What is a Subject Access Request (SAR)?
A Subject Access Request is your legal right under Article 15 of the UK GDPR and the Data Protection Act 2018 to request a copy of all personal data an organisation holds about you. This includes emails, call recordings, files, CCTV footage, and database records. The organisation must respond within one calendar month and cannot charge a fee in most cases.
Who can I send a Subject Access Request to?
Any organisation that processes your personal data — including employers, banks, insurers, NHS trusts, GP surgeries, schools, local councils, solicitors, landlords, and retailers. If they hold personal data about you, they are legally obliged to provide it in response to a valid SAR, subject to limited exemptions.
What can organisations withhold from a SAR response?
Organisations can withhold data that would identify a third party who has not consented to disclosure, information covered by legal professional privilege, data relating to ongoing legal proceedings, national security or crime prevention information, and certain management information (such as salary review data) where disclosure could prejudice the relevant activity. They must inform you if they are withholding information and give the reason why.
What can I do if an organisation ignores my SAR?
If an organisation fails to respond within one calendar month, or provides an inadequate response, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk. The ICO can investigate and take enforcement action. You can also apply to court for a compliance order. Before escalating, send a formal follow-up letter stating that you will report the matter to the ICO if no response is received within 14 days.