How to handle a Subject Access Request
A Subject Access Request (SAR) is a formal request from an individual for a copy of all personal data you hold about them. Under Article 15 of UK GDPR, you must usually respond within one calendar month. This guide explains what you must provide, how to handle difficult cases, and what the ICO expects to see when it investigates SAR complaints.
The one-month response deadline runs from the day you receive the request — not from when you verify identity, not from when you consider the request valid. If you cannot respond in time, you must notify the individual within the first month and explain the extension. Failure to respond is the most common SAR complaint the ICO investigates.
What a Subject Access Request is
Under Article 15 of UK GDPR, any individual (a data subject) has the right to ask a data controller whether it processes personal data about them, and if so, to receive a copy of that data along with supplementary information. This is the right of access — one of eight data subject rights under UK GDPR.
A SAR does not have to use the phrase "subject access request" or reference any legislation to be valid. If someone asks "can you tell me what information you hold about me?" or "please send me all my data" — that is a SAR. The ICO has confirmed that requests made verbally, by email, via social media, or in any other format are all valid. The response clock starts from the date of receipt regardless of the format.
What you must provide
Article 15(1) requires you to confirm whether you process personal data about the individual, and if so, to provide access to that data along with the following information:
- The purposes for which the data is processed
- The categories of personal data concerned
- The recipients or categories of recipients to whom the data has been or will be disclosed
- The retention period, or the criteria used to determine it
- The individual's rights to rectification, erasure, restriction, and the right to object
- The right to lodge a complaint with the ICO
- Where data was not collected directly from the individual, information about its source
- Whether any automated decision-making is used, including profiling, and meaningful information about the logic involved
You must also provide a copy of the personal data itself — Article 15(3). This is the "copy" element of the right of access. Where the request was made electronically, the copy should be provided in a commonly used electronic form unless the individual requests otherwise; a request made on paper may be answered on paper.
Deadlines and extensions
You must respond without undue delay, and in any event within one calendar month of receiving the request. The one-month period runs from the date of receipt: a request received on 10 March is due by 10 April, regardless of bank holidays or weekends. Where you have reasonable doubt about the requester's identity, this period may be paused while identity verification is sought, but only where that verification is genuinely necessary.
You can extend the deadline by a further two months where the request is complex or you have received a large number of requests from the same individual. If you apply an extension, you must notify the individual within the first month — before the original deadline — that an extension is being applied and explain why. Applying an extension without notifying the individual is itself a breach.
Where you decide not to act on a request (because it is manifestly unfounded or excessive, or because an exemption applies), you must still notify the individual within one month, informing them of your reasons and their right to complain to the ICO and seek a judicial remedy.
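To make the deadline rules above concrete, here is an added example in Python (not part of the original guide, and not any regulator's tool): a small tracker that computes the due date as one calendar month from receipt, adds back any days the clock was paused for identity verification, and only honours a two-month extension if the notification went out on or before the original deadline. Where the following month has no corresponding date (a request received on 31 January), it falls back to the last day of that month; that fallback, the "pause adds days" simplification, and all sample dates are assumptions made for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


def add_calendar_months(start: date, months: int) -> date:
    """Return the corresponding date `months` calendar months after `start`.

    Assumption for illustration: if the target month has no such day
    (e.g. 31 January + 1 month), use the last day of the target month.
    """
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


@dataclass
class SarRecord:
    """One logged subject access request (constructed record layout)."""
    requester: str
    received: date                      # clock starts here, whatever the format
    method: str                         # email, letter, social media, verbal...
    paused_days: int = 0                # days the clock was paused awaiting ID details
    extension_notified_on: Optional[date] = None
    responded_on: Optional[date] = None

    def original_deadline(self) -> date:
        # One calendar month from receipt, plus any identity-verification pause.
        return add_calendar_months(self.received, 1) + timedelta(days=self.paused_days)

    def extension_valid(self) -> bool:
        # An extension counts only if the individual was told within the first month;
        # notifying after the original deadline is itself a breach, so it is ignored.
        return (self.extension_notified_on is not None
                and self.extension_notified_on <= self.original_deadline())

    def deadline(self) -> date:
        # A valid extension adds a further two months: three months from receipt in total.
        if self.extension_valid():
            return add_calendar_months(self.received, 3) + timedelta(days=self.paused_days)
        return self.original_deadline()

    def status(self, today: date) -> str:
        due = self.deadline()
        if self.responded_on is not None:
            return "on time" if self.responded_on <= due else "late"
        if today > due:
            return "overdue"
        return f"open ({(due - today).days} days remaining)"


if __name__ == "__main__":
    # Constructed sample: received by email on 10 March, no pause, no extension.
    rec = SarRecord("A. Requester", date(2025, 3, 10), "email")
    print(rec.deadline(), rec.status(date(2025, 4, 1)))
```

In a real log the `received` date is recorded on the day the request arrives, not on the day it is recognised as a SAR, and the record should also capture what was provided, what was withheld and why, as the procedure list at the end of this guide describes.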
Identity verification
Where you have reasonable doubt about the identity of the person making the request, you may ask for additional information to confirm identity. However, you should only request the minimum information necessary — the ICO has warned against using identity verification as a way to delay or avoid responding. You cannot ask for a passport or driving licence as a matter of course if identity is not genuinely in doubt.
The response clock is paused while you wait for the additional information, but resumes immediately once it is received. If the individual does not provide the requested information, you may decline to respond — but you must document your reasoning.
Fees
Responses to subject access requests must be provided free of charge. The only circumstances in which a fee can be charged are where a request is manifestly unfounded or excessive, or where an individual requests further copies of information already provided. The fee must be reasonable and proportionate to the administrative cost of providing the information.
Exemptions
DPA 2018 Schedule 2 sets out a range of exemptions from the right of access. These include legal professional privilege (information subject to legal privilege can be withheld), crime and taxation (where disclosure would prejudice a criminal investigation or tax assessment), references (employment references given in confidence), and negotiations (where disclosure would prejudice the organisation's negotiating position).
Exemptions are not blanket — they must be assessed on a case-by-case basis. If an exemption applies to part of the data but not all of it, you must redact the exempt portions and provide the rest. The ICO expects a documented assessment of why each exemption was applied, not a bare assertion.
Third-party data in the response
A common complication arises when the data you hold about the requester also contains information about third parties — for example, an email chain that includes a colleague's opinions. You must balance the requester's right of access against the third party's right to privacy. In practice, this often means redacting third-party identifying information before providing the response.
You are not required to provide data about third parties, but you cannot use the presence of third-party data as a reason to withhold all information — only the specific information that would identify or relate to the third party.
AML-regulated firms — additional complexity
For accountants, solicitors, and other AML-regulated professional services firms, a DSAR creates a potential conflict with the tipping-off provisions of the Proceeds of Crime Act 2002. Where a client who is the subject of a Suspicious Activity Report (SAR) filed with the NCA submits a data subject access request, responding fully could disclose the existence of the SAR — which would constitute the criminal offence of tipping off under POCA 2002 s.333A.
The exemption in DPA 2018 Schedule 2 paragraph 2 permits withholding information where disclosure would prejudice a criminal investigation. A documented procedure for checking the firm's SAR log on receipt of every DSAR, escalating to the MLRO where a match is found, and recording the selective withholding basis is essential. This is not a scenario where improvisation is acceptable — the criminal liability for tipping off is serious and the procedure must be in place before the situation arises.
This is what a regulator will look for if a complaint about the subject access request is made. The record of the SAR log check and the response record are the primary evidence.
ICO complaints and enforcement
Failure to respond to a SAR on time is the most common subject matter of ICO complaints. The ICO's first step when a complaint is received is typically to contact the organisation and ask for a copy of the response provided and the date it was sent. If no response was provided, or if the response was late, the ICO will investigate further.
The ICO can issue a reprimand, enforcement notice, or financial penalty for SAR failures. In serious cases — particularly where there is a pattern of non-compliance or where the organisation failed to engage with the ICO's investigation — fines have been issued. Documented evidence of your SAR procedure, each request received, and the date and content of each response is your primary protection.
In practice: what a SAR procedure covers
A documented SAR procedure should address each of the following before a request arrives:
- Recognition — any communication clearly requesting personal data is a SAR, regardless of format or terminology
- Logging — date received, requester, and method of receipt recorded immediately
- Identity verification — protocol for when and how to seek verification, without using it as a delay tactic
- Deadline tracking — one-month deadline (from receipt) tracked from day one
- Exemption assessment — systematic check of applicable exemptions before responding
- Third-party data — process for identifying and redacting third-party information
- Response record — what was provided, what was withheld, why, and the date sent