How to Respond to a Subject Access Request Without Over- or Under-Disclosing

by

in

,

A subject access request (SAR) gives an individual the right to ask what personal data an organisation holds about them, and to receive a copy of it. Organisations must respond within one month, and the most common mistakes are either disclosing too much (missing an exemption) or too little (missing data that should have been included). Here’s how to get the scope right.

What does a SAR actually require you to provide?

Under Article 15 of UK GDPR, the individual is entitled to confirmation that their data is being processed, and a copy of that data, along with supplementary information: the purposes of processing, who it’s been shared with, how long it’s kept, and their other rights. The request doesn’t need to mention “Article 15” or use any particular wording – any clear request for personal data counts, however it’s phrased.

What is the “provide a copy” standard?

The right is to receive a copy of the personal data, not necessarily the original documents it appears in. This distinction matters in practice: an organisation is not automatically required to hand over entire files or original correspondence verbatim, but it must ensure the individual receives all their personal data in an intelligible form, including surrounding context where that context is needed to make the data meaningful.

When can data be withheld?

Common grounds for withholding or redacting include: data that would reveal another individual’s personal data (unless they consent or it’s reasonable to disclose without consent), legal professional privilege, and certain exemptions relating to crime prevention, negotiations, or management forecasting. Each exemption needs to be applied and justified individually – a blanket refusal citing “third party data” without proper analysis rarely holds up to scrutiny.

How does this interact with the right to portability?

Access (Article 15) and portability (Article 20) are separate rights with different scopes. Portability only applies to data provided by the individual themselves, processed by automated means, on the basis of consent or contract – it’s narrower than the right of access, and doesn’t extend to data the organisation has generated or inferred about the person. Confusing the two often leads to either over- or under-disclosure.

What’s the deadline, and can it be extended?

One calendar month from receipt, extendable by a further two months for complex or numerous requests – but the extension must be communicated to the requester within the first month, with reasons, not simply taken.

If you’d like support scoping or responding to a SAR, see our Data Protection advisory services.