What is a Subject Access Request and what are my rights under UK GDPR?

A Subject Access Request (SAR) is a formal request by an individual (the data subject) to an organisation (the data controller) to provide a copy of all personal data held about them, together with supplementary information about how that data is being processed. The right is contained in Article 15 of the UK General Data Protection Regulation (UK GDPR) as retained in domestic law by the European Union (Withdrawal) Act 2018, and is supplemented by Sections 45 to 49 of the Data Protection Act 2018. When you submit a SAR, you are entitled to: a copy of your personal data in a commonly used and machine-readable format; the purposes for which your data is being processed and the legal bases relied upon; the categories of data held; the recipients or categories of recipients to whom the data has been disclosed (including in third countries); the planned retention period; your rights to rectification, erasure, restriction, and objection; the right to lodge a complaint with the ICO; the source of the data where it was not collected directly from you; and information about any automated decision-making or profiling. The organisation must respond within one calendar month of receipt, extendable to three months for complex requests. The response must be provided free of charge unless the request is manifestly unfounded, excessive, or repetitive.

Can an organisation refuse a Subject Access Request?

Yes, but only in limited circumstances defined by the Data Protection Act 2018. An organisation may refuse to comply with a SAR if it is manifestly unfounded or manifestly excessive, having regard to the nature, context, and purposes of the request. In such cases, the organisation must inform you of the reasons for refusal and of your right to lodge a complaint with the Information Commissioner's Office (ICO) and to seek a judicial remedy under Section 167 of the DPA 2018. The organisation may also refuse to provide certain information that is covered by an exemption — for example, information that would identify a third party, information subject to legal professional privilege, or information held for the purposes of crime prevention or detection. Confidential employment references are partially exempt from the right of subject access under Schedule 2, Part 4, paragraph 24 of the DPA 2018. However, the exemptions are narrow and the ICO will scrutinise any refusal. If you believe your request has been wrongly refused, you should first ask the organisation to review their decision, then lodge a complaint with the ICO at ico.org.uk.

What can I do if the organisation does not respond within one month?

If an organisation fails to respond to your Subject Access Request within one calendar month (or three months where they have lawfully extended the deadline for a complex request), you have two principal remedies. First, you may lodge a complaint with the Information Commissioner's Office (ICO) under Section 165 of the Data Protection Act 2018. The ICO has extensive investigatory and enforcement powers, including the power to issue enforcement notices and monetary penalty notices. Second, you may apply to the court for an order requiring the organisation to comply with your request under Section 167 of the DPA 2018. Before escalating, you should send a follow-up letter to the organisation's Data Protection Officer reminding them of the statutory deadline and requesting an update. Keep records of all correspondence, including the date your original request was received (evidenced by a read receipt, recorded delivery, or acknowledgement email), as these records will be essential if you need to escalate the matter.

Can my employer refuse to provide HR records in response to a Subject Access Request?

Your employer cannot refuse your SAR merely because the records relate to employment. Personal data held by an employer about an employee — including performance appraisals, disciplinary records, sickness records, emails, and correspondence — is subject to the same UK GDPR subject access rights as any other personal data. However, several exemptions may apply. The employer may redact information that would identify other employees (a third-party exemption). Information covered by legal professional privilege is exempt. Where information is held for the purposes of crime prevention or tax compliance, it may be withheld. Confidential references given by the employer about the employee for employment purposes are partially exempt under Schedule 2, Part 4, paragraph 24, DPA 2018 — but references received by the employer about the employee from a third party may be disclosable subject to the third party's identity being redacted if necessary. The ICO's Employment Practices Code provides further guidance on data subject access in the employment context.

What is the role of the Information Commissioner's Office (ICO) in Subject Access Request disputes?

