What is a Subject Access Request (SAR)?
A Subject Access Request (SAR) is a legal right under UK data protection law, specifically the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It allows you to ask any organisation – such as a business, public authority, employer, or charity – for a copy of the personal information they hold about you. This right is designed to help you understand what data is being collected, how it is used, and who it is shared with, giving you more control over your privacy.
The main purpose of making a SAR is to see what personal data an organisation has about you. This could include things like your contact details, account information, emails, call recordings, CCTV images, or notes about you kept by the organisation. By reviewing this information, you can check that your data is accurate, being used lawfully, and not held for longer than necessary.
Anyone can make a SAR, regardless of age or nationality, as long as the request is about your own personal data. You can also make a request on behalf of someone else, such as a child or someone who has given you written permission. Most organisations that process personal data – including private companies, public bodies, schools, and healthcare providers – are required to respond to SARs. There are some exceptions, such as certain law enforcement or national security bodies, but in general, if an organisation holds information about you, you have the right to request it.
When you submit a SAR, the organisation must respond without undue delay and within one month of receiving your request. In some cases, if your request is complex or you have made multiple requests, they can extend this deadline by up to two additional months, but they must inform you if they need more time.
In most situations, making a SAR is free of charge. However, if your request is “manifestly unfounded or excessive,” the organisation may charge a reasonable fee to cover administrative costs, or they may refuse to respond altogether. They must explain their reasons if they decide to do this.
Understanding your right to access your personal data is just one part of your broader legal protections under UK data protection law. To learn more about your full range of rights, including the right to rectification, erasure, and data portability, see our overview of your data rights.
How to Make a Subject Access Request
Making a Subject Access Request (SAR) is your legal right under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This process allows you to ask any organisation – such as your employer, a business, or a public authority – for a copy of the personal data they hold about you. Here’s a step-by-step guide to help you make your request clearly and effectively.
Step 1: Identify the Right Organisation
Start by confirming which organisation holds your data. If you’re unsure, check any correspondence, privacy notices, or the organisation’s website for contact details. Most companies and public bodies have a dedicated data protection officer (DPO) or a specific team that handles data requests.
For requests to public authorities, there may be a different process. For more details on this, see our guidance on requesting information from public bodies.
Step 2: Decide How to Send Your Request
You can make a SAR in writing (by email or letter), or sometimes through an online form on the organisation’s website. There’s no requirement to use legal language or quote the law. The key is to make your request clear and specific.
- Email: This is often the quickest and easiest way. Look for a contact address for data protection or privacy queries.
- Letter: If you prefer, you can send a letter to the organisation’s registered address.
- Online form: Some organisations provide a dedicated online form for SARs on their website.
Step 3: What to Include in Your Request
To help the organisation locate your data efficiently, include the following information:
- Your full name and contact details (such as address, email, and phone number).
- Any relevant account or reference numbers (for example, customer ID or employee number).
- Details of the information you’re seeking – for example, “all emails containing my name sent between January and March 2024” or “a copy of my personnel file”.
- How you would like to receive the data (for example, by email or post).
You do not have to explain why you are making the request, but being specific can help speed up the process.
Step 4: Submitting Your Request
Once your request is ready, send it via your chosen method. Keep a copy of your request and any response you receive.
If you need a template or want more advice, the Information Commissioner’s Office (ICO) provides detailed guidance and example wording.
Step 5: What Happens Next
Organisations must respond to your SAR without undue delay, and at the latest within one month of receiving your request. In some cases – for example, if your request is complex or you have made multiple requests – they can extend the deadline by up to two further months. If they need to extend the timeframe, they must let you know within the original one-month period and explain why.
ID Verification and Further Information
Sometimes, the organisation may ask you to provide proof of your identity before processing your request, especially if sensitive information is involved. This is to protect your privacy and ensure data isn’t released to the wrong person. If this happens, the one-month time limit starts once they have received the necessary ID.
Tips for an Effective SAR
- Be clear and specific: The more detail you provide, the easier it is for the organisation to find the right information.
- Check for SAR contact details: Look for a dedicated email address or online form on the organisation’s website.
- Keep records: Save copies of your request and any correspondence.
- Know your rights: You are entitled to your personal data, but organisations can refuse requests that are manifestly unfounded or excessive.
If you’re making a request to a public authority, remember that the process may differ. See our page on requesting information from public bodies for more details.
