Subject Access Requests

What is a Subject Access Request (SAR)?

Under the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018, you have a fundamental legal right to see the personal information an organization holds about you. This process is known as a Subject Access Request (SAR).

Whether it’s an employer, a medical provider, a bank, or a government body, organizations are legally required to be transparent about the data they process. At sar.co.uk, we believe that understanding your data rights is the first step toward digital privacy and security.


Your Right of Access: The Basics

A Subject Access Request allows you to find out what data is being held, why it is being processed, and who it is being shared with. This right applies to almost all organizations operating within the UK.

What can you request?

When you submit a SAR, you are entitled to:

  • Confirmation that your data is being processed.

  • A copy of your personal data (e.g., emails, CCTV footage, file notes).

  • Details on the purpose of the processing.

  • Information on how long the data will be stored.

  • Information regarding the source of the data if it wasn’t collected from you directly.


How to Make a Subject Access Request

One of the most common misconceptions is that a SAR must follow a specific legal format. In reality, a request can be made verbally or in writing. It can be sent via email, social media, or even over the phone.

However, to ensure your request is handled efficiently, we recommend following these steps:

  1. Identify the Controller: Determine exactly which department or organization holds your data.

  2. Be Specific: Instead of asking for “everything,” specify the timeframe or the type of records (e.g., “my employment contract and disciplinary records from 2022”).

  3. Provide ID: Organizations have a duty to ensure they aren’t giving your data to a stranger. Be prepared to provide a copy of your ID or proof of address.

  4. Keep a Record: Always keep a copy of your request and any delivery receipts.


SAR Timescales: How Long Does it Take?

Under UK GDPR, an organization must respond to your Subject Access Request without undue delay and at the latest within one month of receiving it.

Note on Deadlines: If you send a request on September 10th, the organisation should respond by October 10th. If the deadline falls on a weekend or bank holiday, they have until the next working day.

Can they extend the deadline?

Yes. If a request is complex or if you have made multiple requests, the organisation can extend the response time by a further two months. However, they must inform you within the first month and explain why the extension is necessary.


Does a Subject Access Request Cost Anything?

In the vast majority of cases, making a SAR is free. Organisations cannot charge a fee for providing a copy of your personal data.

There are two rare exceptions where a “reasonable fee” can be charged:

  1. If the request is manifestly unfounded or excessive (e.g., repetitive requests).

  2. If you request further copies of the same information already provided.

The fee must be based only on the administrative costs of providing the information.


Common Challenges and Exemptions

While the right of access is powerful, it is not absolute. Organisations may withhold certain information if an exemption applies. Common reasons for redacting or withholding data include:

  • Third-Party Data: If the records contain information about another person, the organisation may redact those parts to protect that person’s privacy.

  • Legal Privilege: Information regarding legal advice or litigation may be exempt.

  • Crime & Taxation: Data may be withheld if disclosing it would prejudice the prevention or detection of a crime.

  • Management Forecasts: Information relating to management planning (like upcoming redundancies) may be restricted if disclosure would damage the business.


What to Do If Your SAR is Ignored

If an organisation fails to respond within the timeframe, or if you believe they have withheld information unfairly, you have several options:

  1. Contact the Organization: First, reach out to their Data Protection Officer (DPO) to request an internal review.

  2. Complain to the ICO: You can escalate the matter to the Information Commissioner’s Office (ICO), the UK’s independent regulator for data protection.

  3. Seek Legal Action: In some cases, you may be able to apply for a court order to compel the organisation to comply or seek compensation for damages caused by the breach.


Frequently Asked Questions about Subject Access Requests

1. Can an employer refuse a Subject Access Request?

An employer cannot simply refuse a SAR because it is inconvenient or time-consuming. However, they can refuse to comply if the request is “manifestly unfounded or excessive.” This usually means the request was made to harass the company or is a repeat of a request already fulfilled. If they refuse, they must explain why and inform you of your right to complain to the ICO.

2. Can I make a SAR for someone else?

Yes, you can make a request on behalf of someone else (such as a child or a client), but you must provide written proof of authorisation. The organisation needs to be satisfied that you have the legal right to act for them to avoid a data breach. For children, the organisation will consider whether the child is mature enough to understand their own rights (usually around age 12 in the UK).

3. What is the difference between a SAR and a Freedom of Information (FOI) request?

A Subject Access Request (SAR) is used to get your own personal data from any organisation. A Freedom of Information (FOI) request is used to get general information held by public authorities (like the NHS or local councils) that is not about a specific person. If you want your own records, always use a SAR.

4. Can I get a copy of my CCTV footage via a SAR?

Yes. CCTV footage that captures your image is considered your personal data. When making this request, provide the specific date, time, and location. Note that the organisation may blur out the faces of other people in the footage to protect their privacy before sending it to you.

5. Do I have to say “Subject Access Request” for it to be valid?

No. You do not need to use the formal term or cite the UK GDPR for your request to be legally binding. As long as you are asking for your personal information, the organisation is required to treat it as a SAR. However, using the term “Subject Access Request” helps the organisation identify it quickly and speeds up the process.

6. Can I request data that has been deleted?

You can only request data that the organisation currently “holds.” If data has been securely deleted or anonymised in line with their retention policy, they cannot provide it. However, if they deleted the data after receiving your request specifically to avoid disclosing it, they may be committing a criminal offence.