How do I make a Subject Access Request?

Disclaimer: this article is for general information. It’s not intended to be used as legal advice. For information on how to get legal advice, please see our page here.

What is a subject access request (SAR)?

A subject access request (SAR) is a request you can make to an organisation to find out what information they hold about you (your “personal data”).

You can make an SAR to find out:

  • what personal data an organisation holds about you
  • how they are using it
  • who they are sharing it with
  • where they got your data from.

You can also ask the organisation to give you copies of your personal data. This can be useful if you are thinking about making a complaint or starting a legal case against the organisation.

You can make SARs to public and private organisations, like businesses, the police and local authorities.

The right to make an SAR comes from the UK General Data Protection Regulation (UK GDPR).

What is personal data?

Your “personal data” is information which relates to you and can identify you.

Information identifying you

This includes indirectly identifying you – for instance, if it can identify you when combined with other information the organisation has. Examples of identifiers include:

  • your name
  • an identification number
  • location data
  • an online identifier, such as an IP address.

Information relating to you

For the information to “relate to” you, it must do more than simply identify you – it must concern you in some way. This covers:

  • information which is obviously about you, such as your medical records or criminal record, and
  • information which can be linked to you and used by an organisation to decide how they will treat you, such as usage information about your phone or electricity account.

The Information Commissioner’s Office (ICO) website provides a fuller explanation on personal data.

How do I make an SAR?

There is no set way of making an SAR, but consider the following tips:

1. Write your request

This way you can keep a record of when you sent it and what information you asked for.

Some organisations provide a standard form for you to use when making an SAR. You do not have to use this form if you prefer to make a request by letter, email or some other way.

2. Send it to the right person

The best place to send the request is usually the main contact address or email address for the organisation, such as their head office.

However, some organisations will have a Data Protection Officer who is responsible for responding to SARs. Check the organisation’s website or contact them directly to ask for the correct contact details if you are not sure.

3. You don’t have to pay

Organisations are not allowed to charge you money for responding to your request unless they think it is “manifestly unfounded or excessive” (for example, the person making the request is only doing so to cause disruption or annoyance), or you ask for more copies of the documents they give you.

4. Someone can make the SAR for you

Someone else (such as a parent, guardian, or solicitor) can make an SAR for you.

You’ll likely have to provide evidence that you asked that person to make the SAR for you, so it’s good to have this ready.

What should I include?

Your SAR should include:

  • A clear label for your request (use ‘subject access request’ as your email subject line or a heading for your letter)
  • The date of your request
  • Your name
  • Any other information used by the organisation to help prove to them that you are who you say you are
  • Your current contact details
  • A full list of what personal data you want to access
  • Any details, relevant dates, or search criteria that will help the organisation identify what you want
  • How you would like to receive the information (e.g. by email, by letter or by speaking to someone on the phone).

The ICO has more information on its website.

What happens next?

The organisation must make a reasonable search for the information and provide it to you securely and in a way you can access it.

They usually have to respond within 1 month, but if the request is particularly complex, they can take up to 3 months. If it will take longer than 1 month, they should let you know and tell you why.

They also have to give you other information, including:

  • what they are using your data for
  • who they are sharing it with
  • how long they will store it
  • your rights to correct inaccurate information about you, to have your information deleted, or to argue against its use
  • your right to complain to the ICO
  • where they got your information from
  • whether they are using your information to make decisions or assessments about you by automated means, without any human involvement (“automated decision-making”).

Do organisations have to comply with every SAR?

Exemptions: Under data protection law, organisations can refuse to provide some or all of the information you request in certain circumstances. These exemptions include:

  • manifestly unfounded or manifestly excessive requests – for example, the person making the request is only doing so to cause disruption or annoyance
  • where sharing the information would identify other people who have not consented to having their information shared
  • where sharing the information would likely cause serious harm to you or another person
  • where sharing the information would make it harder for law enforcement agencies to prevent and detect crime, or arrest or prosecute offenders.

The ICO has published a full list of exemptions.

Can I challenge the outcome?

Complain to the organisation

Contact the organisation as soon as possible if the organisation does not give you all the information you asked for, or you are not happy with their response.

Complain to the ICO

Complain to the ICO if the organisation still does not give you the information you requested.

  • The ICO can: investigate your complaint, tell you if they think your rights have been breached and recommend steps that the organisation can take to put it right.
  • The ICO cannot: give you compensation, act as your representative or punish an organisation for breaching data protection law, except in the most serious cases.

To complain to the ICO, use the ICO’s online form and include copies of any letters, emails or other evidence containing the details of your complaint.

You should complain to the ICO within 3 months of your last contact with the organisation you sent the SAR to.

Take the organisation to court

If you believe that your rights have been breached, you can apply to a court for an order requiring the organisation to follow the UK GDPR.

If you want to take legal action, you should contact a solicitor specialising in data protection law.

What are my rights on this?

Find out more about your rights and how the Human Rights Act protects them
