Know your rights. A subject access request (known as a SAR or DSAR) is a request to a company or organisation asking for access to the personal data they may hold about you.
We’ve talked before about what a subject access request is. This guide will show you how to make a subject access request and what to expect of organisations from which you’re requesting information.
Your right to make a subject access request
The right existed under the Data Protection Act 1998, but organisations were allowed to charge a fee of £10 to provide you with the information.
Following changes to data protection legislation introduced by the EU-wide regulation called GDPR, you can now make a subject access request for free.
This right of access allows you to be aware of and verify the lawfulness of the processing of your personal data. For example, you might want to make a subject access request if you’re not convinced the company is processing your data lawfully.
You might also want to ask about any logic involved in any automated decisions made about you or get confirmation that your data is being processed and request access.
How to make a subject access request
There isn’t a particular format for sending a SAR to an organisation. You may wish to email, write, phone, DM or tweet the organisation and ask them to provide all the information they may hold about you, tell you who they share it with, and give you copies of it.
If an organisation tries their luck and wants to charge you a fee, inform them that subject access requests can be made for free as of 25 May 2018, when GDPR became law in the UK as the Data Protection Act 2018.
To make a subject access request (SAR), you may wish to follow these steps:
- Find out the right department and person to send the request to. Normally they have a dpo@ email address on their website, or they might have a general contact or support email address
- Note down all the information you need, so you can ask for this in the same request
- Write to the organisation, including your full name, address and contact telephone number; any information used by the organisation to identify or distinguish you from others of the same name (account numbers, unique IDs, etc.); and details of the specific information you require and any relevant dates
- Include a reference to the one month deadline that applies when dealing with requests to provide personal information
- Reference that you have the right to make a subject access request for free under the Data Protection Act 2018
Feel free to use this free template letter available on the Information Commissioner’s Office (ICO) website to make a subject access request.
Record and copy everything
You should try to send your request by recorded delivery or by email, and you should keep a copy of the SAR and all other materials sent to and received from the organisation.
By doing all of the above, you can provide these as evidence later down the line if you wish to complain to the Information Commissioner’s Office (ICO) that the organisation didn’t give you the information you think you are entitled to after you made the SAR.
Work smart with SARs – Use a tool!
You can use our free secure tool to make a subject access request. We built the Tapmydata app to take the headache and workload out of sending subject access requests. We also don’t collect or hold your personal data.
What organisations need to do
The Data Protection Act 2018 requires companies to let you know what information is held about you, whether it is on a computer or paper.
Here are the steps an organisation would need to take when dealing with a subject access request:
- It has to reply to you without delay and at the latest within 30 days, starting from the day it receives the SAR.
- It is allowed to extend the period of compliance by a further two months where requests are complex or numerous, but it must inform you within one month of the receipt of the request and explain why an extension is necessary.
- It must provide you with a copy of the personal data requested in the SAR free of charge.
- It can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
- It may charge a reasonable fee for requests for further copies of the same information, but this doesn’t mean it can charge you for all subsequent access requests.
- It should give you the information in a commonly used format, but it need not do this if it is not possible, if it takes ‘disproportionate effort’ or if you agree to some other form, such as seeing it on screen.
Can organisations withhold my personal data?
In certain situations, organisations can, and are allowed to, withhold information from you:
- If the information could identify someone else, and it would not be reasonable to disclose that information to you.
- If you are being investigated for a crime, or in connection with taxes, and the investigation would be prejudiced if you had access to the information.
We hope you found this guide useful. Go to the My Data Rights section of our blog for more guides.