Subject Access Requests, or “SARs”, are a legal right of individuals under the Data Protection Act 2018.
Under UK law, the primary legal framework governing access to personal data is the Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR).
What is a Subject Access Request?
A Subject Access Request gives any member of the public the right to access the personal data an organisation holds about them. It sits alongside the following rights that individuals have over their data:
- Right to be informed: the right to know what data is collected, how it is collected, why it is collected, where it is stored and whether it is shared, amongst others.
- Right to be forgotten: the right for individuals to request all data held about them be removed, for various reasons.
- Right to access: the right to know what personal data an organisation holds about you.
- Right to rectification: the right to request to correct any inaccurate or incomplete data.
- Right to erasure: the right to request for data to be deleted, under certain conditions.
- Right to restrict processing: the right to limit how an organisation processes your personal data.
- Right to data portability: the right to ask for data to be transferred to another service provider, under certain conditions.
- Rights related to automated decision making and profiling: under the UK GDPR, strict rules apply to organisations that make decisions about individuals without human involvement.
Subject Access Requests can be submitted to any organisation, including businesses, government departments like the NHS, the police, or other public authorities.
How are Subject Access Requests submitted?
- In writing or verbally. This can be by email, letter or any other written or verbal method of contacting an organisation. If the request arrives via social media, for example, the organisation may ask for it to be resubmitted through a more direct channel, but the data subject is not required to comply.
- Specific. It should be clear what data is being requested and organisations may ask for clarification on exactly what the subject access request is for and whether the request is for all data, or categories of data. Individuals can, however, simply request for ‘all’ data held about them with no requirements to clarify further.
- Identification. An organisation will usually ask for a copy of personal identification to ensure that it is giving personal information to the right person. This could be a passport, driving licence or even a utility bill, but it should not be overly challenging for the individual to produce.
The organisation must respond within one month of the date the subject access request is received; the volume and complexity of the information sought can affect whether that deadline may be extended (see below).
How should an organisation handle a subject access request?
Organisations should respond, within the required timeline, in line with the Data Protection Act 2018 and the UK GDPR.
- The first thing to do is to acknowledge the subject access request. Confirm the request has been received, ask for any clarification needed and check personal identification.
- When replying to the individual, be transparent about the data held, what it is used for, how it is processed and where it is stored. The individual may already understand this, but being clear about how the organisation is handling the data ensures compliance with the legislation.
- The largest element of the workload of a Subject Access Request is finding and collating the data, which usually involves a thorough search of physical and electronic records and databases. Organisations should start this work promptly to ensure it is completed within the relevant timeframe; however, if the request is particularly large or there are multiple requests, the deadline can be extended by up to a further two months.
- Ensure the data is provided to the individual in an accessible format, such as a PDF or an Excel document, unless the person who submitted the Subject Access Request has asked for the information in a specific format.
It is very important to redact third-party information or information that is not associated with the individual who submitted the Subject Access Request.
This could be anything from the name of a member of staff who is listed as a processor of the information to another person linked to the same file, such as a relative, friend or colleague. In some cases, it may be appropriate to ask for the consent of the third party involved before releasing the information.
When releasing the data to the individual who submitted the Subject Access Request, information should be included on the organisation’s handling of the data, including the legal basis for processing, the retention schedule and any other rights the individual may have in relation to the data, such as the right to erasure or the right to correct any inaccuracies.
Should a fee be charged for managing a Subject Access Request?
Generally, Subject Access Requests should be free of charge. There are certain circumstances where a fee may be charged to reflect the administrative costs of completing the Subject Access Request; however, in almost all cases, charges are not applicable.
What data should not be released?
On occasion, it may be necessary to withhold information in a Subject Access Request because the data is exempt, for example data relating to criminal investigations or national security, or where the information cannot be released without breaching the privacy of third parties.
Organisations should have clear policies and procedures for managing a Subject Access Request and, given that a request could arrive with any member of an organisation, all staff should be trained to recognise and respond to one. In larger organisations, an information governance team is generally in charge of handling Subject Access Requests, but this is not always the case for smaller companies or public authorities.
Regardless of who manages the request itself, all members of the team should know how to recognise one and how to deal with it in the first instance, given that the timeframe for responses can feel short.
BLS Stay Compliant offers Subject Access Request online training, which is a popular option since we also cover redaction and communications surrounding the request itself. This can be delivered as a bespoke option or by joining one of our regular sessions bookable online. We offer both a training session and an advanced workshop, for those who feel they would benefit from further guidance.
We also offer a Managed Service, so the onus of handling the Subject Access Request can be left to our experts. It is a popular service, with our team managing three requests this week alone. If requested, our team handle the request from the start, including redacting information, replying to the request and keeping track of the timeframes. Bear in mind that the timeframe begins from the moment the request is received, so if you would like guidance, get in touch with us as soon as you can.
If we can be of any assistance, whether through guiding you through a Subject Access Request or by training your team to manage it, please just get in touch.