Data Protection

Written by Joanne Hughes, Policy & Compliance Specialist at Policy Pros

Last reviewed: March 2026

Subject Access Request Policies for UK Organisations

A Subject Access Request (SAR) is a legal right that allows any individual to request a copy of the personal data that an organisation holds about them. This right is enshrined in Article 15 of the UK General Data Protection Regulation (UK GDPR) and is further supported by the Data Protection Act 2018. Every UK organisation that processes personal data must have a documented SAR policy to ensure that requests are handled accurately, consistently and within the legal timeframes. Failing to respond properly to a SAR can result in complaints to the Information Commissioner's Office (ICO), regulatory enforcement and significant reputational harm.

What Is a Subject Access Request and Who Can Make One

A subject access request is a request made by an individual (known as the “data subject”) to an organisation (the “data controller”) for access to the personal data that the organisation holds about them. Under Article 15 of the UK GDPR, the data subject has the right to obtain confirmation as to whether or not personal data concerning them is being processed and, where that is the case, access to the personal data together with certain supplementary information.

The following individuals can make a subject access request:

  • Any living individual: There is no restriction on who can make a SAR. Employees, former employees, customers, service users, job applicants, contractors and members of the public can all exercise this right.
  • Third parties acting on behalf of the data subject: A SAR can be made by a solicitor, trade union representative, parent (on behalf of a child, where appropriate), or any other person authorised by the data subject. The organisation must be satisfied that the third party is entitled to act on the individual's behalf.
  • Children: Children can make their own SARs if they are considered competent to do so. The ICO generally considers that children aged 13 and over are likely to have sufficient understanding, although this must be assessed on a case-by-case basis.

A SAR does not need to be in writing, although written requests are strongly recommended. The individual does not need to use the words “subject access request” or cite the UK GDPR — any clear request for personal data is sufficient to trigger the organisation's obligations.

The One-Month Response Deadline

Under Article 12(3) of the UK GDPR, organisations must respond to a SAR without undue delay and in any event within one calendar month of receiving the request. The clock starts on the day the request is received, regardless of whether the request was made verbally or in writing. If the request is received on 15 January, for example, the deadline is 15 February.

Where requests are complex or where the organisation has received a large number of requests from the same individual, the deadline may be extended by a further two months (giving a total of three months). However, the organisation must inform the individual within the original one-month period that an extension is necessary and explain the reasons for the delay. The ICO has made clear that extensions should be used sparingly and that complexity must genuinely justify the additional time.

If the final day of the response period falls on a weekend or bank holiday, the response must still be provided by that date. Organisations should build in sufficient time to allow for review, redaction and quality assurance before the deadline.

What Must Be Provided and What Can Be Withheld

When responding to a SAR, the organisation must provide the following information, as set out in Article 15(1) of the UK GDPR:

  • A copy of the personal data being processed
  • The purposes of the processing
  • The categories of personal data concerned
  • The recipients or categories of recipients to whom the data has been or will be disclosed
  • The envisaged retention period or the criteria used to determine it
  • The existence of the right to request rectification, erasure, restriction of processing or to object to processing
  • The right to lodge a complaint with the ICO
  • Where the data was not collected from the individual, any available information about the source
  • The existence of automated decision-making, including profiling, and meaningful information about the logic involved

However, there are circumstances in which information may be withheld. The Data Protection Act 2018 and the UK GDPR provide several exemptions, including:

  • Legal professional privilege: Information subject to legal privilege does not need to be disclosed
  • Third-party data: Where disclosing the information would involve revealing personal data about another individual, the organisation may redact or withhold that data unless the third party has consented or it is reasonable in all the circumstances to disclose without consent
  • Crime prevention and detection: Disclosure may be refused where it would prejudice the prevention or detection of crime or the apprehension or prosecution of offenders
  • Management forecasting: Information relating to management forecasting or management planning may be exempt in certain circumstances
  • Confidential references: Confidential employment references given by the organisation are exempt from disclosure
  • Regulatory functions: Where disclosure would prejudice certain regulatory functions

Organisations must apply exemptions on a case-by-case basis and must be able to justify any decision to withhold information. Blanket refusals are not permitted.

