • Retention periods, or the criteria used to decide them
  • The source of the data, where it was not obtained from the individual
  • Explanation of technical terms, internal codes, or abbreviations used in the records

Data should be supplied in a concise, intelligible and accessible form. Where the request was made electronically, the response should be provided in a commonly used electronic format unless the individual asks otherwise; paper copies are also valid. Any personal data about other people that cannot be disclosed should be redacted rather than used as a reason to withhold the whole document.

When a SAR Can Be Refused or Limited

Organisations may limit or refuse SARs in certain situations:

  • Disclosing information would adversely affect the rights and freedoms of another person, for example where a record identifies a third party who has not consented to disclosure and it is not reasonable to disclose without consent
  • Requests are manifestly unfounded or excessive
  • A specific exemption in the Data Protection Act 2018 applies, for example legal professional privilege, the prevention or detection of crime, management forecasting and planning, negotiations with the individual, or confidential references

If a SAR is refused in whole or in part, the organisation must tell the individual without undue delay (and within the one-month period) why it is refusing, and inform them of their right to complain to the ICO and to seek a judicial remedy. Exemptions should be applied to the specific data they cover, not used to refuse the whole request.

Special Considerations for Children and Third Parties

  • The right belongs to the child, not the parent. Where a child is competent to understand their rights (generally presumed from around age 12 or 13), the child may make the request and a parent can act only with the child’s authority or where it is clearly in the child’s best interests.
  • Requests from third-party representatives (solicitors, family members, advocates) must be backed by evidence of authority, such as a signed mandate or power of attorney, and the organisation should still consider whether the individual would want that information released to the representative.
  • Organisations should follow ICO guidance to balance access rights with confidentiality obligations owed to others.

Escalating Complaints About SARs

If unsatisfied with a SAR response:

  1. Raise the issue directly with the organisation, clearly explaining your concern.
  2. If unresolved, escalate to the Information Commissioner’s Office (ICO).
  3. The ICO can investigate, require compliance, or take enforcement action.

In complex cases, legal advice or court proceedings may be necessary.

Best Practices for Organisations Handling SARs

  • Maintain a documented SAR policy covering receipt, identity verification, searching, redaction, and sign-off
  • Train all front-line staff to recognise a request in any channel (letter, email, web form, phone, social media) and route it promptly, since the one-month clock starts on receipt by any part of the organisation
  • Log every request in a tracking system that records dates received, identity checks, extensions, and deadlines, with automated alerts before due dates
  • Know where personal data lives (including email, shared drives, backups, and third-party processors) so searches are complete, and keep search logs as evidence of a reasonable effort
  • Provide data in a clear, accessible format
  • Balance individual rights with third-party confidentiality and sensitive information protection, redacting rather than withholding wherever possible

Efficient SAR handling builds trust and ensures legal compliance.

Key Takeaways

  • SARs empower individuals to access personal data and understand its use.
  • Organisations must respond within strict timeframes and follow UK GDPR guidelines.
  • Clear procedures, training, and documentation are essential for compliance.
  • Legal exemptions and special cases must be carefully considered.

By respecting SAR rights, individuals safeguard their privacy and organisations demonstrate commitment to data protection.

FAQs

What is a subject access request under UK GDPR?
A SAR allows individuals to obtain a copy of personal data held by an organisation and understand how it is used.

How long does an organisation have to respond?
Organisations must respond without undue delay and within one month, with a possible extension of up to two further months for complex or numerous requests, provided the individual is told within the first month.

Can my employer refuse my SAR?
Yes, but only in limited circumstances, such as if the request is excessive, unfounded, or breaches another person’s privacy.

Is there a fee for making a SAR?
Generally free. If the request is manifestly unfounded or excessive (for example repetitive), the organisation may charge a reasonable fee based on administrative costs or refuse to act on it, and a reasonable fee may be charged for additional copies.

What should I do if I’m unhappy with a SAR response?
First, raise the issue with the organisation. If unresolved, escalate to the ICO for investigation or enforcement.
