What’s the Difference Between a SAR and FOI Request?

Discover the differences between a subject access request and a Freedom of Information Act request in our guide.

 


Subject access requests (SARs) and Freedom of Information (FOI) requests empower individuals to hold organisations accountable. Whether they are used to uncover council spending or to receive copies of personal data, it is crucial to understand these requests and be able to identify them.

In this blog, you’ll discover the key differences between SARs and FOI requests and whether your sector is responsible for responding to them.

What Is a FOI Request?

The Freedom of Information Act (FOI or FOIA) allows public access to data held by public authorities in England, Wales, Northern Ireland and UK authorities in Scotland. For the Scottish public, information requests are handled through Scotland’s Freedom of Information Act 2002. 

A public authority is defined as an organisation that is publicly funded to offer public or government services. These bodies include:

  • Government departments;
  • The NHS;
  • State schools;
  • Police forces;
  • Local authorities;
  • GPs, dentists and health practitioners (NHS work only);
  • Companies owned by the Crown; 
  • Companies owned by the public sector; and, 
  • Companies owned by the Crown and public sector. 

The primary purpose of the FOIA is to improve trust and confidence between the public and its authorities. When submitting a FOI request, the individual can access any (non-personal) information about them. The Act covers official documentation, emails, notes, CCTV recordings, telephone call recordings and more.  

What Is a SAR?

A (data) subject access request (SAR or DSAR) is one of several data subject rights that allow individuals access to personal data held by organisations. A DSAR falls under the UK GDPR and applies to any business that handles personal information. 

The individual will receive copies of their data, along with details of why it’s being processed, who it’s disclosed to, how long it’s stored and whether it’s being used for automated decision-making. To learn more, head to our blog on AI and GDPR compliance.

SARs vs FOI: How Do They Differ? 

1. Request Format

A DSAR can be submitted as a verbal request, in writing or on social media. You must submit FOI requests in writing to the appropriate public authority. This could be in an email, a letter or via a contact form. 

2. Response Time

A public authority has 20 working days to send individuals information in response to their FOI request (extensions are allowed). Scottish authorities can extend this by six days if the request is sent in the post. 

Once a SAR is submitted, you must respond within one calendar month of receiving it. You can apply for extensions if the SAR requires extensive resources or multiple requests have been made. 

3. Data Type 

The biggest difference between a SAR and FOI request is the information requested. Under the FOI Act, anyone can ask for information a public authority has. For example, an individual might want to know how much their local council spent on pothole repairs. No personal information is included. 

A subject access request covers only personal information about the person (a third party can also request on a person’s behalf). You cannot publicly access this data, which will only be made available to the individual.  

4. Refusal to Comply 

An organisation can refuse SAR and FOI requests if exemptions apply. You can deny SARs if they are manifestly unfounded or excessive. Under the FOI Act, public authorities can decline requests on the following grounds:

  • The request is vexatious; 
  • The request would take up too many resources or cost too much (i.e., over £600);
  • An individual has already made the same request; 
  • Absolute exemption – the requested information cannot be disclosed under any circumstance;
  • Qualified exemption – if the request is not in the public’s interest.

Individuals can easily mix up these requests, so you must get clarification from them on what information they require. Through our SAR support and FOI service, we’ll respond to and handle any request you need help with so you can focus on what matters most. 

Handle SARs & FOI Requests Compliantly with GDPR Training

Master the complexities of SAR and FOI requests with our bespoke GDPR training courses. Our SAR training and FOI request training offer the following:

  • Expert-led training: Our training team offers extensive experience in SAR and FOI legislation and will equip you with the knowledge to handle requests easily.  
  • Interactive learning: We use real-world scenarios and practical exercises so all participants (in any role) can get involved. 
  • Plain English approach: Our philosophy is simple: We make data protection easy. We’ll break legal concepts into actionable steps and tailor learning to your skill level.

Looking for a GDPR Consultancy? 

At Data Protection People, we’ve worked with various industries, including the public, multinational and commercial sectors. Our data protection services meet the unique needs of any organisation, so whatever you need help with, we’ll be at hand.

Contact our team to learn more