Charging for Subject Access Requests

Under the UK GDPR, organisations cannot charge a fee for responding to a SAR in most circumstances. This is a significant change from the previous regime under the Data Protection Act 1998, which permitted a £10 fee. However, Article 12(5) of the UK GDPR does allow a “reasonable fee” to be charged where requests are manifestly unfounded or excessive, particularly where they are repetitive. Alternatively, the organisation may refuse to act on the request entirely. In either case, the organisation must be able to demonstrate why it considers the request to be manifestly unfounded or excessive.

Identity Verification Before Responding

Before disclosing any personal data in response to a SAR, the organisation must take reasonable steps to verify the identity of the person making the request. This is essential to prevent unauthorised disclosure, which would itself constitute a personal data breach under the UK GDPR. Identity verification measures may include:

  • Requesting a copy of a government-issued photo ID (such as a passport or driving licence)
  • Asking the individual to confirm details that only they would know (such as an account number or date of birth)
  • Where the request is made through an online account, verifying through the existing authentication process
  • For requests made by third parties, obtaining written authorisation from the data subject

The ICO advises that identity verification should be proportionate. Organisations should not request more information than is necessary to confirm the individual's identity, and the verification process should not be used as a means of discouraging or delaying the request.

How a SAR Policy Documents the Process

A well-drafted SAR policy ensures that every request is handled in a consistent, compliant and timely manner. The policy should document:

  • How SARs can be submitted (email, letter, verbal request, online form)
  • The designated point of contact for SARs (typically the Data Protection Officer or a named individual)
  • The identity verification procedure
  • How the request is logged and tracked, including the date received and the response deadline
  • The process for searching for and retrieving relevant personal data across all systems, departments and formats (electronic and paper)
  • The review and redaction process, including how third-party data and exempt material are handled
  • The approval process before the response is sent
  • How the response is delivered securely to the data subject
  • Record-keeping requirements, including retaining a copy of the response and supporting documentation
  • The escalation procedure for complex, high-risk or contentious requests

Having a documented policy is not only good practice but is also a key element of demonstrating accountability under Article 5(2) of the UK GDPR. Organisations should also ensure that all staff who may receive a SAR — particularly those in HR, customer service and IT — are trained to recognise a request and know how to escalate it to the appropriate person.

ICO Enforcement Consequences

The ICO takes a proactive approach to enforcing data subject rights, including the right of subject access. Consequences of failing to comply with SAR obligations can include:

  • Assessment notices: The ICO may issue an assessment notice requiring the organisation to demonstrate its compliance with the UK GDPR
  • Enforcement notices: An enforcement notice can require the organisation to take specific steps to comply, such as responding to an outstanding SAR within a specified period
  • Penalty notices (fines): The ICO can impose fines of up to £17.5 million or 4% of annual global turnover (whichever is higher) for serious infringements of the UK GDPR. Whilst SAR failures alone may not always attract the maximum fine, repeated or wilful non-compliance significantly increases the risk
  • Reputational damage: ICO decisions are published and can attract media attention. Organisations that are seen to obstruct or ignore individuals' data rights face significant reputational harm
  • Compensation claims: Data subjects who suffer damage (including distress) as a result of a failure to comply with a SAR may bring a claim for compensation under Article 82 of the UK GDPR

The ICO has published detailed guidance on responding to SARs, and organisations should ensure their policies and procedures are aligned with this guidance. Proactive compliance is always preferable to reactive enforcement.

For related guidance, see our pages on creating an Information Asset Register (IAR) and data protection and GDPR policies. Policy Pros can write, review or update your SAR policy to ensure full compliance with the UK GDPR and the Data Protection Act 2018. Get in touch to discuss your requirements.