A subject access request (known as a SAR or DSAR) is a request to a company or organisation asking for access to the personal data they may hold about you.
We’ve talked before about what a subject access request is. This short guide explains how you can make a subject access request and what to expect of organisations from which you’re requesting information.
Your right to make a subject access request
The right existed under the Data Protection Act 1998, but organisations were allowed to charge a fee of £10 to provide you with the information.
Following changes to data protection legislation introduced by the EU-wide regulation known as GDPR, you can now make a subject access request for free.
This right of access allows you to be aware of and verify the lawfulness of the processing of your personal data. For example, you might want to make a subject access request if you’re not convinced the company is processing your data lawfully.
You might also want to ask about any logic involved in any automated decisions made about you or get confirmation that your data is being processed and request access.
How to make a subject access request
There isn’t a particular format for sending a SAR to an organisation. You may wish to email, write, phone, DM or tweet the organisation and ask them to provide all the information they may hold about you, who they share it with and request copies of it.
If an organisation tries their luck and wants to charge you a fee, inform them that subject access requests have been free since 25 May 2018, when GDPR became law in the UK as the Data Protection Act 2018. You do not have to pay!
To make a subject access request (SAR), you may wish to follow these steps:
- Note down all the information you need, so you can ask for this in the same request
- Write to the organisation, including your full name, address and contact telephone number; any information used by the organisation to identify or distinguish you from others of the same name (account numbers, unique IDs, etc); and include details of the specific information you require and any relevant dates
- Include a reference to the one-month deadline that applies when dealing with requests to provide personal information
- Reference that you have the right to make a subject access request for free under the Data Protection Act 2018.
Feel free to use this free template letter available on the Information Commissioner’s Office (ICO) website to make a subject access request.
Record and copy everything
You should try to send your request by recorded delivery or by email, and you should keep a copy of the SAR and all other materials sent to and received from the organisation.
By doing all of the above, you can provide these as evidence later down the line if you wish to complain to the Information Commissioner’s Office (ICO) that the organisation didn’t give you the information you think you are entitled to after you made the SAR.
Work smart with SARs – Use a tool!
We built TAP to take the headache and workload out of making and managing requests for citizens, to keep a record of their communications with organisations and to act as a safe store for their personal data. The app is free on Apple and Android.
What organisations need to do
The Data Protection Act 2018 requires companies to let you know what information is held about you, whether it is on a computer or paper.
Here are the steps an organisation would need to take when dealing with a subject access request:
- It has to reply to you without delay and at the latest within 30 days, starting from the day it receives the SAR.
- It is allowed to extend the period of compliance by a further two months where requests are complex or numerous, but it must inform you within one month of the receipt of the request and explain why an extension is necessary.
- It must provide you with a copy of the personal data requested in the SAR free of charge.
- It can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
- It may charge a reasonable fee for requests of further copies of the same information, but this doesn’t mean it can charge you for all subsequent access requests.
- It should give you the information in a commonly used format, but it need not do this if it is not possible, if it takes ‘disproportionate effort’ or if you agree to some other form, such as seeing it on screen.
Can organisations withhold my personal data?
Organisations can, and are allowed to, withhold information from you in certain situations:
- If the information could identify someone else, and it would not be reasonable to disclose that information to you.
- If you are being investigated for a crime, or in connection with taxes, and the investigation would be prejudiced if you had access to the information.
We hope you found this guide useful, and please get in touch if you’re having problems accessing your personal data from an organisation. Alternatively, you can read what steps you can take next if you don’t get a response.