Data protection · 1 July 2026
Handling Subject Access Requests: a step-by-step SAR guide
A Subject Access Request (SAR) is one of the most important rights individuals have under UK GDPR — and one of the requests organisations most often get wrong. This guide explains how to handle a SAR properly, step by step.
What a SAR is
A SAR is a request from an individual to see the personal data you hold about them. It gives people the right to a copy of their data, along with information about how and why you use it. Anyone can make one — a service user, a member of staff, a former employee, or an authorised representative acting on someone’s behalf.
Recognising a request
There’s a common misconception that a SAR must be made on a special form or use particular words. It doesn’t. A SAR can be verbal or written, made to anyone in your organisation, and doesn’t have to mention “UK GDPR” or “subject access”. A comment such as “I’d like to see what information you hold about me” is a valid SAR.
Because of this, it’s essential that all staff can recognise a SAR and know who to pass it to. Our staff training guide covers exactly this kind of awareness.
The one-month deadline
You must respond without undue delay and within one calendar month of receiving the request. The clock starts the day you receive it (or the day you receive enough information to identify the requester and locate their data).
- A SAR is usually free of charge.
- Where a request is complex, or the person makes several requests, you may extend the deadline by up to two further months — but you must tell them within the first month and explain why.
- You may charge a reasonable fee, or refuse, only where a request is manifestly unfounded or excessive — a high bar that should not be used lightly.
A step-by-step process
1. Log the request
Record the date received and the deadline immediately. This is the single most effective way to avoid missing the one-month window.
2. Verify identity
Confirm you’re dealing with the right person before releasing any data. Ask for proportionate proof of identity — don’t demand excessive documentation, which can itself be unfair. If someone is acting on another’s behalf, confirm they’re authorised.
3. Clarify if genuinely needed
If you process a large amount of data, you may ask the person to specify what they’re looking for — but you cannot use this to delay or obstruct a straightforward request.
4. Search for the data
Look everywhere the person’s data might be: care records, emails, HR files, messaging systems, CCTV and paper files. Your RoPA is invaluable here, because it maps where data lives.
5. Review and apply exemptions
Some information can be withheld. Common considerations include:
- Third-party data: where records reveal information about other people, you must consider their rights — often by redacting their details.
- Specific exemptions: UK GDPR and the Data Protection Act 2018 provide exemptions, for example where disclosure would be likely to cause serious harm to someone’s physical or mental health.
Apply exemptions carefully and only where genuinely justified.
6. Provide the response
Give the person a copy of their data in an accessible format, together with an explanation of how and why you use it, who you share it with, and how long you keep it. If a request is made electronically, provide the response electronically unless they ask otherwise.
Special considerations in care settings
In health and care, SARs often involve sensitive records and third-party information, so redaction and health-related exemptions come up frequently. Handling these thoughtfully — and involving a clinician where a health exemption might apply — is part of getting SARs right. See our UK GDPR in healthcare guide for the wider context.
What people are entitled to — and what they’re not
A SAR gives someone a right to their own personal data, not to documents in the abstract. That’s an important distinction. A person can ask what information you hold about them and receive a copy of it, but they cannot use a SAR to obtain another individual’s data, to demand answers to general questions, or to force you to create information you don’t already hold. Understanding this boundary helps you respond confidently: you provide the personal data, you explain your processing, and you protect the rights of others whose information happens to appear in the same records.
Building a repeatable process
The organisations that handle SARs smoothly are those that treat them as a routine, repeatable process rather than a crisis each time. A simple internal workflow — recognise, log, verify, search, review, respond — means any member of the team can start the process correctly and hand it to the right person. Keeping a short record of each SAR, including when it arrived and when you responded, also demonstrates the accountability UK GDPR expects and helps you spot patterns, such as a recurring source of requests that a change elsewhere might resolve.
Common mistakes
- Missing the one-month deadline because the request wasn’t logged
- Failing to recognise a verbal or informally worded request
- Over-redacting, or conversely disclosing third-party data without thought
- Demanding excessive ID or an unnecessary reason for the request
- Assuming a SAR must arrive on a particular form or in particular words
How we can help
SARs can be time-consuming and occasionally sensitive, particularly in a care setting. We offer a clear, fixed-fee engagement that puts a reliable SAR procedure in place, trains your team to recognise and route requests, and supports you through complex cases. To find out more, explore our data protection service or get in touch for a friendly, no-obligation chat.
Need help in practice? See our Data Protection & UK GDPR service.