For further official guidance, visit the Information Commissioner’s Office (ICO), which offers up-to-date information on your rights and the SAR process.
By following these steps, you can take control of your personal information and ensure your privacy rights are respected.
What Information Will You Receive?
When you make a Subject Access Request (SAR), you are entitled to receive a copy of the personal data an organisation holds about you. This includes a broad range of information that can directly or indirectly identify you. Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, organisations must provide you with:
- Personal details such as your name, address, date of birth, and contact information.
- Correspondence and communications involving you, including emails and call records.
- Account or service information – for example, transaction histories, membership details, or records of your interactions with the organisation.
- Employment records if you are requesting data from your employer, which might include HR files, performance reviews, payroll data, and disciplinary records.
The information is usually supplied as a copy of the original records, though sometimes you may receive a summary, especially if the data is extensive or includes information about other people. Organisations can provide your data in electronic or paper format, depending on how you made your request and their usual way of holding information. If you request it, the organisation should provide the data in a commonly used electronic format.
Exemptions and Redactions
Not all information must be disclosed. Organisations can withhold or redact (black out) certain details if:
- The information includes data about other people (unless those individuals have consented, or it is reasonable to provide it without their consent).
- Disclosure would reveal confidential references given for employment, training, or education.
- Legal professional privilege applies (for example, advice from a solicitor).
- There are concerns about national security, crime prevention, or ongoing investigations.
If any data is withheld, the organisation should explain why, unless doing so would reveal the very information they are trying to protect.
Understanding How Your Data Is Used
The information you receive should help you understand:
- What personal data is being processed.
- The purposes for which your data is used.
- Who your data is shared with, including any third parties or overseas recipients.
- How long your data is kept.
This insight allows you to check that your data is accurate, up to date, and being handled lawfully. It also empowers you to challenge any errors or misuse.
Reviewing Your Data
It’s important to review the information you receive carefully. Check that it is complete and correct. If you find inaccuracies or missing data, you can ask the organisation to correct or complete your records. If you are unhappy with the response, you have the right to raise a complaint.
If you’re making a SAR to your employer, you may find it helpful to read more about your employee privacy and data protection rights in the UK workplace. This can give you a clearer idea of what to expect and how your data should be handled at work.
By understanding what information you will receive and how to use it, you can take control of your personal data and ensure your privacy rights are respected.
What to Do if You Find Issues with Your Data
When you receive your personal data after making a Subject Access Request (SAR), it’s important to review it carefully. Sometimes, you might spot errors, outdated details, or signs that your information has been handled incorrectly. Here’s what you should do if you find any issues:
1. Check for Errors or Outdated Information
If you discover that your data is incorrect or no longer up to date – for example, an old address, misspelled name, or inaccurate account details – you have the right under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 to ask the organisation to put things right.
Steps to take:
- Contact the organisation: Write to them, clearly identifying the incorrect or outdated information and explaining what needs to be corrected.
- Provide evidence: If possible, include documents or proof that support your request (such as a recent utility bill to update your address).
- Keep records: Save copies of your correspondence and any responses.
Organisations are legally required to respond to your request to rectify inaccurate data, usually within one month.
2. Requesting Corrections or Deletions
If you find information that should not be held or is irrelevant, you can ask the organisation to delete it. This is known as the "right to erasure" or "right to be forgotten." While this right is not absolute, organisations must consider your request and respond within one month. They must delete data if:
- It’s no longer needed for the purpose it was collected.
- You withdraw consent (where consent was the legal basis for holding it).
- The data has been processed unlawfully.
To make a correction or deletion request, contact the organisation directly, clearly stating what you want changed or removed and why.
3. If Your Data Has Been Misused or Handled Improperly
Sometimes, reviewing your data may reveal that your information has been shared without your consent, used for purposes you didn’t agree to, or otherwise mishandled. This could be a breach of the UK GDPR.
If you suspect misuse:
- Raise the issue with the organisation first: Ask them to explain how your data was used and why.
- Escalate if necessary: If you’re not satisfied with their response, you have the right to take further action.
Making a SAR can be the first step in identifying if your data has been misused, which is especially important if you are considering compensation for data breaches. Evidence from your SAR can support your claim.
4. Reporting Data Misuse to the ICO
If the organisation fails to correct, delete, or properly explain their handling of your data, you can escalate your complaint to the Information Commissioner’s Office (ICO), the UK’s data protection regulator. The ICO can investigate and may take action against organisations that break the law.
