Skip to content

Subject Access Request Procedures

Approved 1 December 2021

  • Inform data subjects of their right to access data and provide an easily accessible mechanism through which such a request can be submitted (e.g. a dedicated email address).
  • Make sure a SAR policy is in place within the organisation and that internal procedures on handling of SARs are accurate and complied with. Include, among other elements, provisions on:
    • Responsibilities (who, what)
    • Timing
    • Changes to data
    • Handling requests for rectification, erasure or restriction of processing.
  • Ensure personal data is easily accessible at all times in order to ensure a timely response to SARs and that personal data on specific data subjects can be easily filtered.
  • Implement the following standards to respond to SARs, including a standard response

Upon receipt of a SAR:

  1. Verify whether you are controller of the data subject’s personal data. If you are not a controller, but merely a processor, inform the data subject and refer them to the actual controller.
  2. Verify whether you are controller of the data subject’s personal data. If you are not a controller, but merely a processor, inform the data subject and refer them to the actual controller.
  3. Verify whether you are controller of the data subject’s personal data. If you are not a controller, but merely a processor, inform the data subject and refer them to the actual controller.
  4. Verify whether you are controller of the data subject’s personal data. If you are not a controller, but merely a processor, inform the data subject and refer them to the actual controller.
  5. Verify whether you are controller of the data subject’s personal data. If you are not a controller, but merely a processor, inform the data subject and refer them to the actual controller.
  6. Verify whether you are controller of the data subject’s personal data. If you are not a controller, but merely a processor, inform the data subject and refer them to the actual controller.
  7. Verify whether you are controller of the data subject’s personal data. If you are not a controller, but merely a processor, inform the data subject and refer them to the actual controller.
  8. Verify whether you are controller of the data subject’s personal data. If you are not a controller, but merely a processor, inform the data subject and refer them to the actual controller.

Responding to a SAR

1. Respond to a SAR within one month after receipt of the request:

(a)If more time is needed to respond to complex requests, an extension of another two months is permissible, provided this is communicated to the data subject in a timely manner within the first month;

(b)if the organisation cannot provide the information requested, it should inform the data subject on this decision without delay and at the latest within one month of receipt of the request.

2. If a SAR is submitted in electronic form, any personal data should preferably be provided by electronic means as well.

3. If data on the data subject is processed, make sure to include as a minimum the following information in the SAR response:

(a)the purposes of the processing;

(b)the categories of personal data concerned;

(c)the recipients or categories of recipients to whom personal data has been or will be disclosed, in particular in third countries or international organisations, including any appropriate safeguards for transfer of data, such as Binding Corporate Rules or model clauses

(d)where possible, the envisaged period for which personal data will be stored, or, if not possible, the criteria used to determine that period;

(e)the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

(f)the right to lodge a complaint with the Information Commissioners Office (“ICO”);

(g)if the data has not been collected from the data subject: the source of such data;

(h)the existence of any automated decision-making, including profiling and any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

4. Provide a copy of the personal data undergoing processing.

Sample Subject Access Requests Policy

What must I do?

MUST: On receipt of a subject access request you must forward it immediately to the appointed Data Protection Officer

MUST: We must correctly identify whether a request has been made under the Data Protection legislation

MUST: The nominated member of staff who receives a request to locate and supply personal data relating to a SAR must make a full exhaustive search of the records to which they have access.

MUST: All the personal data that has been requested must be provided unless an exemption can be applied. 

MUST: We must respond within one calendar month after accepting the request as valid.

MUST: Subject Access Requests must be undertaken free of charge to the requestor unless the legislation permits reasonable fees to be charged.

MUST: Managers must ensure that the staff they manage are aware of and follow this guidance. 

MUST: Where a requestor is not satisfied with a response to a SAR, the organisation must manage this as a complaint.

How must I do it?

Notify the Data Protection Officer upon receipt of a request.

We must ensure a request has been received in writing where a data subject is asking for sufficiently well-defined personal data held by the organisation relating to the data subject. You should clarify with the requestor what personal data they need. They must supply their address and valid evidence to prove their identity. The organisation  accepts the following forms of identification (* These documents must be dated in the past 12 months, +These documents must be dated in the past 3 months):

  • Current UK/EEA Passport
  • UK Photocard Driving Licence (Full or Provisional)
  • Firearms Licence / Shotgun Certificate
  • EEA National Identity Card
  • Full UK Paper Driving Licence
  • State Benefits Entitlement Document*
  • State Pension Entitlement Document*
  • HMRC Tax Credit Document*
  • Local Authority Benefit Document*
  • State/Local Authority Educational Grant Document*
  • HMRC Tax Notification Document
  • Disabled Driver’s Pass
  • Financial Statement issued by bank, building society or credit card company+
  • Judiciary Document such as a Notice of Hearing, Summons or Court Order
  • Utility bill for supply of gas, electric, water or telephone landline+
  • Most recent Mortgage Statement
  • Most recent council Tax Bill/Demand or Statement
  • Tenancy Agreement
  • Building Society Passbook which shows a transaction in the last 3 months and your address

DATA SEARCH

Depending on the degree to which personal data is organised and structured, you will need to search emails (including archived emails and those that have been deleted but are still recoverable), Word documents, spreadsheets, databases, systems, removable media (for example, memory sticks, floppy disks, CDs), tape recordings, paper records in relevant filing systems etc, and any other relevant category of electronic or manual file.

FORMAT OF DATA

You must not withhold personal data because you believe it will be misunderstood; instead, you should provide an explanation with the personal data. You must provide the personal data in an “intelligible form”, which includes giving an explanation of any codes, acronyms and complex terms. The personal data must be supplied in a permanent form except where the person agrees or where it is impossible or would involve undue effort. You may be able to agree with the requester that they will view the personal data on screen or inspect files on our premises. You must redact any exempt personal data from the released documents and explain why that personal data is being withheld.

Make the rights of access clear on policies/notices and on the organisation website

You should educate staff through the use of induction, performance management and training, as well as through establishing and maintaining appropriate day to day working practices.

A database should be maintained allowing the organisation to report on the volume of requests and compliance against the statutory timescale.

When responding to a complaint, we must advise the requestor that they may complain to the Information Commissioners Office (“ICO”) if they remain unhappy with the outcome.

Letters

All letters must include the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipients to whom personal data has been or will be disclosed, in particular in third countries or international organisations, including any appropriate safeguards for transfer of data, such as Binding Corporate Rules
  • where possible, the envisaged period for which personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with the Information Commissioners Office (“ICO”);
  • if the data has not been collected from the data subject: the source of such data;
  • the existence of any automated decision-making, including profiling and any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.