How do we recognise a subject access request (SAR)?

What is a SAR?

A SAR is a request made by or on behalf of a person for the information they are entitled to ask for under article 15 of the UK GDPR. This includes:

  • confirmation of whether or not you are holding or using their information;
  • a copy of their personal information; and
  • other supplementary information.

Are there any formal requirements?

There are no formal requirements for a valid request. A person can make a SAR verbally or in writing, including by social media. They can make it to any part of your organisation, and they do not have to direct it to a specific person or contact point.

The person does not have to include the phrases “subject access request”, “right of access” or “article 15 of the UK GDPR” in their request. It just needs to be clear that they are asking for their personal information. A request can be a valid SAR even if it refers to other legislation, such as the Freedom of Information Act 2000 or the Freedom of Information (Scotland) Act 2002.

Any of your employees may receive a valid request. You must identify and handle each request correctly. You should consider training your staff so that they can identify a request.

You should have a policy for recording details of the requests you receive, including those made by phone or in person. This allows you to contact the person to confirm their identity or make sure you have understood their request, if you need to. For more information, see Can we ask for ID?

People do not have to tell you their reason for making a request or what they intend to do with the information. However, if they do so, it may help you find the relevant information more easily.

Can we provide a standard form or online system for people to make a request?

Standard forms can make it easier for you to recognise a SAR and for people to include all the details you might need to locate their information.

You should enable people to make SARs electronically where possible, particularly if you use electronic systems for processing their information. You could:

  • design a standard SAR form that people can complete and submit to you electronically; or
  • enable people to make SARs to you via a secure online system, free of charge.

However, a person can make a SAR by any means. You can invite people to use your standard process, but you should make it clear that using the form or online system is not compulsory.

Can people make a request via social media?

Yes. People can make a SAR using any social media site where your organisation has a presence.

Therefore, you must take reasonable and proportionate steps to identify and disclose relevant information when people make requests on your social media channels.

In general, responding on social media is not a secure way of providing information. You should ask for alternative delivery details instead. For further guidance, see How do we provide the information securely?

Can a request be made on behalf of someone else?

Yes. A person may want a third party (eg a relative, friend or solicitor) to make a SAR on their behalf. However, it is essential that you are satisfied that the third party making the request is entitled to act on the person’s behalf. The third party is responsible for providing you with evidence of this — for example, by providing a written authority, signed by the person the information is about, stating that they give the third party permission to make a SAR on their behalf.

Example

A building society has an elderly customer who visits a particular branch to make weekly account withdrawals. Over the past few years her daughter, who is also a customer of the branch, has always accompanied her. The daughter makes a SAR on her mother’s behalf. She explains that her mother does not feel comfortable making the request herself, as she does not understand data protection.

While the branch staff know the daughter and have some knowledge of her relationship with her mother, it is still necessary to obtain more formal authority.

If the daughter can provide written authority from her mother giving her permission to make a SAR on her mother’s behalf, the building society can comply with the request.

You could accept electronically signed letters of authority as valid evidence, provided that:

  • you are confident that the person whom the information is about made the electronic signature;
  • the signature was made recently (ie it is not out of date and was not previously used to obtain information about the person); and
  • you are satisfied that the third party is authorised to act on the person’s behalf, and to receive the information on their behalf.

If the third party gives additional details with their request (eg the person’s address, up-to-date ID and account number), this may help to show that the request is valid.

As a controller, you must ensure that you deal with information securely and responsibly. You should clearly explain in your privacy information what authority you require from a third party acting on someone’s behalf. If you have concerns about the validity of electronically signed letters of authority, you should make it clear that you do not accept these as proof of authority.

Other mechanisms may allow a third party to make a SAR on a person’s behalf, such as powers of attorney. You need to check the type and circumstances of the particular power of attorney to determine whether the third party is authorised to make a SAR. However, it’s reasonable to assume that an attorney with authority to manage someone’s property and affairs has the appropriate authority to make a SAR on their behalf.

If you have no evidence that a third party is authorised to act on a person’s behalf, you cannot comply with the SAR until you receive the appropriate authority. However, you should respond to the third party and explain why you cannot comply.

In most cases, provided you are satisfied that the third party has the appropriate authority, you should respond directly to them. If you have reasonable grounds to believe that a person may not understand the nature of the information you are disclosing, and you are concerned about revealing excessive information to the third party, you could contact the person first to make them aware of your concerns. For example, this may be appropriate if the information is particularly sensitive or the person may not know the extent of the information that is likely to be disclosed.

