Subject Access Requests

What is a SAR?

Subject Access Request (SAR) is a written request to find out what personal data a business or organisation is holding about them, why it is held and who it is disclosed to. The Data Protection Act (1998) and (2018)  gives individuals the right to access  their data by making a request. Subject access is a fundamental right for individuals, and provides a great opportunity for organisations to build trust with their customers by improving the quality of data they hold, by being transparent and by responding quickly to SARs.

  • The SAR simply needs to be made in writing, and you cannot insist on a particular form
  • Individuals can make a SAR using social media channels, but you may respond via other means
  • Individuals need not provide a reason for the request
  • You must respond promptly, and in any case within 40 calendar days of receiving it
  • You must ensure the identity of the requester
  • SARs can be made via a bulk request, but each must be handled individually
  • You would have to balance providing SAR information with the rights of another individual who could be identified by providing the information to the requester

What is Personal Data?

Personal data is information that relates to a living individual and allows that individual to be identified from it (either on its own or with other information).

Individual’s Rights

The individual is entitled to the following:

  • Knowing whether any personal data is being processed
  • A description of the personal data, the reasons for the processing and whether the information is shared
  • A copy of the personal data
  • Where available, the source of the personal data
  • But not data related to legal privilege or negotiation, for example

Organisation Good Practice

The Information Commissioners Office (ICO) sets out good practice in an organisation’s approach to SARs as follows:


All staff are trained to recognise a SAR as part of general data protection training. More detailed training on handling SARs is provided to relevant staff, dependent on job role.


A dedicated data protection page is available for staff on the organisation’s intranet with links to SAR policies and procedures.

Request Handling Staff

A specific person or central team is responsible for responding to requests. More than one member of staff is aware of how to process a SAR so there is resilience against absence. In case requesters are dissatisfied with the initial response, arrangements are in place for a senior manager to review them.

Data Protection Experts

In a large organisation, there are data protection experts or ‘information champions’ to provide data protection expertise, including SAR advice, within departments where personal data is processed.

Monitoring Compliance

Compliance with SARs is monitored and discussed at information governance steering group meetings, and management information is kept showing the number of SARs received. Details of any requests that have not been actioned within the statutory time limit are escalated to a suitably senior forum, so that any breach is tackled at a high level.

This is a brief overview - for more information and guidance in handling SARs in your business, please get in touch