Getting a response to your subject access request
What should the organisation send back to me?
If the organisation has the information you asked for, they should provide you with copies of it (unless there is a good reason for them not to).
In their response, the organisation should also include:
- what they are using your information for;
- who they are sharing your information with;
- how long they will store your information for and why;
- details on how you can ask if the information is correct, ask to have it amended or deleted, or object to or restrict their use of it;
- details on your right to complain to the ICO;
- details about where they got your information from;
- whether they use your information for profiling or automated decision-making and how they are doing this; and
- what security measures they use if they have transferred or will transfer your information to a country outside the UK or an international organisation.
Can the organisation send me partial or incomplete documents?
Yes. Organisations don't have to give you full copies of the original documents you have requested. You can only get your personal information that’s contained in the documents. This might mean you get new documents that only contain your information, or original documents with certain information removed or edited out. This is commonly known as ‘redaction’.
Example of when it’s okay for an organisation not to send a full copy of an original document
You make a subject access request to your bank for full copies of your bank statements.
Your bank is not required to provide copies of the actual bank statements, but they must provide you with your personal information contained within them. For example, they could provide you with a list of transactions.
By doing so, they have now complied with your SAR without having to give you a full copy of the original bank statements.
Example of when it’s okay for an organisation to redact information
You request information from your work about a disciplinary matter.
They send you copies of all documents they have about the matter. This includes witness statements from other employees. The organisation has edited out the names of the witnesses and any other information that could identify them.
They have complied with your SAR whilst also protecting other people’s personal information.
How should the organisation send the information to me?
If you have said how you would like to receive the information (eg electronically or by post), the organisation should send it in that format where possible.
However, where you have requested large amounts of information, you may want to discuss the best way for the organisation to send you the information.
The organisation should not ask you to take action to receive this information (eg by downloading particular software or collecting it from their premises) unless you have agreed to do so.
The organisation must take steps to help you with your SAR if you have a physical or cognitive impairment or have difficulty accessing or understanding information.
What if the organisation says they no longer have the information I’ve requested?
If the organisation says they no longer have the information you’re requesting, they may have deleted or destroyed it. This is because data protection law says organisations shouldn't keep information for longer than they need it.
If you are concerned, you can check the organisation’s retention schedule. This should tell you how long they keep information for and how they safely delete or destroy it. You can usually find this in their privacy notice or on their website.