If the person agrees with your concerns and is happy to receive the information from you directly instead, you must send the response directly to them rather than to the third party. The person may then choose to share the information with the third party after reviewing it. However, if the person responds and asks you to send the information to their third-party representative, you must do so.

If you do not receive a response from the person, you should provide the requested information to the third party. If the person has specifically asked you not to contact them directly, then you should only correspond with the authorised third party. If you are processing health information, see What about requests for health information from a third party?

In some cases, a person does not have the mental capacity to manage their own affairs. There are no specific provisions that enable a third party to make a SAR on behalf of such a person in the UK GDPR, the Mental Capacity Act 2005, the Mental Capacity Act (Northern Ireland) 2016 (please note that not all provisions in the Act have been commenced at this time) or the Adults with Incapacity (Scotland) Act 2000. However, as mentioned above, it’s reasonable to assume that an attorney with authority to manage someone’s property and affairs has the appropriate authority to make a SAR on their behalf. The same applies to a person appointed to make decisions about such matters by:

  • the Court of Protection (in England and Wales);
  • the Sheriff Court (in Scotland); and
  • the High Court (Office of Care and Protection) (in Northern Ireland).

Do we have to respond to requests made via a third-party online portal?

You may receive a SAR made on a person’s behalf through an online portal (eg from a third party that provides services to help people exercise their rights).

To decide if you need to comply with such a request, you should consider whether you:

  • have been made aware that a particular person is making a SAR;
  • can verify the person's identity, if this is in doubt (see Can we ask for ID?);
  • are satisfied that the third-party portal is acting with the authority of, and on behalf of, the person; and
  • can view the SAR without having to take proactive steps, such as paying a fee or signing up for a service.

You don’t have to take proactive steps to check if someone has made a SAR. If you can’t view the request without paying a fee or signing up for a service, you haven’t received the SAR and don’t have to respond.

It’s the portal’s responsibility to provide evidence that it has the appropriate authority to act on the person’s behalf when it makes the request. A person’s agreement to the terms and conditions of the portal’s service is unlikely to be evidence of appropriate authority (see Can a request be made on behalf of someone else?).

If you’re concerned that the person hasn’t authorised the uploading of their information to the portal, you should contact the person before responding.

You also don’t have to pay a fee or sign up to any third-party service to respond to a SAR. But this doesn’t mean that you can ignore the request. Instead, you should provide the information directly to the person if they agree. If they don’t agree, you must explain how they can make a SAR in another way. This is different from when a person makes a reasonable request for you to provide their information in a particular format. See In what format do we need to provide the information?

Sometimes, you might not be able to contact the person directly — for example, if you don’t have their address or aren’t satisfied with the ID provided. If this is the case, you should advise the third-party portal that you won’t respond to the request until it gives evidence that:

  • it is acting with the authority of, and on behalf of, the person (which may involve ID checks); and
  • the person has agreed to the uploading of the information to the portal.

Until then, you have not received a valid SAR. The time limit does not start until you receive the details you’ve asked for.

If you have concerns about supplying the information via the portal for any reason, including security concerns, you should contact the person first to make them aware. If the person agrees with your concerns and is happy to receive the information directly, you must send the response directly to them rather than to the portal. If the person has asked you not to contact them directly, you could communicate via the portal that you will provide the response in an alternative format and invite the third-party representative to contact you directly.

A person can make a SAR using the portal but ask you to send them their information by another method. You should comply with their request where possible.

What about requests for information about children?

The right to access information you hold about a child is the child’s right rather than anyone else’s, even if:

  • they are too young to understand the implications of the right of access;
  • the right is exercised by those who have parental responsibility for the child; or
  • they have authorised another person to exercise the right on their behalf.

Before responding to a SAR for information held about a child, you need to consider whether the child is competent to make a SAR. This means that you need to decide if the child is mature enough to understand their rights.

There’s no set age for this in England, Wales and Northern Ireland. However, Scotland sets the age at 12 – so this is a good guide to help you decide.

When making this decision, you should consider the nature of the personal information, as well as the child’s:

  • level of maturity;
  • ability to understand what they are asking for and what they will receive; and
  • ability to understand the consequences of authorising someone to act on their behalf.

It’s likely to be easier to assess competence if you have regular contact with the child. If you don’t, you should take a common-sense approach based on the child’s age and the nature of the information. If the information is sensitive, you should make stronger efforts to check the child’s competence.

