How do I make a Subject Access Request?

Disclaimer: this article is for general information. It’s not intended to be used as legal advice. For information on how to get legal advice, please see our page here.

What is a subject access request (SAR)?

A subject access request (SAR) is a request you can make to an organisation to find out what information they hold about you (known as your “personal data”).

You can make an SAR to find out:

• what personal data an organisation holds about you
• how they are using it
• who are they are sharing it with
• where they got your data from.

You can also ask the organisation to give you copies of your personal data – this can be useful if you are thinking about making a complaint or starting a legal case against the organisation.

You can make SARs to public and private organisations, including businesses, the police and local authorities.

The right to make an SAR comes from the UK General Data Protection Regulation (UK GDPR).

What is personal data?

Your “personal data” is information which relates to you and can identify you. This includes indirectly identifying you – for instance, if it can identify you when combined with other information the organisation has. Examples of identifiers include:

• your name
• an identification number
• location data
• an online identifier, such as an IP address.

For the information to “relate to” you, it must do more than simply identifying you – it must concern you in some way. This covers information which is obviously about you, such as your medical records or criminal record, but also information which can be linked to you and used by an organisation to decide how they will treat you, such as usage information about your phone or electricity account.

The Information Commissioner’s Office (ICO) website provides a fuller explanation of what personal data is.

How do I make an SAR?

There is no set way of making an SAR, but in writing or by email is best, because you can keep a record of when you sent it and what information you asked for.

Some organisations provide a standard form for you to use when making an SAR. You do not have to use this form if you prefer to make a request by letter, email or some other way.

The best place to send the request is usually the main contact address or email address for the organisation, such as their head office. However, some organisations will have a Data Protection Officer who is responsible for responding to SARs. Check the organisation’s website or contact them directly to ask for the correct contact details if you are not sure.

Organisations are not allowed to charge you money for responding to your request unless they think it is “manifestly unfounded or excessive” (for example, the person making the request is only doing so to cause disruption or annoyance), or you ask for more copies of the documents they give you.

If you prefer, someone else (such as a parent, guardian, or solicitor) can make an SAR for you. The organisation receiving the request may ask for evidence that you asked the other person to make the SAR for you, such as a letter.

What should I include?

Your SAR should include:

• A clear label for your request (use ‘subject access request’ as your email subject line or a heading for your letter)
• The date of your request
• Your name
• Any other information used by the organisation to help prove to them that you are who you say you are
• Your current contact details
• A full list of what personal data you want to access
• Any details, relevant dates, or search criteria that will help the organisation identify what you want
• How you would like to receive the information (e.g. by email, letter or speak to someone on the phone).

The ICO provides more information on its website.

What happens next?

The organisation must make a reasonable search for the information and provide it to you securely and in a way you can access it. They usually have to respond within one month, but if the request is particularly complex, they can take up to three months. If it will take longer than one month, they should let you know and tell you why.

They also have to give you other information, including:

• what they are using your data for
• who they are sharing it with
• how long they will store it
• your rights to correct inaccurate information about you, to have your information deleted, or to argue against its use
• your right to complain to the ICO
• where they got your information from
• whether they are using your information to make decisions or assessments about you by automated means, without any human involvement (known as “automated decision-making”).

Do organisations have to comply with every SAR?

Under data protection law, organisations can refuse to provide some or all of the information you request in certain circumstances, known as “exemptions”. These include:

• where they think the request is manifestly unfounded or manifestly excessive (for example, the person making the request is only doing so to cause disruption or annoyance)
• where sharing the information would identify other people who have not consented to having their information shared
• where sharing the information would likely cause serious harm to you or another person
• where sharing the information would make it harder for law enforcement agencies to prevent and detect crime, or arrest or prosecute offenders.

A full list of exemptions is available on the ICO’s website.

Can I challenge the outcome?

If the organisation does not give you all the information you asked for, or you are not happy with their response, you should contact them as soon as possible to let them know.

If the organisation still does not give you the information you requested, you have the right to complain to the ICO. The ICO was set up to protect information rights in the UK. The ICO can investigate your complaint, let you know if they think your rights have been breached and recommend steps that the organisation can take to put it right. The ICO is not able to award compensation, act as a representative or punish an organisation for breaching data protection law, except in the most serious cases.

To make a data protection complaint, you should contact the ICO using its online form and give it copies of any letters, emails or other evidence containing the details of your complaint. You should make your complaint within three months of your last contact with the organisation you sent the SAR to.

You can also enforce your data rights directly in the courts. If you believe that your rights have been breached, you can apply to a court for an order requiring the organisation to follow the UK GDPR.

If you want to take legal action, you should contact a solicitor specialising in data protection law.