The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

In more detail

Special cases

There are special rules and provisions about SARs and some categories of personal data, including:

These are each covered in this section and the following sections.

Unstructured manual records

The GDPR does not cover non-automated information which is not, or you do not intend to be, part of a ‘filing system’. However, under the DPA 2018, unstructured manual information that public authorities process constitutes personal data. This includes paper records that public authorities do not hold as part of a filing system. Therefore, public authorities may have to search such information to comply with a SAR. However, they are not obliged to do so if:

  • the request does not contain a description of the unstructured data; or
  • they estimate that the cost of complying with the request would exceed the appropriate maximum.

The “appropriate maximum” is currently £600 for central government, Parliament and the armed forces and £450 for all other public authorities.

When estimating the cost of compliance, you can only take into account the cost of the following activities:

  • determining whether you hold the information;
  • finding the requested information, or records containing the information;
  • retrieving the information or records; and
  • extracting the requested information from records.

The biggest cost is likely to be staff time. You should rate staff time at £25 per person per hour, regardless of who does the work, including external contractors. This means a limit of 18 or 24 staff hours, depending on whether the £450 or £600 limit applies to your public authority. For further information, please see the Fees Regulations made under Section 12(5) of FOIA 2000. These regulations apply to all public authorities in England, Scotland, Wales and Northern Ireland, for the purposes of estimating the costs of responding to SARs for unstructured manual records.

Public authorities are also not obliged to comply with requests for unstructured paper records if the personal data is about appointments, removals, pay, discipline, superannuation or other personnel matters in relation to service in:

  • any of the armed forces of the Crown;
  • any office or employment under the Crown or under any public authority;
  • any office or employment, or under any contract for services, in respect of which power to take action, or to determine or approve the action taken, in such matters is vested in:
    • Her Majesty;
    • a Minister of the Crown;
    • the National Assembly for Wales;
    • the Welsh Ministers;
    • a Northern Ireland Minister (within the meaning of the Freedom of Information Act 2000); or
    • an FOI public authority (as defined in FOIA or FOISA).

Credit files

In the DPA 2018 there are special provisions about the access to personal data that credit reference agencies hold. Unless otherwise specified, a SAR to a credit reference agency only applies to information relating to the individual’s financial standing. Credit reference agencies must also inform individuals of their rights under s.159 of the Consumer Credit Act 1974.