How do I make a subject access request (SAR)?
Anyone in the UK can make a subject access request if they want to see what information a company has about them.
This is usually a free service and companies must follow strict procedures and timescales. If they don’t, you can complain to the Information Commissioner’s Office (ICO).
1. What is a subject access request (SAR)?
A subject access request (SAR) is a written or verbal request to a company or organisation asking for access to the personal information it holds on you.
Following EU-wide changes to data protection rules introduced in the UK as the Data Protection Act 2018 (GDPR), everyone has the right to make a subject access request for free.
There are many reasons for making a subject access request, including if you want to:
- Review and verify the lawfulness of the processing of your personal data, for example if you’re not convinced a company is processing your data lawfully, or if you want to understand what an organisation knows about you.
- Ask about the logic involved in any automated decisions made about you
- See confirmation that your data is being processed legally
GDPR gives you the right not to be subject to a decision based solely on automated processing if it affects you legally or substantively.
2. How to make a subject access request
To make a subject access request (SAR), follow these steps:
- Find out the right department and person to send the request to, such as the company's data protection officer. This will usually be specified on the company’s website.
- Make a list of all the information you would like from the company.
- Contact the organisation. This can be via letter, phone, or social media, but it’s a good idea to follow up verbal requests by letter or email.
- Include your full name, address and contact telephone number, and any account numbers where relevant.
- Include a reference to the one month deadline that applies when dealing with requests.
- Mention that you have the right to make a subject access request for free under the Data Protection Act 2018.
You can use the ICO's free service to make a subject access request.
Top tip: It is best to send your request by recorded delivery or by email, and you should keep a copy of the SAR and all other correspondence.
This evidence will be important if you later need to complain to the ICO that the organisation failed to give you the information you were entitled to.
What is the ICO?
The Information Commissioner's Office (ICO) is an independent authority set up to work with organisations to uphold information rights in the public interest and protect data privacy for individuals.
It can investigate and fine organisations found to be in breach of data protection rules, but it cannot award compensation to individuals.
3. What is the time limit of a subject access request?
There is a timescale companies must follow with subject access requests.
A company must reply to you without delay and at the latest within one month, starting from the day they receive the SAR.
It can extend the period by a further two months where requests are complex or numerous. To do this, it must inform you within one month of receipt of the request and explain why an extension is necessary.
If your subject access request is ignored, or the company doesn’t meet this timescale, you can complain to the ICO.
4. How must companies respond?
The Data Protection Act 2018 (GDPR) requires companies to let you know what information is held about you, regardless of whether it is stored on computers or on paper.
The organisation must follow these steps when dealing with a subject access request:
- It must provide you with a copy of the personal data requested in the SAR free of charge.
- It can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
- It may charge a reasonable fee for requests of further copies of the same information, but this doesn’t mean it can charge you for all subsequent access requests.
- It should give you the information in a commonly used format.
5. Can companies withhold information?
Companies are allowed to withhold certain information from you, for example:
- If the information could identify someone else.
- If you are being investigated for a crime.
- If the information is in connection with a tax investigation which would be prejudiced if you had access to it.