The ICO exists to empower you through information.

  • ICO publishes new guide on responding to subject access requests
  • Employers risk fine or reprimand
  • Over 15,000 Subject Access complaints to ICO last year

The Information Commissioner’s Office (ICO) has today published new guidance for businesses and employers on responding to Subject Access Requests (SARs).

The right of access, commonly referred to as a subject access request or SAR, gives someone the right to request a copy of their personal information from organisations.
This includes where they got their information from, what they’re using it for and who they are sharing it with.

Individuals can request the personal information held by their employer, or former employer, such as details of their attendance and sickness records, personal development or HR records.

Organisations must respond to a SAR within one month of receipt of the request. However, this can be extended by up to two months if the SAR is complex.

Failing to comply to SARs is non-compliant with the law. If organisations fail to respond to SARs promptly, or at all, they can be subject to fines or reprimand.

“The right of individuals to access information that organisations hold on them is one that is vital for transparency, and is enshrined in law.”

“What we’re seeing now is that many employers are misunderstanding the nature of subject access requests, or underestimating the importance of responding to requests. For example, employers may be unaware that requests can be submitted informally, such as over social media, or do not have to contain the words ‘subject access request’ in order to qualify as a legally binding request. Similarly, employers may not realise that there is a strict time frame for responding to requests, and this must be kept to.”

“It’s important to not get caught out, and that is why we are publishing this guidance today – to support employers in responding to subject access requests in a proper and timely manner, and to ensure that employees are able to access their personal data when desired.”

“For those who continue to fail to respond to subject access requests in accordance with the law, we will continue to uphold and protect the data rights of individuals and take appropriate action where necessary.”

- Elanor McCombe, Policy Group Manager at the Information Commissioner’s Office.

Subject access requests form part of the UK General Data Protection Regulation (GDPR) and the DPA (Data Protection Act).

From April 2022 to March 2023, 15,848 complaints related to Subject Access were reported to the Information Commissioner’s Office.

Last week, the ICO reprimanded Plymouth City Council and Norfolk County Council for failing to respond to information access requests. In September 2022, the ICO took action against seven organisations who failed in their duty to respond to SARs.

The new guidance on responding to SARs can be read here.

Registrations for the ICO's free Data Protection Practitioners Conference 2023, which takes place on 3 October, are now open. As well as a range of key note speakers, ICO experts will be running a series of workshops for delegates throughout the day on a variety of data protection topics including SARs, cyber security and how to share data responsibly.

Notes for editors
  1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The  ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
  3. The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
  4. To report a concern to the ICO telephone call our helpline on 0303 123 1113, or go to ico.org.uk/concerns.