Updated ICO guidance on Data Subject Access Requests, what organisations need to know in 2026

Himanshi Gulati

Updated ICO guidance on Data Subject Access Requests explains key changes, recent case law, and what organisations need to do in 2026.

The Information Commissioner’s Office (ICO) has published updated guidance on handling Data Subject Access Requests (DSARs). The update reflects changes introduced by the Data (Use and Access) Act 2025, alongside recent case law that clarifies how these changes should operate in practice.

While the right of access remains a fundamental data protection right, DSARs can be challenging to manage. Requests are often broad, unclear, repeated, or involve large volumes of data held across multiple systems. The updated guidance aims to help organisations handle these requests more consistently, while continuing to recognise the importance of transparency and accountability.

Understanding DSARs and the right of access

The right of access allows individuals to obtain confirmation as to whether their personal data is being processed and to receive a copy of that data, together with supplementary information about how and why it is processed.

This right sits at the core of UK data protection law and plays a critical role in enabling transparency, fairness, and accountability in how organisations handle personal data.

Key changes introduced by the Data Use and Access Act and ICO guidance

Stopping the clock where clarification is reasonably required

The updated guidance confirms that organisations may pause the one-month response deadline where clarification is reasonably required to provide an effective response to a DSAR.

Importantly, the previous requirement that the organisation must be processing a large volume of personal data has been removed. Organisations may now seek clarification whenever it is genuinely necessary to understand the scope of a request.

The clock pauses only until sufficient clarification is received and resumes immediately afterwards. Organisations must still act without undue delay and should not use clarification requests to extend deadlines unnecessarily. Decisions to seek clarification should be documented clearly.

Increased transparency when refusing a DSAR

Individuals now have an explicit right to complain directly to the organisation if they believe their DSAR has not been handled in line with UK data protection law.

Where a DSAR is refused, organisations must inform the individual of the reason for refusal, their right to complain to the organisation, their right to complain to the ICO, and their right to seek a judicial remedy.

This change requires organisations to review refusal templates, ensure internal complaint processes are accessible, and respond to complaints without undue delay.

Reasonable and proportionate search assessments

The guidance reinforces that organisations are required to carry out reasonable and proportionate searches, rather than exhaustive searches in all circumstances.

When assessing proportionality, organisations should consider factors such as the volume of data involved, how information is stored and retrieved, technical or practical limitations, and the context of the request. These decisions should be documented so they can be justified if challenged.

Manifestly unfounded or excessive requests

Providing personal data in a commonly used electronic format, such as via a secure portal, will generally satisfy the obligation to provide a copy, unless the individual objects.

However, the ICO recognises that repeated requests for the same information in different formats, after it has already been provided, may be treated as manifestly unfounded or excessive. Any such assessment must be fact-specific, narrowly applied, and clearly documented.

Disclosing identities of recipients

One of the most significant clarifications relates to the disclosure of recipients of personal data. The ICO states that organisations should disclose specific recipients by default.

Providing only categories of recipients should be the exception, permitted only where it is impossible to identify specific recipients or where disclosure would adversely affect the rights or freedoms of another person. Where categories are used, organisations must document their justification and any exemption relied upon.

Use of exemptions in supplementary information

The guidance confirms that exemptions may apply not only to the personal data disclosed, but also to supplementary information provided in response to a DSAR.

Where an exemption is relied upon, organisations should identify the specific exemption, document the balancing exercise undertaken, and record why disclosure would adversely affect the rights or freedoms of another individual.

What the courts have said

Harrison v Cameron

In Harrison v Cameron, the court confirmed that the right of access generally includes a right to know who personal data has been disclosed to. Reliance on categories of recipients alone requires justification, and organisations must be able to explain why naming specific recipients is not possible or appropriate.

The court also confirmed that exemptions, including the rights of others exemption, may apply to supplementary information in certain circumstances.

Ashley v HMRC

In Ashley v HMRC, the court clarified that not all information connected to an individual will qualify as personal data. Information must relate to an individual in a meaningful and biographical way.

The court confirmed that DSARs cannot be used as a means to access an organisation’s internal analysis or decision-making processes, supporting a targeted and proportionate approach to searches.

Practical implications for organisations

Organisations should review and update SAR policies and procedures, including when stop-the-clock provisions may be used. Refusal templates should be updated, and internal complaint handling workflows established or revised.

Clear documentation should be maintained for clarification requests, search scoping decisions, recipient disclosures, exemption reliance, refusals, and any fees charged. Staff responsible for handling SARs should receive targeted training to ensure consistent application of the updated guidance.

Conclusion

The ICO’s updated guidance reinforces the importance of transparency, proportionality, and procedural fairness in DSAR handling. While organisations now have greater clarity and flexibility in managing complex requests, expectations around reasoning, documentation, and accountability have increased.

Organisations should ensure their DSAR processes reflect these expectations to reduce both regulatory and reputational risk.

How Data Protection People can help

Data Protection People support organisations with DSAR process reviews, policy development, and staff training to help ensure requests are handled consistently and in line with ICO expectations.

Sources

Updated ICO guidance on Data Subject Access Requests.
Data (Use and Access) Act 2025.
Harrison v Cameron [2024] EWHC 1377 (KB).
Ashley v HMRC.