
What is the right of access?


Latest updates - 08 December 2025

08 December 2025 - the right of access guidance was updated.

In more detail

What is the right of access and why is it important?

The right of access, commonly referred to as subject access, gives people the right to obtain a copy of their personal information from you, as well as other supplementary information.

It is a fundamental right for people. It helps them understand how and why you are using their information and check that you are doing it lawfully.

What is a person entitled to?

People have the right to obtain the following from an organisation:

  • Confirmation that you are processing their personal information.
  • A copy of their personal information.
  • Other supplementary information.

In most cases, you can confirm whether you are processing a person’s personal information in general terms. However, this will depend on the nature of the request. If the request is for a specific piece of information, you must confirm or deny whether you are processing this information unless an exemption applies. This may be relevant if confirming that you hold the information would prejudice or undermine the purpose of the exemption. For example, telling someone information has been withheld because it would prejudice a criminal investigation might undermine the investigation. For further details about when this can apply, see What are exemptions and how do they work?

You may also be able to apply an exemption to the duty to provide supplementary information. For an example of how this works in practice, see Does this exemption apply to supplementary information?

What other information is a person entitled to?

People have the right to receive the following supplementary information:

  • Your purposes for processing their information.
  • The categories of personal information you’re processing.
  • The identities of specific recipients you have or will be disclosing the personal information to (including those in countries or territories outside the UK, or in international organisations), except where it would be impossible or manifestly unfounded or excessive to provide this information. In these circumstances, you must provide the categories of recipients instead.
  • How long you will keep their personal information for – or, where this is not possible, the criteria for deciding how long you will store it.
  • Their right to request rectification, erasure or restriction, or to object to processing.
  • Their right to make a complaint to the controller.
  • Their right to make a complaint to the ICO.
  • Information about the source of their personal information, if you did not obtain it directly from them.
  • Whether or not you use automated decision-making (including profiling), meaningful information about the logic involved in the processing, and the significance and envisaged consequences of the processing for the person.
  • The appropriate safeguards you apply if you have transferred or will transfer personal information to a third country or international organisation.

This mostly matches the information you must provide in your privacy information.

When responding to a subject access request (SAR), you must supply this supplementary information in addition to a copy of the requested personal information itself. You could include a link to this information in your response or when you acknowledge receipt of the SAR. See our guidance on the right to be informed for further information.

Are people only entitled to their own personal information?

The right of access allows people to access their own personal information. They are not entitled to information about other people, unless:

Before you can respond to a SAR, you should decide whether the information you hold is personal information and, if so, whom it relates to.

Information is personal information if it relates to a living person who is identifiable from that information (directly or indirectly). The context in which you hold information, and the ways you use it, can influence whether it relates to a person.

Some information may be the personal information of two (or more) people. You can consider applying an exemption if responding to a SAR involves providing information that relates to both the person making the request and another person. See What if a SAR involves information about other people? for more information.

In most cases, it will be obvious if the requested information is personal information. If you’re unsure, please read our guidance on personal information to help you decide.

Who is responsible for responding to a request?

Controllers are responsible for complying with SARs. If you use a processor, you must have a contractual agreement in place to make sure that you can deal with SARs properly, whether they are sent to you or the processor. The processor must help you meet your SAR obligations. You must make this clear in your agreement. Read our guidance on contracts and liabilities between controllers and processors for more information.

The processor may hold personal information on your behalf. If so, your controller-processor agreement must allow you to obtain the necessary information from the processor to respond to a SAR. You are responsible for deciding how to deal with SARs.

If you are a joint controller, you must have a transparent arrangement in place with the other joint controller(s) which sets out how you will deal with SARs. You could choose to specify a central point of contact. However, people must still be able to exercise their rights against each controller.

If you are unsure whether you are a controller, joint controller or processor, read our guidance on controllers and processors.

Example

An employer is reviewing staffing and pay, which involves collecting information about a representative sample of staff. A third-party processor is analysing the information.

The employer receives a SAR from a member of staff. The employer needs information held by the processor to respond. The employer is the controller for this information and instructs the processor to retrieve any personal information that relates to the member of staff.