What are subject access requests?
A subject access request is a written request to a business or organisation asking for access to the personal information it holds on you. You can make SARs to find out a variety of things, including:
- details of the personal data (eg names and addresses) that is being processed (eg collected or stored) - this generally involves getting a copy of the data
- the reasons why this data is being processed
- how this data was sourced (if available)
- which other organisations or individuals have access to your data
For more information, read Data protection requests.
How are subject access requests made?
While there is no standard form for how SARs should be made (eg post, email, social media or verbally), it is recommended that you make them in writing in order to have a record of the request. Consider making a Data subject access request.
Content of a SAR
Your SAR should, as a minimum, include:
- your full name (including any previous names, where relevant)
- your up-to-date contact details (eg address and telephone number)
- any information used by the organisation to identify or distinguish you from others with the same name (eg account numbers or unique IDs)
- details of the specific information you require and any relevant dates
- how you would like to receive the information (eg by email or in print)
While you may request all the information an organisation holds on you, bear in mind that organisations may hold a lot of information and it could take them longer to respond or make it more difficult for you to locate the specific information you need in their response.
A SAR should not include information not relevant to your request (eg a wider customer service complaint).
Sending a SAR
Where possible, send your SAR directly to the individual or team who deals with subject access requests (eg the data protection officer (DPO)). Details on contacting the relevant individual or team are usually written in a Privacy policy.
Should I keep a record of my SAR?
Where possible, it is recommended that you:
- keep a copy of any documents or written correspondence for your records
- keep any proof of postage or delivery (eg postal reference number)
- take a screenshot of the form before submitting (if using an online submission form)
Where it is not possible to copy the relevant documents, you should consider making a written note of your request, recording any key details, such as:
- the date and time of the request
- details of the personal information requested
- details of any further information the organisation asked you to provide
- any reference number provided by the organisation
- the details of any contacts interacted with when making the request
Keeping records is helpful if you later wish to follow up on your request, raise any concerns or complain about an organisation’s response.
Can I make a SAR on someone’s behalf?
A SAR can be made on someone’s behalf, provided the person making the request has been authorised to do so. Examples of people who may wish to make a SAR on someone’s behalf include:
- individuals with parental responsibility (or guardianship) requesting information about a child or young person
- court-appointed individuals who manage someone else’s affairs (known as ‘deputies’ in England and Wales and ‘guardians’ in Scotland)
- individuals with a power of attorney allowing them to make SARs
- solicitors acting on their client’s instructions
- friends or relatives that the individual feels comfortable asking for help
Organisations need to be satisfied that anyone making a SAR on behalf of someone else is authorised to do so and may ask for formal supporting evidence to show this (eg written authorisation from the person on whose behalf the request is being made).
For more information on making a subject access request on someone’s behalf, Ask a lawyer.
How long do organisations have to respond to a SAR and can they charge a fee?
Organisations generally have one month to respond to your request. In some circumstances (eg if you have made several requests or where proof of ID is required), organisations may need extra time to consider your request and can take up to an extra two months to respond. Organisations should inform you within one month if they need more time and explain why.
While data requests should generally be dealt with and provided free of charge, an organisation may be able to charge a fee in certain, limited circumstances (eg where the organisation finds the request to be ‘manifestly unfounded or excessive’ because it was made to harass or disrupt the organisation).
For more information, read Data protection requests.
What information will organisations provide?
When organisations respond to your SAR, they will typically tell you whether or not they process your personal information and, if they do, provide copies of it. The organisations should also state:
- what they use your information for
- who they share your information with
- how long they’ll store your information for and how this was decided
- where they obtained your information from
- if they use your information for profiling or automated decision-making and, if so, how this is done
- details on your rights to challenge the accuracy of your information, to have it deleted, or to object to its use
- your right to complain to the Information Commissioner's Office (ICO)
- what security measures they’ve taken, if they have transferred your information to a third country or an international organisation
You won’t always receive all the information you have requested. Depending on your specific circumstances you may only receive part of the information you requested or the organisation may not provide you with any personal information. For example, you may not receive (all) the information you requested if:
- the type of information you requested is not covered by a SAR (eg information about a deceased relative’s medical records)
- certain exemptions apply (eg it could threaten freedom of expression in journalism, art and literature)
Organisations can also refuse to comply with your SAR if they believe it to be ‘manifestly unfounded or excessive’ (instead of charging a fee).
What if I don’t get a response or the response is unsatisfactory?
If an organisation doesn’t respond to your SAR or you are dissatisfied with their response, you should contact the organisation. If you do not receive a response or remain dissatisfied with the response, you can complain to the ICO. You can also consider seeking enforcement through the courts. For more information, read Data protection requests.