At a glance
- Individuals have the right to access and receive a copy of their personal data, and other supplementary information.
- This is commonly referred to as a subject access request or ‘SAR’.
- Individuals can make SARs verbally or in writing, including via social media.
- A third party can also make a SAR on behalf of another person.
- In most circumstances, you cannot charge a fee to deal with a request.
- You should respond without delay and within one month of receipt of the request.
- You may extend the time limit by a further two months if the request is complex or if you receive a number of requests from the individual.
- You should perform a reasonable search for the requested information.
- You should provide the information in an accessible, concise and intelligible format.
- The information should be disclosed securely.
- You can only refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive.
Preparing for subject access requests
☐ We know how to recognise a subject access request and we understand when the right of access applies.
☐ We have a policy for how to record requests we receive verbally.
☐ We understand what steps we need to take to verify the identity of the requester, if necessary.
☐ We understand when we can pause the time limit for responding if we need to ask for clarification.
☐ We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.
☐ We understand the nature of the supplementary information we need to provide in response to a subject access request.
☐ We have suitable information management systems in place to allow us to locate and retrieve information efficiently.