Subject Access Requests (SAR) are written requests from an individual or their representative for access to the personal information that you are processing (using and storing) about them.  Under the Data Protection Act (DPA), you were allowed to charge £10 for handling a SAR.  Under the new General Data Protection Regulations (GDPR) you are no longer allowed to charge a fee for this.

Your initial task is to confirm the requester’s identity to avoid a data breach.  There is no automatic right to access personal data of a relative.  However, requests can be made on behalf of others with consent, power of attorney or where the subject is a minor and the requester has parental responsibility.  You may occasionally get a request from a legal representative with a letter of authority attached – you will still need to confirm their identity.

Once you have confirmed the identity and that is a valid request, under GDPR you have 30 days in which to process the request.  The requester has a right to know:

  • What data is being processed
  • The reason(s) it is being processed
  • The identity of all sources and recipients of their personal data

The copy information provided to them must be in an intelligible form with an explanation of terms which are not understandable without an explanation, for example abbreviations or internal codes.

To minimise the time and effort needed to request to the request, you can:

  • Refuse to provide any information if you are unable to confirm their identity
  • Seek details from the requester to help locate the information
  • Refuse to comply if you have previously complied with an identical or similar request

Only personal information is covered so that if an individual asks for all emails sent by them, received by them or sent by other members of staff, they are not entitled to receive ‘business emails’ – just those that mention a personal aspect, for example “I’m off sick today”, “X is off sick today again, I’m beginning not to believe them as it always seems to be Mondays”, “Y is a liability and their performance is way below the rest of the team”.

Another important thing to remember is that it’s not only electronic records which are covered.  This includes all personal information held, so written records, texts, notes etc.  Records of one to one’s with staff and your manager will be covered so it is important that they are completed in a professional manner at all times.

You may find that you get a request because you have dismissed an individual and they are fishing to see if their SAR reveals grounds for discrimination or similar to support an unfair dismissal claim.

All data held must be disclosed and nothing deleted even if it might prove their case or be embarrassing.  Failure to do so is a breach of GDPR / DPA and may result in significant penalties and fines.  However, where data would breach the rights of somebody else, there may be grounds for refusal to disclose this data.

What’s different now that GDPR is in place:

  • You can no longer charge a fee for SARs unless the request is manifestly unfounded or excessive (you would have to prove this)
  • Written requests can also be made electronically, e.g. by email.
  • The response time is reduced to 30 days


This information has been provided by The AAT and more information on the subject can be found at:  https://www.aatcomment.org.uk/gdpr-how-to-respond-to-subject-acccess-requests/


Helen Fielding

18 May 2018