If a child is competent, they can make a SAR themselves or ask someone else to do so on their behalf (eg their parent or guardian, a child advocacy service, charity or solicitor). You’ll need to obtain evidence that the child has authorised another person to make the SAR. If it’s evident that a child is acting against their own best interests, you may be able to withhold the information if an exemption applies – for example, if a child asks a third party to make a SAR on their behalf, but you have reasonable concerns that the third party is pressuring the child to make the SAR, and disclosing the information is likely to cause serious harm to the physical or mental health of any person.

If the request is from a child and you’re confident that the child can understand their rights, you must respond directly to the child.

If you’re satisfied that the child is not competent, and the request is from a person with parental responsibility for the child, it’s usually appropriate to let the holder of parental responsibility exercise the child’s rights on their behalf.

If a parent or guardian, or someone authorised by the child, makes a SAR on the child’s behalf, you also need to consider:

  • any court orders about parental access or responsibility that may apply;
  • any duty of confidence owed to the child;
  • any consequences of allowing those with parental responsibility or those authorised to act on the child’s behalf to have access to the child’s information (this is particularly important if there have been allegations of abuse or ill treatment);
  • any detriment to the child if people with parental responsibility, or their authorised representatives, cannot access this information; and
  • if the child has expressed any views on whether they want their parents, guardians or authorised representatives to have access to information about them.

What should we do if a request mentions freedom of information?

A SAR may mistakenly state that it’s a freedom of information (FOI) request. However, if it is about the requester’s personal information, you should treat it as a SAR.

Example

A local authority receives a request from a person asking for a copy of any information the authority holds about them about a dispute over their council tax. Although the person states that this is a “freedom of information request”, it’s clear that they are only asking for their personal information. As such, the local authority treats this as a SAR.

You are more likely to receive a SAR in the form of an FOI request if your organisation is a public authority for the purposes of the:

  • Freedom of Information Act 2000 (FOIA);
  • Freedom of Information (Scotland) Act 2002 (FOISA);
  • Environmental Information Regulations 2004 (EIR); or
  • Environmental Information (Scotland) Regulations 2004 (EIRs).

For ease of reference, these are referred to as FOI law in this section.

How you deal with the request depends on whether it only relates to the requester’s personal information or to other information as well.

If the requester is only asking for their own personal information, but they have mentioned FOI law, you should do the following:

  • Deal with the request as a SAR in the normal way. The requester does not need to make a new request. You may need to ask the person to verify their identity.
  • If your organisation is a public authority, the requested personal information is exempt from disclosure under FOI law. Strictly speaking, you need to issue a formal refusal notice saying so. But in practice, we do not expect you to do this in these circumstances. However, if you are a public authority in Scotland, you need to follow guidance issued by the Scottish Information Commissioner.
  • If your organisation is a public authority, clarify within 20 working days that you are dealing with the request as a SAR under the UK GDPR, and that the one-month time limit for responding applies.

If you are a public authority and the request relates to both the requester’s personal information and to other information, you must treat this as two requests:

  • One for the requester’s personal information, made under the UK GDPR.
  • Another for the remaining information, made under FOI law.

It’s important to consider the requested information under the correct legislation. This is because a disclosure under FOI law is made to the world at large, not just to the requester. If you mistakenly disclose personal information under FOI law, this will be a personal data breach.

Can we deal with a request in our normal course of business?

It’s important to draw a practical distinction between formal requests for information and routine verbal enquiries and correspondence that you can deal with in your normal course of business. You can respond to an enquiry in the normal course of business if you provide such information routinely and can respond quickly. However, the SAR process may be appropriate where a person requests a high volume of information, and you need to conduct a time-consuming search of your records to comply.

If a person requests copies of letters you previously sent to them, it’s unlikely that you need to deal with this as a formal SAR. You could consider these enquiries on a case-by-case basis. However, your normal business processes should not restrict or delay a person’s right to access their information.

Example

If an employee requests a copy of their most recent payslip and their employment contract, you can deal with the enquiry in your normal course of business. The employee is entitled to this information under other laws. You do not need to treat the request as a SAR.

Example

A person phones their bank to query a charge and ask for a copy of their statement. Once the staff member verifies the person’s identity, they discuss the matter on the call with the customer and arrange to send them a copy of their statement in line with the bank’s normal business processes.