What is a subject access request?

A subject access request (known as a SAR or DSAR) is a request to a company or organisation asking for access to the personal data they may hold about you.

This short guide explains how you can make a subject access request and what to expect of organisations from which you’re requesting information.

Your right to make a subject access request

The right existed under the Data Protection Act 1998, but organisations were allowed to charge a fee of £10 to provide you with the information.

Following changes to data protection legislation introduced by the EU-wide regulation known as the GDPR, you can now make a subject access request for free.

This right of access allows you to be aware of and verify the lawfulness of the processing of your personal data. For example, you might want to make a subject access request if you’re not convinced the company is processing your data lawfully.

You might also want to ask about the logic involved in any automated decisions made about you, or to get confirmation that your data is being processed and request access to it.

How to make a subject access request

There is no particular format for sending a SAR to an organisation. You may wish to email, write, phone, DM or tweet the organisation, ask them to provide all the information they hold about you and who they share it with, and request copies of it.

The organisation should offer a few methods for sending a subject access request, but many have just one, for example a web form (it is not best practice for an organisation to offer only one way for customers to send a SAR). All details of how to send a SAR need to be clearly shown in their privacy policy, and the link to that policy is generally located toward the bottom of their website.

If an organisation tries their luck and wants to charge you a fee, inform them that subject access requests have been free since 25 May 2018, when the GDPR became law in the UK as the Data Protection Act 2018. You do not have to pay!

To make a subject access request (SAR), you may wish to follow these steps:

  1. Find out the right department and person to send the request to; there is normally a dpo@ email address (these are usually buried somewhere in a privacy policy at the bottom of their website)
  2. Note down all the information you need, so you can ask for it in the same request
  3. Write to the organisation, including your full name, address and contact telephone number; any information used by the organisation to identify or distinguish you from others of the same name (account numbers, unique IDs, etc.); and details of the specific information you require and any relevant dates
  4. Include a reference to the one-month deadline that applies when dealing with requests to provide personal information
  5. Reference that you have the right to make a subject access request for free under the Data Protection Act 2018.

Feel free to use the free template letter available on the Information Commissioner’s Office (ICO) website to make a subject access request.

Record and copy everything

You should try to send your request by recorded delivery or by email, and you should keep a copy of the SAR and all other materials sent to and received from the organisation.

If you do all of the above, you will have evidence later down the line should you wish to complain to the Information Commissioner’s Office (ICO) that the organisation did not give you the information you believe you are entitled to after you made the SAR.

Work smart with SARs: use a tool!

We built TAP to take the headache and workload out of making and managing requests for citizens, to keep a record of their communications with organisations and to act as a safe store for their personal data. The app is free on Apple and Android; you can download it here: www.tapmydata.com

What organisations need to do

The Data Protection Act 2018 requires companies to let you know what information is held about you, whether it is on a computer or paper.

Here are the steps an organisation would need to take when dealing with a subject access request:

  1. It has to reply to you without delay and at the latest within 30 days, starting from the day they receive the SAR.
  2. It is allowed to extend the period of compliance by a further two months where requests are complex or numerous, but it must inform you within one month of the receipt of the request and explain why an extension is necessary.
  3. It must provide you with a copy of the personal data requested in the SAR free of charge.
  4. It can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
  5. It may charge a reasonable fee for requests of further copies of the same information, but this doesn’t mean it can charge you for all subsequent access requests.
  6. It should give you the information in a commonly used format, but it need not do this if it is not possible, if it takes ‘disproportionate effort’ or if you agree to some other form, such as seeing it on screen.

Can organisations withhold my personal data?

In certain situations, organisations are allowed to withhold information from you.

For example:

  • If the information could identify someone else, and it would not be reasonable to disclose that information to you.
  • If you are being investigated for a crime, or in connection with taxes, and the investigation would be prejudiced if you had access to the information.

We hope you found this guide useful; please get in touch if you’re having problems accessing your personal data from an organisation. Alternatively, if you wish to make a formal complaint, you can go to the ICO, which has a dedicated page on making a complaint.