Your Guide To Subject Access Requests

Written by Myles Dacres - Data Protection People

sar services purple icon

Subject Access Request (SAR) under UK GDPR: A Comprehensive Guide

The right to access personal data is a fundamental right under data protection laws, including the UK GDPR. This right allows individuals to request a copy of their personal data that is held by an organisation. This right is exercised by submitting a Subject Access Request (SAR) to the organisation that holds personal data.

When can individuals submit a SAR request?

Individuals have the right to submit a SAR to an organisation if they want to access their personal data. A SAR can be submitted for any reason, and the individual does not have to explain why they want access to their personal data. The organisation must respond to the SAR within one calendar month of receiving it, and they must provide a copy of the personal data that the individual has requested.

The individual can request access to any personal data that the organisation holds, including information about:

      • Personal details (such as name, address, and contact information)
      • Employment information
      • Financial information
      • Health information
      • Criminal record information

Organisations must also provide information about how they process personal data, including the purpose for which they process the data, the categories of personal data that they hold, and who they share the personal data with.

When can organisations refuse a SAR request?

Under certain circumstances, an organisation may refuse to provide access to personal data in response to a SAR. This can happen if:

      • The personal data is exempt from the right of access – For example, if the personal data is subject to legal professional privilege, or if the data relates to the prevention, detection, or investigation of a crime.
      • The request is manifestly unfounded or excessive – If the organisation believes that the request is unfounded or excessive, they may refuse to provide access to the personal data. An unfounded request is one that has no basis in law, while an excessive request is one that is unreasonable or excessive in nature.
      • The request is repetitive – If the individual has already made a similar request, and the organisation has already provided access to the personal data, the organisation may refuse to provide access to the personal data again.
      • Providing access would adversely affect the rights and freedoms of others – If providing access to the personal data would adversely affect the rights and freedoms of others, the organisation may refuse to provide access to the personal data.

If an organisation refuses a SAR, it must provide a written response explaining why they have refused the request. The individual has the right to complain to the Information Commissioner’s Office (ICO) if they believe that their SAR has been unfairly refused.

In conclusion, individuals have the right to submit a SAR to an organisation if they want to access their personal data. However, organisations may refuse a SAR if the personal data is exempt from the right of access, if the request is manifestly unfounded or excessive, if the request is repetitive, or if providing access would adversely affect the rights and freedoms of others.

It is important for both individuals and organisations to understand their rights and obligations under the UK GDPR to ensure that personal data is processed in a fair and transparent manner.

Outsourcing Your Subject Access Request

In addition to understanding their rights and obligations under the UK GDPR, organisations can benefit from working with a data protection consultancy to handle Subject Access Requests. At our consultancy, we offer a wide range of services to support organisations with all kinds of information requests at any stage, from discovery to redaction.

Our team of experienced redactors work around the clock to ensure that our client’s sensitive data is protected during the SAR process. This ensures that organisations can focus on their core business activities while we handle the SAR for them.

Readers can visit our SAR service page to see the details of our service or visit the contact page to get in touch with our team to discuss their requirements.

Listen To What Our Experts Have To Say

In addition, we would like to invite our readers to our next podcast episode, called ‘Balancing Act – Protecting Data And Confidentiality In SARs. In this session, our experts will be discussing the challenges and best practices for managing SARs while balancing the need to protect sensitive data and confidentiality.

To register and attend this session, readers can visit our events page and sign up. Additionally, readers can request to be a subscriber of the Data Protection Made Easy Podcast, where they will benefit from weekly invites to our live discussions covering various topics related to data protection. Our community now has well over 1000 members and grows on a weekly basis.

Being part of our community offers numerous benefits, including being part of one of the UK’s number one data protection networks where like-minded people support one another. Members will also gain access to top tips and expert insights, and they will have the opportunity to share their own experiences and insights with the community.

In summary, working with a data protection consultancy like ours can help organisations to manage SARs more efficiently and effectively, allowing them to focus on their core business activities. Additionally, our podcast and community offer readers the opportunity to stay up-to-date with the latest developments in data protection and network with other professionals in the field.