Skip to main content
Book a call — £89
Menu

Subject Access Request UK: How SARs Work (2026)

We're not a law firm — we help you find the right legal support. For advice on your situation, speak to a legal adviser or find a solicitor.

Part ofUK Employment Law Guide for Employers (2025)

Written by Brad Askew Solicitor (non-practising)
Brad is on the roll of solicitors of England & Wales but does not hold a practising certificate and does not provide legal advice.
Updated June 2026 · England & Wales
A Subject Access Request, usually shortened to SAR, is one of the most practical rights you have under UK data protection law. It lets you ask any organisation that holds personal information about you to show you that data and explain what they are doing with it. You might use a SAR to check what your employer has on file, to find out why a lender refused your application, or to gather information before raising a complaint or dispute. On the other side of the coin, if you run a business or manage a team, you will need to know how to recognise a SAR when one lands in your inbox and how to respond within the timeframe the law sets. This page walks through both sides of that process in plain English.

Overview

A Subject Access Request is a formal request made by an individual, known in the legislation as the data subject, to see the personal data an organisation holds about them. The right sits within the UK GDPR and the Data Protection Act 2018, and it applies to almost every organisation that processes personal information, from large employers and public bodies to small businesses and charities.

When someone makes a SAR, they are entitled to a copy of their personal data along with supporting information such as why it is being processed, who it has been shared with, how long it will be kept, and where it came from if it was not collected directly from them. A SAR can be made in writing, by email, verbally, or even through social media.

There is no obligation to use a specific form or to mention the words 'subject access request' for the request to be valid.

Key steps

  1. Identify who holds the data. Work out which organisation you want to approach. This is often an employer, former employer, bank, insurer, landlord, or public authority. If a group of companies is involved, try to pin down the specific legal entity that controls your personal data, because that is the body with the legal duty to respond to you.
  2. Put your request in writing. You can make a SAR verbally, but a written request creates a clear paper trail and start date. Send your request by email or post, explain that you are making a Subject Access Request under the UK GDPR, and describe the information you are looking for. Being specific about dates, departments, or topics can help speed things up.
  3. Prove who you are. The organisation is allowed to ask for reasonable proof of identity before releasing any data, and the clock on their response time only starts once they have what they need to confirm it is really you. Provide identification promptly, but do not send more than is genuinely required to verify your identity.
  4. Wait for the response within the statutory window. The organisation must normally respond within one calendar month of receiving a valid request. This period can be extended by up to two further months where a request is particularly complex or where you have made multiple requests, but the organisation must tell you about any extension and explain why it is needed.
  5. Check what you receive and challenge if needed. Review the information carefully against what you expected to see. If data is missing, redacted without a clear reason, or the organisation refuses the request, you can push back directly, raise a complaint with the organisation's data protection officer, and ultimately complain to the Information Commissioner's Office.

Common questions

If you're dealing with this kind of situation, a call with an experienced legal adviser can help you work out the right next step — from £89.

Common questions

Q Who can make a Subject Access Request?
Any living individual can make a SAR about their own personal data. That includes employees, former employees, job applicants, contractors, volunteers, customers, tenants, patients, and members of the public. You can only request your own data, not someone else's, unless you have proper authority such as a written authorisation, parental responsibility for a child, or a power of attorney covering the person whose data you are asking about.
Q Do I have to pay a fee to make a SAR?
In most cases a SAR is free. An organisation can only charge a reasonable administrative fee, or refuse to comply, where the request is manifestly unfounded or excessive, for example where someone repeatedly asks for the same information. If a fee is requested, the organisation should explain clearly why it applies and how it has been calculated. Check gov.uk or the ICO website for current guidance on when fees are permitted.
Q How long does an organisation have to reply?
The general rule is one calendar month from the date a valid request is received, or from the date identification is confirmed if that is later. The deadline can be extended by up to two additional months for complex or multiple requests, but the organisation must notify you of the extension within the original month and give reasons. Missing the deadline can be reported to the Information Commissioner's Office.
Q Can an employer refuse to give me certain information?
Yes, there are limited exemptions. Information that would identify another person without their consent, legally privileged material, confidential references, and certain management planning documents may be withheld or redacted. National security, crime prevention, and regulatory functions also attract exemptions. Any refusal should be explained to you, and you can challenge it with the organisation or escalate to the ICO if you think it has been applied too widely.
Q What should I do if I get no response or an unsatisfactory one?
Start by writing to the organisation to remind them of their duty and give them a short deadline to put things right. If that fails, or the response is incomplete, you can complain to the Information Commissioner's Office, which regulates data protection in the UK. In some situations you may also have a right to claim compensation through the courts if you have suffered damage or distress as a result of the breach.
Q Is there a time limit on how far back I can request data?
There is no fixed time limit in the legislation. You can ask for any personal data the organisation still holds about you, whether it is recent or historic. In practice, many organisations only keep data for a set retention period and will have deleted older records in line with their own retention policy, so very old information may simply no longer exist.
Q Can a SAR be used during a workplace dispute?
Yes, and this is a common use. Employees often make SARs when they are considering a grievance, disciplinary challenge, or tribunal claim, to understand what their employer has recorded about them. The law does not allow an organisation to refuse a SAR simply because it is linked to a dispute, though the usual exemptions for legal privilege and third-party information still apply to the material released.
If you're dealing with this kind of situation, a call with an experienced legal adviser can help you work out the right next step — from £89.

Sources

This guide is based on primary UK law and official guidance.

Brad Askew, Solicitor (non-practising)

Written & reviewed by

Brad Askew Solicitor (non-practising)

Brad is on the roll of solicitors of England & Wales but does not hold a practising certificate and does not provide legal advice. LegalDocuments.co.uk is not a law firm and does not provide regulated legal advice.

Full profile →SRA register ↗
Legal disclaimer
This article is for general information only. It is a tool to help you find your way — not legal advice, and not a substitute for speaking to a qualified adviser about your situation.