The Information Commissioner's Office (ICO) is the UK's independent supervisory authority for data protection, established under Section 114 of the Data Protection Act 2018. In the context of Subject Access Request disputes, the ICO has three main functions. First, it handles complaints from individuals who believe an organisation has failed to comply with its obligations under the UK GDPR and DPA 2018 — including failure to respond to a SAR within the statutory deadline. Second, it can investigate the organisation and, where appropriate, issue an enforcement notice requiring compliance or a reprimand. Third, for serious breaches, it can issue a monetary penalty notice imposing a fine of up to £17.5 million or 4% of annual worldwide turnover (for public authorities, the standard maximum fine is £8.7 million). The ICO's contact details are: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. You can submit a complaint online at ico.org.uk. The ICO will generally not investigate a complaint unless you have first raised your concerns directly with the organisation concerned.

What is the difference between a Subject Access Request and a Right of Erasure request?

A Subject Access Request (Article 15 UK GDPR) allows you to obtain a copy of your personal data and supplementary information about its processing. A Right of Erasure request — also known as the 'right to be forgotten' — is a separate right under Article 17 of the UK GDPR that allows you to request the deletion of your personal data in certain circumstances. These include: where the data is no longer necessary for the purpose for which it was collected; where you have withdrawn consent and there is no other legal basis for processing; where you have successfully objected to processing under Article 21; where processing is unlawful; or where erasure is required for compliance with a legal obligation. Unlike a SAR, the right of erasure is not absolute — it can be overridden where processing is necessary for compliance with a legal obligation, for the establishment, exercise, or defence of legal claims, or for reasons of substantial public interest. Many individuals begin with a SAR to understand what data is held before deciding whether to pursue erasure.

Subject Access Request (UK) — United Kingdom

Exercise your right to access your personal data under UK GDPR Article 15 and the Data Protection Act 2018 with a formal Subject Access Request (SAR). Whether you need to review data held by an employer, bank, insurer, government body, or any organisation in England and Wales, this template ensures your request is properly structured, references the correct statutory provisions, sets the one-month response deadline, and preserves your right to complain to the ICO if the organisation fails to respond. Download as PDF or Word.

What Is a Subject Access Request (UK)?

A Subject Access Request (SAR) is a formal letter that enables an individual — known as the data subject — to exercise their statutory right under Article 15 of the UK General Data Protection Regulation (UK GDPR) and Section 45 of the Data Protection Act 2018 to obtain copies of personal data held about them by any organisation, together with detailed supplementary information about how that data is being processed. Following the United Kingdom's exit from the European Union, the EU's General Data Protection Regulation was retained in domestic law under the European Union (Withdrawal) Act 2018 and modified by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, creating the UK GDPR as a standalone domestic instrument that applies across England, Wales, Scotland, and Northern Ireland.

The right to access personal data is one of the most fundamental rights conferred by UK data protection law. It enables individuals to verify whether their personal data is being lawfully processed, to identify inaccuracies, to understand who it has been shared with, to check how long it will be retained, and to assess whether they have grounds to exercise other rights such as the right to rectification (Article 16), the right to erasure (Article 17), or the right to object to processing (Article 21).

A Subject Access Request can be submitted to any organisation acting as a data controller — that is, any entity that determines the purposes and means of processing personal data. This includes private sector companies, public authorities, employers, NHS trusts, financial institutions, insurers, retailers, social media platforms, and any other body holding personal data. The SAR can be submitted in writing by letter or email, and there is no prescribed format — though a well-drafted formal letter that cites the specific statutory provisions is more likely to receive a prompt and substantive response.

Organisations must respond within one calendar month of receiving the request, at no charge, unless the request is manifestly unfounded or excessive. The Information Commissioner's Office (ICO) — the UK's independent data protection regulator — enforces compliance and can receive complaints from individuals whose rights are not respected.

When Do You Need a Subject Access Request (UK)?

A Subject Access Request is appropriate in a wide range of circumstances involving personal data held by organisations in the United Kingdom. The most common situations in which individuals submit SARs include employment disputes, consumer rights matters, healthcare queries, financial services, and general privacy concerns.

