What is a subject access request (SAR)?

Understanding Subject Access Requests (SARs)

08/12/2007

In today's digital age, understanding how organisations handle your personal information is more important than ever. You have a fundamental right to know what data is being collected about you and how it's being used. This is where a Subject Access Request, commonly known as a SAR, comes into play. This article will guide you through the process of making a SAR in the UK, detailing your rights, the steps involved, and what to expect from companies.

What is a subject access request (SAR)?
A subject access request (SAR) is a written or verbal request to a company or organisation asking for access to the personal information it holds on you. Following EU-wide changes to data protection rules introduced in the UK as the Data Protection Act 2018 (GDPR), everyone has the right to make a subject access request for free.

What Exactly is a Subject Access Request (SAR)?

A Subject Access Request (SAR) is a formal request, which can be made in writing or verbally, to a company or organisation. It asks for access to the personal information that the organisation holds on you. Since the introduction of the Data Protection Act 2018, which incorporated the EU's General Data Protection Regulation (GDPR) into UK law, every individual has the right to make a SAR free of charge. This empowers you to take control of your personal data.

Why Might You Make a SAR?

There are numerous reasons why you might choose to make a SAR. Some common motivations include:

  • Reviewing Data Lawfulness: You might want to check if a company is processing your data legally and in line with regulations. If you have doubts about how your information is being handled, a SAR can provide clarity.
  • Understanding Data Holdings: Simply wanting to know what an organisation knows about you is a valid reason. This could include contact details, purchase history, browsing habits, or any other personal information they have collected.
  • Challenging Automated Decisions: GDPR grants you the right not to be subject to a decision based solely on automated processing (including profiling) if it produces legal or similarly significant effects on you. A SAR can help you understand the logic behind such decisions. For example, if you were denied a loan based on an algorithm, a SAR could reveal the factors that led to that decision.
  • Ensuring Data Accuracy: You can use a SAR to check if the information a company holds about you is accurate and up-to-date.

How to Make a Subject Access Request

Making a SAR is a straightforward process, but following these steps will ensure it's handled efficiently:

  1. Identify the Right Contact: Most companies will have a designated data protection officer or a specific department responsible for handling SARs. This information is usually found on their website, often in the privacy policy.
  2. Prepare Your Request: Clearly state that you are making a Subject Access Request under the Data Protection Act 2018. It's helpful to list the specific information you are looking for, although you can also request all personal data held about you.
  3. Contact the Organisation: You can initiate contact via letter, email, or even phone. However, it is highly recommended to follow up any verbal requests with written confirmation (email or letter). This creates a paper trail.
  4. Provide Necessary Details: Include your full name, current address, and contact telephone number. If you have an account number or customer reference with the company, include this as it helps them locate your records more easily.
  5. Mention Key Information: Remind the organisation of the one-month deadline for responding to your request. You can also explicitly state that you are making the request free of charge under the Data Protection Act 2018.

What Documents Might Be Required for a SAR?

While the request itself is usually free, the organisation may ask for proof of identity to ensure they are not disclosing your information to someone else. This is a crucial step in protecting your data. You may be asked to provide copies of official documents that confirm your name, date of birth, and current address. Examples include:

  • Driving Licence
  • Passport
  • Birth Certificate/Adoption Certificate
  • Utility Bills (showing your current address)
  • Bank Statements

It's important to only provide copies of these documents and to ensure they are sent securely. Always check the organisation's specific requirements.

Top Tip for Making a SAR

To ensure you have evidence of your request and the organisation's response (or lack thereof), it is best practice to send your SAR by recorded delivery if by post, or by email. Keep a copy of your SAR and all subsequent correspondence. This documentation is invaluable if you need to escalate a complaint to the Information Commissioner's Office (ICO) because the organisation has failed to comply with your request.

The ICO: Your Data Protection Authority

The Information Commissioner's Office (ICO) is the UK's independent authority responsible for upholding information rights and data privacy. They work with organisations to ensure compliance with data protection laws. The ICO can investigate breaches, issue fines, and take enforcement action against organisations that do not comply with data protection rules. While they can impose penalties on companies, they cannot award compensation directly to individuals.

Time Limits for Responding to a SAR

Organisations are legally obliged to respond to your SAR within a specific timeframe. This is a critical aspect of your data rights:

  • Standard Timeframe: Companies must respond to your SAR without delay and, at the latest, within one month of receiving your request. The clock starts ticking from the day they receive your SAR.
  • Extensions for Complexity: In cases where the requests are particularly complex or numerous, an organisation may be permitted to extend this period by a further two months. However, they must inform you of this extension within the initial one-month period and provide a clear explanation for why the extension is necessary.

If your SAR is ignored, or the organisation fails to meet these deadlines, you have the right to complain to the ICO.

How Organisations Must Respond to a SAR

When an organisation receives a valid SAR, they must adhere to specific requirements outlined in the Data Protection Act 2018 (GDPR):

  • Provide a Copy of Data: They must provide you with a copy of the personal data you requested, free of charge.
  • Reasonable Fees: While SARs are generally free, an organisation can charge a 'reasonable fee' if a request is manifestly unfounded or excessive, particularly if it's repetitive. They can also charge a reasonable fee for subsequent copies of the same information, but this does not mean they can charge for every access request.
  • Commonly Used Format: The information should be provided in a commonly used and understandable format. This might include documents, spreadsheets, or digital files, depending on how the data is stored.

Can Companies Withhold Information?

Organisations are permitted to withhold certain information in specific circumstances. These exemptions are outlined in data protection law. For example, they may be able to withhold information if:

  • Providing the information would adversely affect the rights and freedoms of others.
  • The information is subject to legal professional privilege.
  • The information is required for the prevention or detection of crime.
  • The information is held for the purposes of safeguarding.

If an organisation decides to withhold information, they must inform you of this and explain the legal basis for their decision. You then have the right to challenge this decision, potentially by complaining to the ICO.

What documents do I need to apply for a SAR?
a request in writing, and further information in order to satisfy ourselves as to the identity of the person making a request. Your application (SAR) must be accompanied by copies of at least two official documents, which show your name, date of birth and current address, e.g. driving licence, birth/adoption certificate, quare Boar Lane Leeds

Frequently Asked Questions about SARs

Q1: Do I need to provide a reason for my SAR?

No, you do not need to provide a reason for making a Subject Access Request. You have a right to access your data without explanation.

Q2: How long does a company have to respond?

Typically, one month from the date they receive your request. This can be extended by two months for complex or numerous requests, but they must inform you of this within the first month.

Q3: Can I make a SAR on behalf of someone else?

Yes, but you will generally need to provide proof that you have their permission to act on their behalf, such as a letter of authority or a Power of Attorney. You may also need to provide your own proof of identity.

Q4: What if the company charges me?

If a company charges you, they must be able to justify it under the 'manifestly unfounded or excessive' criteria. If you believe the fee is unreasonable, you can complain to the ICO.

Q5: What should I do if the company doesn't respond?

If the company fails to respond within the given timeframe or refuses your request without a valid reason, you should complain to the Information Commissioner's Office (ICO).

Understanding and utilising your right to make a Subject Access Request is a vital step in managing your personal data and ensuring organisations are accountable for how they handle your information. Be informed, be proactive, and protect your privacy.
