Skip to main content

A guide to subject access

Latest updates - last updated 16 July 2026

16 July 2026 - The updated guidance reflects changes under the Data (Use and Access) Act 2025, and brings this in brief guidance in line with our recently updated detailed Right of access guidance.

About this brief guidance

This guidance introduces organisations to the right of access and the key points you need to know. For more information see our detailed Right of access guidance, which you can find a link to in our further reading section below.

To help you to understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply.

Legislative or legal requirements

Must refers to:

  • legislative requirements within our remit; or
  • established case law (for the laws that we regulate) that's binding.

Good practice

Should doesn't refer to a legislative requirement, but what we expect you to do to comply effectively with the law. We expect you to do this unless there's a good reason not to. If you choose to take a different approach, you need to be able to demonstrate that this approach also complies with the law.

Could refers to an option or example that you may consider to help you to comply effectively. There are likely to be various other ways for you to comply.

This approach only applies where indicated in our guidance. We will update other guidance in due course.

At a glance

  • People have the right to access and obtain a copy of their personal information and other supplementary information.
  • This is commonly referred to as a subject access request (SAR).
  • People can make SARs verbally or in writing, including via social media.
  • A third party with the appropriate authority can also make a SAR on behalf of another person.
  • In most circumstances, you cannot charge a fee to deal with a request.
  • You must respond without undue delay, and within one month of receipt of the request.
  • You may extend the time limit by up to a further two months where necessary, if the request is complex or you receive a number of requests from the person.
  • You must make a reasonable and proportionate search for the requested information.
  • You must ensure that the information you provide is clear and accessible to the person.
  • You must take all reasonable steps to make sure you provide the information securely.
  • You can only refuse to provide the information if an exemption or restriction applies (eg if the request is manifestly unfounded or excessive).

What is the right of access?

The right of access, commonly referred to as subject access, gives people the right to obtain a copy of their personal information from you, as well as other supplementary information. It helps people understand how and why you are using their information and check you are doing so lawfully. 

How do we recognise a subject access request?

A person can make a SAR verbally or in writing, including via social media. A request is valid if it’s clear that the person is asking for their own personal information. A person does not need to use a specific form of words, refer to legislation or direct the request to a specific contact. 

A person may ask a third party (eg a relative, friend or solicitor) to make a SAR on their behalf. You may also receive a SAR made on behalf of a person through an online portal.

Before responding, you need to be satisfied that the third party making the request is entitled to act on behalf of the person. It is the third party’s responsibility to provide evidence of their authority.

What about requests for information about children?

Before responding to a SAR for information held about a child, you need to consider whether the child is competent to make a SAR. This means you need to decide if the child is mature enough to understand their rights. Different rules apply in different parts of the UK and so you need to consider this carefully. 

If the request is from a child, it’s important to consider their level of maturity and the nature of the information. If you are confident they can understand their rights, you should respond directly to the child. 

If a child is competent, they may authorise a parent, guardian or other representative to make a SAR on their behalf. You will need to obtain evidence that the child has authorised another person to make the SAR. If it’s evident that a child is acting against their own best interests, you may be able to withhold the information.

If you’re satisfied that the child is not competent, and the request is from a person with parental responsibility, it’s usually appropriate to let them exercise the child’s rights on their behalf, unless you have evidence that this is not in the child’s best interests. Other important points that you should take into consideration when deciding to withhold or disclose a child’s information are set out in our detailed guidance.

You need to put the child’s best interests first and protect their rights, welfare and privacy when you take any decision about whether to disclose a child’s personal information.

What should we consider when responding to a request?

You must comply with a SAR without undue delay and at the latest within one month of receiving the request, or within a month of receiving:

  • information confirming the identity of the person the information is about;
  • information that shows a third party is authorised to act on behalf of the person; or 
  • a fee. 

You can extend the time to respond by up to a further two months, where necessary, if:

  • the request is complex; or 
  • you have received a number of requests from the same person.  

If you do extend the time limit, you must let the person know and explain why within one month of receiving the request.

Can we clarify the request?

You may ask the requester to clarify what personal information they want. This may be because you hold a lot of information about them or their request is vague. You should only ask for clarification if it’s reasonably required. For example, this might be because you are unable to provide an effective response without the clarification. 

If you ask for clarification, the one-month time limit pauses on the day you request it and resumes the day after you receive it. This is known as ‘stopping the clock’. This means you don’t need to provide the person with the information until they clarify their request. 

You cannot force someone to narrow the scope of their request. If they repeat their request, you will need to make a reasonable search for their information.

Do we need to make reasonable adjustments for disabled people?

You may need to make reasonable adjustments to ensure a disabled person can make a request. 

Can we charge a fee?

In most cases, you cannot charge a fee to comply with a SAR. However, you can charge a ’reasonable fee’ for the administrative costs of complying with a request if:

  • it is manifestly unfounded or excessive; or 
  • a person requests further copies of their information. 

When requesting a fee, you should explain the costs to the person.

You should request the fee as soon as possible. You should allow the person a reasonable time period to respond to your request. It’s generally reasonable to close the request if you don’t receive a response within one month.

Can we ask for ID?

Yes. To avoid sending personal information about one person to someone else, you need to be satisfied that:

  • you know the requester’s identity (or the person the request is made on behalf of); and
  • the information you hold relates to the person in question.

You should be reasonable and proportionate about what you ask for – for example, you should only request formal identification if necessary. 

The timescale for responding to a SAR does not start until you receive the information you requested. It’s important to avoid delays and you should therefore request ID documents as soon as possible. 

How do we find and retrieve the relevant information?

