Subject Access Requests

What is a Subject Access Request?

Subject Access Request (SAR) Under the Data Protection Act 2018, gives you the right to find out what information public bodies and other organisations hold about you, which can include how this data is being used and who it is being shared with. It is best to make the request in writing, so that you have a record of exactly what you requested, and when. It is illegal for an organisation to alter, conceal, or destroy data with the intent to prevent its disclosure when a SAR is made, and doing so can be a criminal offense under data protection laws.

Further information can be found on the Information Commissioner’s website click here.

What should I include when making a request for my personal information?

Include the following when making

• Details of the personal information you want - Be very specific, eg 'My employee file'; or 'Emails containing my name sent between 'person A' and 'person B'; or 'My medical record held by 'Dr C' at 'hospital D'. Being specific will help you get exactly what you need.
• Time period - Give a date range of the information you are requesting, eg 'From 1 April 2022 to 31 March 2023'. Give times if they're relevant, e.g. 2-3pm for CCTV footage, or say what time the call started if you're requesting a phone call transcript.
• Reason for requesting this information – Although you do not need to give a reason for your request (nor should the data controller ask you why you are making it), it can help the organisation find the information that you actually need and can help you get a better, faster response.
• How you want to receive information - If you would prefer to receive the information as hardcopy documents, make this clear. Otherwise, a response will usually be provided electronically. If you have any particular needs in relation to how you receive the information, e.g. large print, make this clear.
• Your information – You may need to provide your name, date of birth, email, address, phone number depending on the request and who you are asking. However, you may be asked for proof of identity such as a photo identity, utility bill etc – you can scan a copy of these.

Note: There is no fee which means the organisation should not charge you to respond to your subject access request.

What happens after I make a subject access request?

The data controller of the organisation must normally respond within one month of receipt of the request. If the data controller has requested information from you to verify your identify, the time period will start from the date you provide the required information. If your request is complex or you submit a number of requests, that period can be extended by an additional two months.

What is the organisation does not respond to my subject access request?

If the data controller fails to respond to your request, or only provides part of the information you asked for, you can file a complaint with the Information Commissioner, citing a breach of the GDPR (Article 77). The Commissioner is then required to assess the situation and may issue a notice compelling the employer to provide the requested information. Employers typically take such referrals to the Information Commissioner very seriously.