For a step-by-step guide on how to escalate your complaint, see reporting data misuse to the ICO. You can also find official guidance and updates directly from the Information Commissioner’s Office (ICO).
5. If You’ve Been a Victim of a Scam
If you discover through your SAR that your personal data has been used in a scam or fraud, it’s vital to act quickly to protect yourself. Steps include:
- Notifying your bank and other affected organisations.
- Changing passwords and securing your online accounts.
- Requesting that any fraudulent or incorrect information is removed from your records.
For more detailed advice on protecting yourself and using SARs effectively after a scam, see what to do if you’ve been scammed.
By carefully checking the data you receive and taking prompt action if you spot any issues, you can help ensure your personal information is accurate and protected. If you need further advice or want to learn more about your rights, the Information Commissioner’s Office (ICO) offers up-to-date guidance on making and following up on subject access requests.
Special Considerations for Different Types of Organisations
When making a Subject Access Request (SAR), it’s important to know that the process can vary depending on the type of organisation holding your data. Whether you’re dealing with a private company, a public body, or a financial institution, understanding these differences will help you make your request more effectively and get the information you need.
Private Companies
Most private companies – such as retailers, tech firms, or service providers – are required under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 to respond to SARs within one month. They must provide you with copies of your personal data, explain how it’s used, and outline your rights. However, companies may ask for proof of identity before releasing information and can refuse requests that are “manifestly unfounded or excessive.” If your request is complex, they may extend the deadline by up to two months, but they must inform you of this.
Banks and Financial Service Providers
Banks and other financial institutions also fall under UK GDPR rules, but there are some specific considerations. Because of the sensitive nature of financial data, banks will almost always require thorough identity verification before processing a SAR. They are generally expected to provide you with copies of your bank statements, transaction records, and any other personal information they hold about you.
However, banks might withhold certain information if it would reveal details about other people, breach confidentiality, or conflict with anti-money laundering regulations. For more detailed guidance on accessing your data from banks, see our dedicated overview.
Public Bodies
Public bodies – such as government departments, councils, or the NHS – must also comply with SAR rules, but may have additional procedures in place. For example, some public authorities have dedicated data protection teams or online portals for SAR submissions. Public bodies can also withhold information if releasing it would prejudice law enforcement, national security, or the rights of others.
It’s also worth noting that if you’re seeking information that isn’t strictly your personal data – such as general records or policy documents – you may need to use the Freedom of Information Act 2000 instead. For more on requesting information from public bodies, visit our specialist guide.
Making Your SAR More Effective
To get the best results, tailor your request to the type of organisation you’re contacting. Clearly state what information you’re seeking, provide any relevant account or reference numbers, and be prepared to verify your identity. Understanding the specific rules and processes for each type of organisation will help you avoid delays and ensure you receive the information you’re entitled to.
By recognising these differences, you can make more targeted requests and better protect your privacy rights. If you need more information on accessing your data from banks or public authorities, explore our linked guides for further support.
Your Privacy Rights and Related Topics
In the UK, your right to access personal data held by organisations is just one part of a much wider set of privacy and data protection rights. The law, primarily through the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, gives you control over how your personal information is collected, used, and shared.
A Subject Access Request (SAR) is a key tool within this legal framework. By making a SAR, you can ask any organisation – such as your employer, a business, or a public body – for a copy of the personal data they hold about you. This right is designed to ensure transparency and accountability, allowing you to see what information is being kept and check that it is accurate and lawfully processed.
However, your rights do not stop at accessing your data. You also have the right to have incorrect data corrected, to object to certain uses of your data, and to ask for your data to be deleted in some circumstances. For a broader understanding of these entitlements, see our overview of your data rights and more detailed information about privacy and data protection rights.
Subject Access Requests are particularly relevant in situations where privacy concerns arise, such as in the workplace or in relation to recordings. For example, if you believe you have been recorded without your consent, or you are concerned about how your employer is handling your personal information, a SAR can help you discover exactly what data has been collected and why. To learn more about how the law deals with unauthorized recording and privacy, including your rights in these situations, visit our dedicated page.
Understanding your rights empowers you to take action if something seems wrong – whether that means challenging how your data is used, requesting corrections, or making a complaint if your information is mishandled. By exploring related topics, you can build a fuller picture of your legal protections and make informed decisions about your personal information. Remember, knowing your rights is the first step in safeguarding your privacy in an increasingly digital world.