The following guide sets out how to make a SAR request and what you should expect from the organisation you’re requesting the information from.
What is a SAR request?
By law you have a right to find out if any company or organisation is using or storing your personal data, and to be provided with copies of that data. This is commonly referred to as a subject access or SAR request.
This right of access allows you to establish exactly how and why your personal data is being held, and whether your data is being used lawfully under the Data Protection Act 2018.
Who can make a SAR request?
Making a SAR request is a legal right conferred upon every individual in the UK, and is a right that you can exercise at any time.
Moreover, following recent changes to data protection legislation introduced by the EU-wide regulation known as the GDPR (General Data Protection Regulation), you can now make a SAR request free of charge.
You can be charged a reasonable fee for administrative costs associated with a SAR request, but typically only where a request is manifestly unfounded or excessive, for example, where a request is repetitive.
You may also be charged an administrative fee for any request for additional copies of your personal data.
What can I ask for under a SAR request?
Under a SAR request you can ask for any personal data held about you by a company or organisation. However, you are only entitled to your own personal data, and not to information relating to other people.
Personal data is defined by reference to whether information relates to an identified or identifiable individual.
For information to be personal data, it must therefore relate to you as an individual and allow you to be identified from it, either on its own or along with other information such as an account number or unique reference number.
How do I make a SAR request?
There is no set format for making a SAR request. It can be made either physically or electronically, including by way of letter, email or web contact form.
If you make a request verbally, you should follow this up in writing to provide a clear paper trail of correspondence. This may prove to be crucial in the event that you subsequently decide to lodge a complaint.
When making a SAR request you should also bear in mind the following guidance:
- Try to identify the right person or department to send your SAR request to. While the request does not have to be addressed to any specific point of contact within a company or organisation, in this way you can help to avoid your request being inadvertently overlooked.
- Your SAR request does not have to include the words ‘subject access’ or refer to the Data Protection Act for it to constitute a SAR; rather, it just needs to be clear that you are asking for your personal data. You are also not bound to use any specified contact form provided by the company or organisation in question, although this is more likely to reach the right person to deal with your request.
- Describe the information that you require. If you do not want all the personal data that the company or organisation holds about you, you should specify exactly what information you require, together with any relevant dates. In this way, you may help to expedite the process.
- Include your full contact details, as well as any information used by the company or organisation to identify or distinguish you from others of the same name, for example, an account number or unique ID. If you cannot be easily identified, you may be asked to provide additional information.
- Send your SAR request by recorded delivery or email, keeping a copy of your request and any further correspondence in the event that you later need to complain about how your request has been handled.
You are not legally obliged to give your reasons for submitting a SAR request. However, if you fail to provide sufficient information to verify your identity or to locate the information that you seek, the company or organisation may ask for additional information to enable it to handle your request.
How long will it take to comply with my SAR request?
A response to your SAR request must be provided without undue delay, and within one month at most, starting with the day on which the request is received.
This may be extended by two months, but only if your SAR request is complex or you have made a number of requests. In this case you must be notified within one month of receipt of the request with an explanation as to why an extension is necessary.
If more information is reasonably required to help find your data or identify you, the company or organisation holding your data will have to ask you for the information it needs. It can then wait until it is in receipt of all the necessary information before dealing with your SAR request.
What can I expect to receive in response to my SAR request?
In response to your SAR request you are entitled to confirmation that your personal data is being processed and a copy of that personal data.
You are also entitled to other supplementary information including, but not limited to, the following:
- What your information is being used for
- Why it is being used
- Where this information originated from
- Who can see this information
- How long this information will be stored
- Your right to challenge the accuracy of this information and have inaccurate information rectified.
The response should be given in an easily accessible format, either electronically or by providing hard copies, and written in clear plain language capable of being understood by the average person.
There are some limited circumstances in which a company or organisation can withhold certain information from you, for example, if your data includes information about another individual. This will be the case except where the other individual has agreed to the disclosure, or it is reasonable to provide you with this information without their consent.
In deciding this, the organisation will have to balance your right to access your data against the other individual’s rights regarding their own information.
Your SAR request can also be refused if it is manifestly unfounded or excessive, or falls within a statutory exemption. In any case, you must be notified of this decision within the same timeframe for handling a SAR request. The company or organisation should also inform you about your right to lodge a complaint or to seek a judicial remedy.
What can I do if I am not satisfied with the response to my SAR request?
If you are unhappy with how a company or organisation has handled your SAR request, in particular if the organisation didn’t give you the information you think you are entitled to, you should first make a complaint to it directly.
If you remain dissatisfied, you can lodge a complaint to the Information Commissioner’s Office (ICO). The ICO has the power to investigate and impose sanctions on companies and organisations found to be in breach of data protection law.
You can also seek to enforce your rights through the courts, although you should always seek independent legal advice first if you opt to take this course of action.
Can I resubmit my SAR request?
You are entitled to ask a company or organisation for access to your personal data more than once, although this ought to be at reasonable intervals. This may prove necessary where you are of the belief that your data has changed since your last request.
However, any further SAR request may be refused on the grounds that your request is manifestly unfounded or excessive.
If you are considering resubmitting a request for an update on what personal data is being held, you should think about whether it is likely that your data has changed since your last request and sufficient time has passed for your SAR request to be construed as reasonable.
The matters contained in this article are intended to be for general information purposes only. This article does not constitute legal advice, nor is it a complete or authoritative statement of the law, and should not be treated as such. Whilst every effort is made to ensure that the information is correct, no warranty, express or implied, is given as to its accuracy and no liability is accepted for any error or omission. Before acting on any of the information contained herein, expert legal advice should be sought.