A Subject Access Request (SAR) is a formal right granted under the UK GDPR and Data Protection Act 2018, allowing individuals to request access to the personal data that an organisation holds about them.
When a SAR is received, the organisation must:
-
Verify the identity of the requester.
-
Confirm what data is held and how it is used.
-
Provide a copy of the personal data within one calendar month.
In some cases, information may be redacted or withheld, for example, if disclosure would reveal another individual’s personal data, breach legal privilege, or prejudice ongoing investigations.
Public-sector organisations must ensure they have a clear, documented process for handling SARs efficiently and lawfully.