In the employment context, SARs are frequently submitted by employees or former employees who wish to review data held about them by a current or former employer — including performance records, disciplinary files, sickness records, emails, correspondence, and notes from meetings. An employee who has been dismissed, placed under a performance improvement plan, or subject to a disciplinary investigation may use a SAR to obtain documentary evidence of the decisions made and the personal data held about them, which can be relevant in employment tribunal proceedings. The subject access right applies equally to job applicants who wish to understand what data was recorded during a recruitment process.

In consumer matters, SARs are commonly used to obtain data from banks, credit reference agencies, insurers, and retailers. A borrower who has been refused a mortgage may wish to review the data held about them by a lender. A customer involved in a dispute with a company may wish to obtain copies of call recordings, emails, or notes of conversations. Under the Consumer Rights Act 2015 and the Financial Services and Markets Act 2000 (as amended), consumers in the UK have various rights that can be informed and supported by the data obtained through a SAR.

SARs are also valuable in healthcare contexts. Patients are entitled to access their NHS and private medical records under the UK GDPR. A SAR to an NHS trust, GP surgery, hospital, or private healthcare provider will typically yield copies of clinical notes, test results, correspondence between healthcare professionals, and other records held on the patient's file. This can be important for medical negligence claims, second opinions, or understanding a diagnosis.

In legal proceedings, SARs can be a cost-effective pre-litigation tool for gathering evidence. The data obtained through a SAR may reveal information that supports or informs a claim, and may also assist in identifying potential witnesses or understanding the timeline of events. Solicitors in England and Wales regularly advise clients to submit SARs as part of pre-action investigation, particularly in employment disputes, data protection claims, and professional negligence matters.

What to Include in Your Subject Access Request (UK)

A well-drafted Subject Access Request letter should contain several key elements to ensure it is effective, legally compliant, and likely to receive a comprehensive response from the organisation.

The letter must clearly identify the data subject — the individual making the request — with their full legal name, contact address, and any reference or account numbers held by the organisation. Providing identification information is important because the organisation is entitled to verify the identity of the person making the request before disclosing personal data to them. Under Article 12(6) of the UK GDPR, where an organisation has reasonable doubts about the identity of the individual, they may request additional information necessary to confirm identity — but they cannot demand disproportionate proof.

The letter should explicitly identify the legal basis for the request by citing Article 15 of the UK GDPR and Section 45 of the Data Protection Act 2018. This immediately signals to the organisation and its Data Protection Officer that the requester is aware of their legal rights, and makes it harder for the organisation to treat the request as an informal query rather than a formal statutory exercise.

The scope of the request should be clearly defined. The requester may request all personal data held about them, or may narrow the scope to a particular time period, category of data, or department. Being specific can make the organisation's response more focused and easier to analyse, and can reduce the volume of irrelevant information received. However, a broad request covering all personal data is equally valid.

The supplementary information requested under Article 15(1) should be stated explicitly — including the purposes and legal bases for processing, the categories of data held, recipients of the data, retention periods, and automated decision-making. These elements are often omitted from SAR responses by organisations that respond hastily, so requesting them explicitly at the outset ensures they must be addressed.

The preferred response format should be stated. Under Article 15(3) UK GDPR, the copy of personal data must be provided in a commonly used electronic format where the request is made electronically. The letter should also state the one-month response deadline and the requester's right to complain to the ICO and to seek a court order if the organisation fails to comply. Including these references signals that the requester understands the enforcement mechanisms available and is serious about exercising their rights.

What Is a Subject Access Request (UK)?

When Do You Need a Subject Access Request (UK)?

What to Include in Your Subject Access Request (UK)

Frequently Asked Questions

Related Documents

Statutory Declaration (UK)

Letter Before Action — Cease and Desist (UK)

Letter Before Action — Demand for Payment (UK)

Employment Contract (England & Wales)