What Is A Subject Access Request?

Dan Nailer
Dan NailerLegal Assessment Specialist
Updated on 2nd May 2024

Subject Access Requests give individuals the power to ask a company if they're using their personal information, and request copies of that information along with additional details.

what-is-a-subject-access-request

UK GDPR laws prioritise protecting the rights of individuals and giving everyone, including employees and clients, more control over their data. Part of this is the right to a Subject Access Request (SAR).

In this article, we'll take a closer look at SARs, focusing on the essential systems every organization, regardless of size, should have to manage Subject Access Requests and respond to them in compliance with the law.

What is a Subject Access Request?

A Subject Access Request is when someone asks to see the personal information a company has about them, including how it's used, who it's shared with, and where it came from.

They are sometimes used by employees as part of settlement negotiations with employers in the course of employment disputes.

What should a Subject Access Request include?

Subject Access Requests don't have to be written down, nor do they need to follow a specific format.

All required for a valid Subject Access Request is for the individual to ask for their personal data.

That being said, if a company receives a verbal subject access request, it's best practice to ask them to follow up in writing so there is a record of it and the date it was received.

How should you handle a Subject Access Request?

In the first instance, you must ensure the person making the SAR is who they claim to be. If there's any doubt, you can ask for proof of their identity providing it's reasonable.

Once the requester's identity is confirmed, you should search all company databases, systems, and data processors where their data might be stored and collate it.

There are no rules on how to share the information (i.e. via email or letter) but it should be presented clearly, in a way the requester can understand.

Finally, you should record how you responded to the SAR, including why you provided certain information. If the requester isn't happy with your response, they might complain to the ICO, so it's important to document your decision-making process.

How long do you have to reply to a Subject Access Request?

You have one month to reply to a SAR, but you can extend it by two months with a valid reason. Lack of time or resources won't cut it, though. Confirming the requester's identity might be reasonable and justify an extension.

What counts as personal data for a Subject Access Request?

Personal data is any information relating to an identified or identifiable individual like:

  • Name

  • Telephone number

  • Email address

  • Initials

  • ID Number

  • IP Address

  • Recorded opinions about them.

It doesn't matter if the information directly names the individual. If you have data that could identify them, you must give it to them.

However, it's essential to know that while a subject access request allows access to personal data, companies don't have to give the entire document. They only need to provide the parts containing the requester's data.

When can you refuse a subject access request?

Information protected by legal professional privilege and data that could incriminate the company is exempt from disclosure in a Subject Access Request.

You can also refuse to provide information if the request is:

  1. Unreasonable

  2. Excessive.

If you refuse a Subject Access Request, you should be able to explain why.

Can you charge a fee for a Subject Access Request?

If a request seems excessive or unfounded, or the requester asks for extra copies of their data, you can ask for a reasonable fee.

However, you can't charge a fee for ordinary SARs.

How long should you keep data?

There's no fixed time limit on how long you should keep data, but you shouldn't keep personal data longer than necessary.

For practicality, it's a good idea to set aside time now and then to review and delete what you don't need.

What happens if you don't comply with a Subject Access Request?

If you don't respond properly to a SAR, the person who made it can complain to the ICO and claim compensation. The ICO can also legally enforce the SAR and may take action for non-compliance.

Can employees make a subject access request?

Employees can request access to their data, and employers must respond promptly. Even if an employee has signed a settlement agreement or there are ongoing tribunal proceedings or grievances, they can still make a SAR, and employers must comply.

In May 2023, the ICO provided guidance for employers on SARs. It included examples of valid SARs and additional details on whistleblowing, witness statements, withholding information, and refusing SARs.

How can Lawhive help?

If you're a business or employer seeking guidance on SARs, our network of expert small business lawyers is here to assist you.

Contact us for detailed advice and receive a free fixed-fee quote for the services of a skilled lawyer if you require help responding to an SAR.

Share on:

Get legal help the hassle-free way

We have expert solicitors ready to resolve any type of legal issue in the UK.

Remove the uncertainty and hassle by letting our solicitors do the heavy lifting for you.

Get Legal Help

Takes less than 5 mins

We pride ourselves on helping consumers and small businesses get greater access to their legal rights.

Lawhive is your gateway to affordable, fast legal help in the UK. Lawhive uses licensed solicitors you can connect with online for up to 50% of the cost of a high-street law firm.

Lawhive Ltd is not a law firm and does not provide any legal advice. Our network includes our affiliate company, Lawhive Legal Ltd. Lawhive Legal Ltd is authorised and regulated by the Solicitors Regulation Authority with ID number 8003766 and is a company registered in England & Wales, Company No. 14651095.

Lawhive Legal Ltd is a separate company from Lawhive Ltd. Please read our Terms for more information.

© 2024 Lawhive
86-90 Paul Street, London EC2A 4NE

Version: 42aba40