Can the right of access be enforced?
-
This guidance has been updated to reflect changes to the right of access brought about by the Data (Use and Access) Act. Some of these changes are not yet in force. However, we think it is useful for it to be published now so that you are ready for these changes. In particular, they set out that you only have to carry out a reasonable and proportionate search in response to a SAR; and that you can ‘stop the clock’ when asking for clarification on a request.
Latest updates - 08 December 2025
08 December 2025 - the right of access guidance was updated.
In more detail
- What enforcement powers does the ICO have?
- Can a court order be used to enforce a SAR?
- Can a person be awarded compensation?
- Is it a criminal offence to force a person to make a SAR?
- Is it a criminal offence to destroy and conceal information?
What enforcement powers does the ICO have?
Anyone has the right to make a complaint to the ICO about an infringement of the data protection legislation involving their personal information – for example, if a controller fails to comply with a SAR.
In appropriate cases, we may take action against a controller or processor if they fail to comply with data protection law. For example, we can issue a controller or processor with a:
- warning;
- reprimand;
- information notice;
- assessment notice;
- interview order;
- enforcement notice; or
- Monetary penalty notice (fine).
We will exercise these enforcement powers in accordance with our Regulatory Action Framework.
A processor is not responsible for complying with a SAR, but the controller and processor must have a contract in place to cover SARs. For more information, read our guidance on contracts and liabilities between controllers and processors.
Can a court order be used to enforce a SAR?
If you fail to comply with a SAR, the requester may apply for a court order requiring you to comply. The court will decide whether to make such an order on a case-by-case basis.
Can a person be awarded compensation?
If a person suffers damage or distress because you have breached their data protection rights — including by failing to comply with a SAR — they are entitled to claim compensation from you. Only the courts can enforce their right to compensation. However, they may seek to settle their claim with you directly before starting court proceedings.
You will not be liable to pay compensation if you can prove that you are not responsible in any way for the event that causes the damage.
Is it a criminal offence to force a person to make a SAR?
In certain circumstances, it is a criminal offence to require a person to make a SAR for certain information. For more information, see Can we force a person to make a SAR?
Is it a criminal offence to destroy and conceal information?
Yes. It is a criminal offence to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information a person making a SAR is entitled to receive.
It is a defence to prove that:
- the alteration, defacing, blocking, erasure, destruction or concealment of the information would have happened regardless of whether the person made a SAR; or
- you acted in the reasonable belief that the person making the SAR was not entitled to receive the information requested.
Further reading
Regulatory Action Framework
Contracts and liabilities between controllers and processors