What should we consider when responding to a request?

Latest updates - 08 December 2025

08 December 2025 - the right of access guidance was updated.

In more detail

How long do we have to comply?

You must comply with a SAR without undue delay and at the latest within one month of receipt of the request or within one month of receipt of:

  • any information you request to confirm the identity of the person the information is about (see Can we ask for ID?);
  • any information you request to confirm that the third party is authorised to act on behalf of the person; or
  • a fee (only in certain circumstances – see Can we charge a fee?)

How do we calculate a month?

To calculate a month, you must start from the actual date you receive the request, fee or other requested information and count forward to the end of the same date in the following month. Even if you receive the request on a non-working day, you must start from this date.

Example

A request is received on 1 January (a bank holiday), so the one-month period ends at the end of 1 February.

If the date for responding falls on a weekend or is a public holiday, the deadline moves to the end of the next working day.

Example

A request is received on Monday 25 November. The time to respond will run until the end of Friday 27 December. This is because 25 and 26 December are both bank holidays.

If the same date doesn’t exist in the following month (because it’s shorter), use the last day of that month instead.

Example

A request received on 31 January will run until the end of 28 February (or 29 February in a leap year). If that date falls on a weekend, the deadline is the end of the next Monday.

This means that the exact number of days you have to comply with a request varies, depending on the month in which you receive the request.

If you need to specify a consistent number of days (eg for operational or system purposes), you could adopt a 28-day period to ensure that you always comply within a calendar month.

Can we extend the time for a response?

Yes. You can extend the time to respond by a further two months if:

  • the request is complex; or
  • you have received a number of requests from the same person. This can include other types of requests about their rights – for example, if a person has made a SAR, a request for erasure and a request for data portability at the same time.

You must calculate the extension as three months from the original start date.

Example

An organisation receives a request on 7 August. The request is complex, so the organisation extends the period by two months.

The organisation has until the end of 7 November to comply with the request. If 7 November falls on a weekend or is a public holiday, the organisation has until the end of the next working day to comply.

You must let the person know that you are extending the time limit within one month of receipt of the request or within one month of receipt of:

  • any information you request to confirm the identity of the person the information is about (see Can we ask for ID?);
  • any information you request to confirm that the third party is authorised to act on behalf of the person; or
  • a fee (only in certain circumstances — see Can we charge a fee?).

When is a request complex?

You should consider your specific circumstances and the particular request when determining whether a request is complex. What may be complex for one organisation may not be for another. For example, the size and resources of your organisation are likely to be relevant factors.

You must be able to show why a request is complex in the particular circumstances. The following are examples of factors that may, in some situations, add to the complexity of a request:

  • Experiencing technical difficulties with retrieving the information (eg if information is electronically archived).
  • Applying an exemption that involves large volumes of particularly sensitive information.
  • Clarifying potential issues around disclosing information about a child to a legal guardian.
  • Requiring specialist work to obtain the information or communicate it in an intelligible form.
  • Clarifying potential confidentiality issues around disclosing sensitive medical information to an authorised third party.
  • Needing to obtain specialist legal advice (however, if you routinely obtain legal advice, it’s unlikely to be complex).
  • Searching large volumes of unstructured manual records — only applicable to public authorities.

If a person requests a large volume of information, this may add to the complexity of the request. However, a request is not automatically complex because it involves a large amount of information.

A request is not complex just because you have to rely on a processor to provide the information you need to respond.

Can we clarify the request?

Yes. You can ask for further information to help you identify the personal information or the processing activity that the SAR relates to.

However, you should not ask for clarification on a blanket basis. You should only ask if it’s reasonably required.

The legislation does not define what is reasonably required. However, it’s likely to refer to circumstances where you are unable to provide an effective response to the SAR until you have received clarification. For example, this may be the case if the request is vague or you hold a lot of information about the person.

If you do ask for clarification, the time limit pauses on the day you request clarification and resumes on the day you receive it. This is referred to as ‘stopping the clock’.

This means that you don’t need to provide the person with a copy of the information until they clarify their request. This includes any supplementary information that you can’t reasonably provide.

You are not required to seek clarification, and you may choose to perform a reasonable search instead. See What efforts should we make to find information?

What do we need to think about if we ask for clarification?

Given the importance of the right of access, you should be able to justify why it’s reasonable for you to ask for clarification before you can identify the information that has been requested.

For example, it may be reasonable for you to ask for clarification if:

  • you hold a large amount of information about the person; or
  • the request is unclear.

You are responsible for justifying that you will need to search through a large amount of information to deal with a SAR. It’s unlikely to be reasonable or necessary to ask for clarification if you can locate, retrieve and provide information about the person quickly and easily — even if you hold a large amount of information about them.

Whether you hold a large amount of information about a person will, to an extent, depend on your organisation’s size and available resources:

  • A big organisation may not consider a request to be high volume if it has significant resources for performing searches.
  • A smaller organisation with fewer and less sophisticated resources at its disposal may be more able to argue that it holds a large amount of information.

Another factor to consider is whether, because of its volume, you are unlikely to be able to locate and retrieve all the requested information by performing a reasonable search.

If you need clarification, you can ask the requester to provide additional details, such as the context in which you are likely to hold their information and the relevant dates.

However, you cannot force a person to narrow the scope of their request, as they are entitled to ask for all their information. If the person responds to you and either repeats their request or refuses to provide any additional information, you should still comply with their request by making reasonable searches.

Example

A person writes to their local GP practice and asks for “all the information you hold about me”. The practice employed the person as a receptionist for many years, and they are currently registered as a patient. As the person is now a carer for their elderly parent, the practice also holds personal information about them within their parent’s file.

The practice believes that it has a large volume of information about the person. However, it is not clear from the request what information the person wants. If the practice performs a reasonable search of its records, it will be able to provide some of the information held about the person, but it would need to perform a much more extensive search to provide all the information it holds.

In these circumstances, it is reasonable to ask the person to clarify their request. The practice should explain to the person that, while they are entitled to request all information held about them, the practice is only required to conduct a reasonable and proportionate search of its records. This means that the person may only receive some of the information the practice holds about them. The practice could also explain that, if the person clarifies their request, it will be able to focus its searches on locating the specific information that they want.

The person may clarify the request by, for example, asking for:

  • details of their employment from 1993 to 2008;
  • their medical records relating to an accident in 2018; and
  • “everything else you hold about me”.

The practice should focus its searches on the first two enquiries and then perform a reasonable search for the rest of the information.

Even if you’re seeking clarification, you can often still provide some information, although this depends on the circumstances.

For example, in many cases, you can confirm that you hold information about the person. In addition, you will likely be able to provide some of the supplementary information, including details of:

  • their right to request rectification, erasure or restriction, or to object to processing;
  • their right to complain to the controller; and
  • their right to make a complaint to the ICO.

If you can reasonably provide any of the supplementary information without clarification, you must provide it within one month of receipt of the request. If your privacy notice already contains this supplementary information, you could provide the person with a link to it.

Example

A supermarket receives a SAR from a long-standing employee for “all the information you hold about me, based on my concerns about recent issues”. The employee has recently had a complaint made about them by another employee.

As the supermarket holds a large amount of information about the employee, and the request is unclear, it asks them to clarify their request.

In particular, it asks if the employee:

  • only wants information about the complaint; or
  • also wants information about their employment between particular dates.

If they do want employment information, the supermarket asks them to clarify the date range they are interested in.

The supermarket also asks if they want information unrelated to their employment as well (eg information linked to their customer reward account).

The supermarket explains to the employee that it holds a large amount of information about them for different purposes. It also explains that, although they are entitled to ask for all their information, it is only required to perform a reasonable and proportionate search. Therefore, if the employee wants a very specific piece of information, they should clarify what it is. This will enable the supermarket to carry out effective searches and provide the information the employee needs.

Once the request for clarification is sent, the supermarket can stop the clock. It is not required to respond until the employee answers the request for clarification. However, it can still provide some of the supplementary information within one month, including:

    • the purposes of processing;
    • the categories of personal information it holds about the employee;
    • the retention period;
    • details of the employee’s right to make a complaint to the supermarket; and
    • details of the employee’s right to make a complaint to the ICO.

The supermarket sends the employee a copy of its privacy information (which covers these supplementary points) when it asks for clarification on the other details of the request.

You should ensure the process of seeking and obtaining clarification is quick and easy for the requester. When asking for clarification, you should:

  • provide advice and assistance to help them clarify their request;
  • explain that the clock stops from the date that you request clarification and will resume once they respond; and
  • specify if they need to reply by a certain time.

Where possible, you should contact the person in the same format they made the request. For example, if they emailed the SAR, you should email them to ask for clarification.

If you receive a request where it is genuinely unclear whether a person is making a SAR, the time limit does not begin until you have clarified:

  • if the person is making a SAR; and
  • what personal information they are requesting.

You should contact the person as soon as possible (eg by phone or email where this is appropriate). If you talk to the person, you should keep a record of:

  • any conversation you have with them about the scope of their request; and
  • the date(s) when you request and receive any further explanation.

In all circumstances, you should explain to the person why you are seeking further details and be able to justify your position to the ICO, if asked to.

When you ask for clarification, the timescale for responding will stop until the person clarifies their request and will resume on the date you receive that clarification. You should calculate the timescale as follows:  

  • When you receive a request, calculate when the response would normally be due. See How long do we have to comply?
  • If you have requested clarification, you may extend this time limit by the number of days that you stopped the clock.

Example

If you receive a request on 14 May, the time limit starts on the same day. You will have one month to reply, which means the response is due by or on 14 June.

However, if you ask for clarification on 15 May, the clock stops from 15 May until the date the requester responds. If the requester gives you clarification on 18 May, the timing resumes on that date.

The clock was stopped from 15 May until 18 May. This means that you can extend the original one-month deadline by three days, and your response is due by or on 17 June.

You should ask for clarification as soon as possible after receiving the SAR. This will enable you to search for the information the person wants at the earliest possible stage and ensure that you have enough time to respond.

Example

An organisation receives a request on 19 June. As the equivalent date in July falls on a Sunday, the organisation has until Monday 20 July to comply.

The organisation waits until 15 July to ask for clarification. The person responds on 16 July, which means that the original deadline can only be extended by one day. The response is due by Tuesday 21 July.

However, the organisation can’t comply by the deadline as it did not leave enough time to search for the information after obtaining clarification.

If it only becomes apparent after starting a search that you need further information to respond to the SAR, you should be able to explain why it was not possible to request clarification earlier. You should record your reasons.

If you ask for clarification and receive it on the same day, the clock does not stop. You should calculate any extension to the time limit in terms of days, not hours.

Example

If you receive a SAR on 1 July, request clarification on 2 July at 9:00am and receive clarification later that day, up to 11:59pm, you cannot stop the clock and extend the time limit by one day. The original deadline of one month from 1 July still applies.

The clock only stops if you are seeking clarification about the information requested. It does not apply if you ask for clarification on any other matter — for example, the format of the response.

Example

A person requests a copy of their medical records from 5 February 2011 until 9 August 2017. They specifically ask for the medical practice to forward the records by email. However, because of security concerns, the practice cannot email the records. Instead, it can provide the person with remote access to their information. The practice asks the person whether they are happy with this.

The clock does not stop when the practice asks for clarification, and the usual time limit of one month still applies. Since the time limit is not paused while waiting for a response, the practice should begin searching for the requested information as soon as possible.

If you seek clarification but do not receive a response, you should wait for a reasonable period of time before considering the request closed. While one month is generally reasonable, you should adopt a proportionate and reasoned approach. If you believe that a person might have difficulty in providing additional details within a specified timeframe, you should try and accommodate the person as much as possible — for example, where there are complex issues or accessibility considerations.

If you need to request clarification and proof of ID, you should do both as soon as possible. It’s unreasonable to wait until the person gives clarification before asking for ID, unless there is a risk of disclosing personal information to the person before you have checked their identity.

You can extend the time limit by two months if the request is complex or the person has made a number of requests (see Can we extend the time for a response?). However, a request is not complex just because you need to seek clarification. See When is a request complex?
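The date rules in "How do we calculate a month?", "Can we extend the time for a response?" and the stop-the-clock calculation above can be put into a case-tracking system as follows. This is an added example, not ICO code: the function names are hypothetical, the holiday set must be supplied by the caller, and rolling the deadline forward again after adding paused days is an assumption based on the general weekend and public holiday rule.

```python
import calendar
from datetime import date, timedelta


def add_months(start, months):
    """Same day-of-month `months` later, or that month's last day if it is shorter."""
    idx = start.month - 1 + months
    year, month = start.year + idx // 12, idx % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(day, holidays):
    """Roll forward past Saturdays, Sundays and any date in `holidays`."""
    while day.weekday() >= 5 or day in holidays:
        day += timedelta(days=1)
    return day


def paused_days(asked, answered):
    """Whole days the clock was stopped; clarification received the same day gives 0."""
    if answered < asked:
        raise ValueError("clarification cannot be received before it was requested")
    return (answered - asked).days


def sar_deadline(start, holidays=frozenset(), extended=False, clarification=None):
    """Return the date by the end of which the response is due.

    start         -- date the request was received, or the date any requested
                     ID, proof of authority or fee was received; non-working
                     days count as a start date.
    holidays      -- set of public holiday dates (caller-supplied).
    extended      -- True if the two-month extension applies; the period is
                     then three months from the original start date.
    clarification -- (asked, answered) dates, only where clarification was
                     sought about the information requested, not about any
                     other matter such as the format of the response.
    """
    due = next_working_day(add_months(start, 3 if extended else 1), holidays)
    if clarification is not None:
        days = paused_days(*clarification)
        if days:
            # Assumption: an extended deadline that lands on a non-working
            # day also moves to the next working day.
            due = next_working_day(due + timedelta(days=days), holidays)
    return due


if __name__ == "__main__":
    # Constructed inputs: the guidance's examples with years chosen so the
    # weekdays match the text.
    xmas = {date(2024, 12, 25), date(2024, 12, 26)}
    cases = [
        ("25 Nov, bank holidays", sar_deadline(date(2024, 11, 25), xmas)),
        ("31 Jan, short month", sar_deadline(date(2023, 1, 31))),
        ("7 Aug, extended", sar_deadline(date(2024, 8, 7), extended=True)),
        ("14 May, clock stopped 15-18 May",
         sar_deadline(date(2024, 5, 14),
                      clarification=(date(2024, 5, 15), date(2024, 5, 18)))),
    ]
    for label, due in cases:
        print(f"{label}: due by end of {due:%A %d %B %Y}")
```
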

Can we charge a fee?

In most cases, you cannot charge a fee to comply with a SAR.

However, you can charge a ‘reasonable fee’ for the administrative costs of complying with a request if:

  • it is manifestly unfounded or excessive; or
  • a person requests further copies of their information following a request.

Alternatively, you can refuse to comply with a manifestly unfounded or excessive request. See Exemptions: when can we consider a request to be manifestly unfounded or excessive?

When determining a reasonable fee, you can consider the administrative costs of:

  • assessing whether or not you are processing the information;
  • locating, retrieving and extracting the information;
  • providing a copy of the information; and
  • communicating the response to the person, including contacting them to tell them that you hold the requested information (even if you are not going to provide it).

As there may be substantial overlap across these activities, you should ensure that the fee is reasonable and that you do not double-charge the person. For example, you may locate, retrieve and extract the information in one action, depending on the context in which you hold the information and how you search for it.

A reasonable fee may include the costs of:

  • photocopying, printing, postage and any other costs involved in transferring the information to the requester (eg the costs of making the information available remotely on an online platform);
  • equipment and supplies (eg discs, envelopes or USB devices); and
  • staff time.

You should base the costs of staff time on the estimated time it will take staff to comply with the specific request, charged at a reasonable hourly rate. Section 12(1) of the DPA allows for the Secretary of State to specify limits on the fees that organisations may charge to deal with a manifestly unfounded or excessive request by way of regulations. However, at present, there are no regulations in place.

You should ensure that you charge fees in a reasonable, proportionate and consistent manner. Therefore, you could establish an unbiased set of criteria for charging fees that explains:

  • the circumstances in which you charge a fee;
  • your standard charges (including a costs breakdown where possible, eg the cost per A4 photocopy); and
  • how you calculate the fee — explaining the costs you take into account, including staff time.

Your criteria should be clear, concise and accessible. You should make these criteria available on request. You don’t need to publish them online.

When requesting a fee, you should explain the costs to the person. You should include a copy of the criteria in your request for a fee and explain any charge that is unclear (see Do we need to explain the information we supply?).

You should be able to justify the costs you have charged if a person complains to the ICO.

If you choose to charge a fee, you don’t need to comply with the SAR until you have received the fee. You should request the fee as soon as possible and, at the latest, within one month of receiving the SAR. The longer it takes for you to ask for a fee, the less likely it is that this is reasonable. It’s unreasonable to ask for a fee as a way of extending the period of time you have to respond to the request.

You should record the reasons for any delay in requesting a fee and be able to provide your reasons to the ICO, if asked.

You should allow the person a reasonable period of time to respond to your request for a fee. It’s generally reasonable to close the request if you do not receive a response within one month, although this also depends on the circumstances.

Do we need to make reasonable adjustments for disabled people?

You may need to make reasonable adjustments to ensure a disabled person can make a request.

What is a reasonable adjustment will depend on the person’s specific needs. If you are aware that a person may require reasonable adjustments (eg they have told you what they need, or they have explained that they are disabled), you should communicate with them (eg by speaking to them) to find out how best to meet their needs before you respond to their SAR. For example, an adjustment may include providing the response in a particular format that is accessible to the person, such as large print, audio, email or Braille.

Your use of personal information must be lawful. As well as data protection requirements, you also need to consider whether you have obligations under other legislation.

Further information about how to make effective reasonable adjustments is available from the Equality and Human Rights Commission or from the Equality Commission for Northern Ireland.

Can we ask for ID?

Yes. To avoid personal information about one person being sent to someone else, either accidentally or as a result of deception, you need to be satisfied that:

  • you know the requester’s identity (or the person the request is made on behalf of); and
  • the information you hold relates to the person in question (eg when a person has similar identifying details to someone else).

You can ask for enough information to judge if the requester (or the person the request is made on behalf of) is the person whom the information is about.

You should be reasonable and proportionate about what you ask for. Only request formal identification documents if necessary. You can use verification measures that you already have in place (eg an existing username and password).

If the requester’s identity is obvious to you, you are unlikely to require more information. This particularly applies when you have an ongoing relationship with the person.

Example

An organisation receives a written SAR from a current employee. The staff member knows this employee personally and has even had a phone conversation with them about the request. Although the organisation’s policy is to verify identity by asking for a copy of a utility bill, it is unreasonable to do so in this case since the staff member knows the person making the request.

If you have any doubts about the requester’s identity, it’s reasonable to ask them to verify their identity before sending the information.

How you receive the SAR might affect your decision about whether you need to confirm the requester’s identity.

Example

An online retailer receives a SAR by email from a customer. The customer has not used the website for some time, and although the email address matches the company’s records, the postal address given by the customer does not. Before responding to the request, it is reasonable to ask for further information, such as the customer’s other account details.

The level of checks you make may depend on the nature of the information and on the possible harm and distress that an inappropriate disclosure may cause to the person concerned.

Example

A GP practice receives a SAR from someone claiming to be a former patient. The name on the request matches a record held by the practice, but there is nothing else in the request to enable the practice to be confident that the requester is the right patient. In this situation, it is reasonable for the practice to ask for more information before responding to the request, such as a birth certificate or another document confirming the person’s identity. The potential risk to the former patient if the practice sends their health records to the wrong person is high, so the practice is right to be cautious.

You will sometimes need to request more information than usual to verify a person’s identity – for example, where you hold records about different people with the same name.

The timescale for responding to a SAR does not begin until you have received the requested information. However, it’s important to avoid delays. Therefore, you should request ID documents as soon as possible.

If the requested ID information is not sufficient and you need to take further steps to verify the person’s identity, you can do so. The timescale for responding to the SAR resumes once you have completed the verification. However, further requests for verification are only likely to be necessary in exceptional circumstances. See How long do we have to comply?

The ID documents may not be sufficient if:

  • the person supplies information which raises doubts about their identity; or
  • you have reasonable concerns that the ID is fraudulent or that the person has obtained it fraudulently.

Example

After a company has received a SAR, it asks for proof of ID. However, when the person provides it, the name on the ID document is different from the name it has on record for the person. Therefore, the company cannot be certain that they are the same person.

In this situation, it is reasonable for the company to ask for further proof of the person’s identity – for example, alternative ID or evidence that explains why the names are different. The timescale does not begin until the company has received sufficient information to verify the requester’s identity.

While you do not need to keep copies of ID documents, you could keep a note of:

  • what ID documents the person provided;
  • the date you verified them; and
  • who in your organisation verified them.

What if the person mentions other rights?

If you receive several requests from a person about other rights (eg the right to erasure and the right to data portability) at the same time as a SAR, you should deal with each request separately. However, certain steps may apply to all the requests, such as (where relevant):

  • establishing proof of ID; and
  • ensuring that a third party has authority to act on behalf of the person.

In these circumstances, you may be able to extend the time limit to respond by up to two months. See Can we extend the time for a response?

How should we deal with bulk requests?

Depending on the size of your organisation and the nature of your business, you may receive multiple SARs in a short period of time. For example, in the financial services sector it is not uncommon for claims management companies to make bulk requests on behalf of multiple people. We refer to these here as bulk requests.

Although receiving bulk requests requires more resources, you must respond to each SAR made on a person’s behalf.

Remember the following principles when dealing with high volumes of SARs:

  • A SAR made as part of a bulk request has the same legal status as one person making a SAR.
  • The person’s reason for making a SAR is not relevant to whether their request is valid (except if you are considering applying the manifestly unfounded or excessive provisions).
  • If a third party makes a request on behalf of a person, you should treat the SAR as if the person themselves had made the request. This means that you cannot take into account other requests made by the representative on behalf of other people.
  • You need to satisfy yourself that the third party is authorised to make the request.
  • You need to satisfy yourself as to the identity of the person concerned.
  • Even if you hold no information about the person, you must respond to the request and tell them this.

Do we still need to comply if the person dies before we respond?

No. The definition of personal information only applies to a living person. If you receive a SAR but are aware that the person has died before you have provided your response, you don’t have to respond to the request. If you receive a SAR from a person who was authorised to act on behalf of the deceased person when they were alive (eg a relative, a solicitor or someone who has power of attorney), you are not required to respond after the person has died. A person cannot make a SAR to access information about a deceased person, even if they previously acted on their behalf.

For circumstances where information about a deceased person is contained within the requester’s personal information, see How do we deal with information that relates to the requester and a deceased person?