You must make a reasonable and proportionate search to respond to a SAR. However, you do not need to conduct searches that are unreasonable or disproportionate to the importance of the information. 

How can we supply information to the requester?

A person has the right to a copy of their personal information and to other supplementary information (which largely corresponds with the information that you should provide in a privacy notice).  

If they make their request electronically, you must provide the information in a commonly used electronic format, unless the person requests otherwise. 

If they make the request by another means, you can provide a copy in any commonly used format, unless they request a specific format. You could ask the person in what format they would like to receive their information before you respond. 

You could satisfy the requirement to comply with a SAR by giving the person remote access to their information on a secure system. If you do this, you must make sure that they can download a copy of the requested information in a format that is accessible to them. You should make it clear that a person has a right to ask for their information to be provided in a different format. If a requester is unable, or does not want, to use a secure online platform to access their information, you must respond to the SAR using alternative methods. 

However you choose to provide their information, you must make sure it’s clear and accessible to the person.

As the controller of the information, you must take all reasonable steps to ensure its security. 

What exemptions are relevant for SARs?

Where an exemption applies, you could refuse to provide all or some of the requested information, depending on the circumstances. You should consider whether an exemption applies on a case-by-case basis. If you do apply an exemption, you must be able to justify this and you should document your reasons for relying on it. 

Not all exemptions apply in the same way. Some exemptions apply because of the nature of the personal information. Others apply because disclosing the information is likely to prejudice your purpose.

If an exemption applies, you may sometimes be obliged to rely on it (eg if complying with the SAR would break another law). In other cases, you can choose whether to use the exemption.

If you refuse to comply with a SAR request, you must inform the person about:

  • the reasons why;
  • their right to make a complaint to you, as the controller;
  • their right to make a complaint to the ICO; and
  • their ability to ask to enforce this right through the courts.

The following exemptions are those most likely to apply to SARs:

  • Crime and taxation: general 
  • Crime and taxation: risk assessment
  • Legal professional privilege
  • Functions designed to protect the public 
  • Regulatory functions relating to legal services, the health service and children’s services
  • Other regulatory functions
  • Judicial appointments, independence and proceedings
  • Journalism, academia, art and literature
  • Research and statistics 
  • Archiving in the public interest
  • Health, education and social work information 
  • Child abuse information
  • Management information 
  • Negotiations with the requester 
  • Confidential references 
  • Exam scripts and exam marks
  • Manifestly unfounded or excessive requests
  • Information about other people 

(Other exemptions may be relevant, and you can find more information on these in our guidance on exemptions.)

When can we consider a SAR to be manifestly unfounded or excessive? 

You can refuse to comply with a SAR (wholly or partly), or charge a reasonable fee to respond, if it is:

  • manifestly unfounded;
  • excessive; or
  • both manifestly unfounded and excessive. 

You should consider each request in the context it’s made. There is a high threshold for relying on these provisions. You should consider all the circumstances of the request when making a decision to apply this exemption.

When can an exemption apply to information about other people in a SAR? 

Personal information can relate to more than one person. Therefore, responding to a SAR may involve providing information that relates to both the requester and another person.  

You do not have to provide information in response to a SAR that would reveal information about another person, unless:

  • the other person has consented to the disclosure; or
  • it is reasonable to disclose the information without their consent.

There are also other relevant factors that you should take into account.

To help you decide whether to disclose information relating to a third party (also known as the ‘rights of others’ exemption), you should follow the three-step process explained in our detailed SAR guidance.

Are there any special cases?

Yes. There are special rules and provisions about requests for some types of personal information, including:

  • unstructured manual records;
  • credit files;
  • health information;
  • educational information; and
  • social work information.

Can the ICO enforce the right of access?

Yes. In appropriate cases, we may take action against an organisation if they fail to comply with data protection legislation. We will exercise these enforcement powers in accordance with our Regulatory action framework.

(Our detailed guidance has more information on enforcing a SAR.)

Can we force a person to make a SAR?

No. An enforced SAR is when someone:

  • requires a person to make a SAR to gain access to certain information about them (eg their convictions, cautions or health records); and 
  • uses this information (eg as supporting evidence for a job application or before approving a contract for insurance). 

Forcing a person to make a SAR in such circumstances is a criminal offence.

Further Reading – ICO guidance

Relevant provisions in the UK GDPR

Checklists

Preparing for subject access requests

 We know how to recognise a subject access request and we understand when the right of access applies.

 We have a policy for how to record requests we receive verbally.

 We understand the steps we need to take to check the identity of the requester, if necessary. 

 We understand when we can stop the clock for responding if we need to ask for clarification. 

 We understand when we can refuse a request and are aware of the information we need to provide to people when we do so.

 We understand the nature of the supplementary information we need to provide in response to a subject access request.

 We have suitable information management systems in place to efficiently locate and retrieve information.

 We provide our staff with training to recognise and deal with a SAR when they receive one in writing or verbally.

Complying with subject access requests

 We have processes in place to ensure we respond to a subject access request without undue delay and within one month of receipt.

 We have our own complaints process for requesters who wish to complain about having a SAR refused or about our handling of their SAR.

 We understand how to carry out a reasonable and proportionate search for the information.

 We understand what we need to consider if a third party makes a request on behalf of a person.

 We are aware of when we can extend the time limit to respond to a request. 

 We are aware that we can ask for clarification, and stop the clock to do so, if this is reasonably required. 

 We understand how to assess if a child is mature enough to understand their rights.

 We understand that there is a particular emphasis on using clear and plain language when we are disclosing information to a child.

 We understand what we need to consider if a request includes information about others.

 We can deliver the information securely to a person, and in the correct format.