How to Make a Subject Access Request in the UK
You have the legal right to access all personal data an organisation holds about you. This guide explains how to make a Subject Access Request and what to do if it is ignored.
What is a Subject Access Request?
A Subject Access Request (SAR) is your right under Article 15 of the UK GDPR and the Data Protection Act 2018 to request a copy of all personal data an organisation holds about you — emails, call recordings, files, CCTV footage, database records, and more. The organisation must respond within one calendar month and cannot charge a fee in most cases.
Who can you send a SAR to?
Any organisation that processes your personal data — employers, former employers, banks, insurers, NHS trusts, GP surgeries, schools, universities, local councils, solicitors, letting agents, and retailers.
What to include in your SAR
- —Your full name and any previous names
- —Your date of birth (to help identify your records)
- —A description of the information you want — be as specific as possible
- —Relevant dates or reference numbers
- —Proof of identity if the organisation requires it
The organisation’s obligations
The organisation must respond within one calendar month, provide the data in a clear and accessible format, and explain what the data is used for, who it is shared with, and how long it is kept.
What can be withheld?
Organisations can withhold data that would identify a third party who has not consented, information covered by legal professional privilege, data relating to ongoing proceedings, and certain management information. They must tell you that information is being withheld and the reason.
What if you are ignored?
Send a formal follow-up giving 14 days’ notice that you will report to the ICO. Complain to the Information Commissioner’s Office at ico.org.uk — the ICO can investigate and take enforcement action. You can also apply to court for a compliance order.
Common uses of SARs
- —Obtaining employer emails before an employment tribunal
- —Reviewing NHS records before a medical negligence complaint
- —Checking what a debt collector holds about you before disputing a debt
- —Reviewing data an insurer used to reject a claim