
Subject access requests: key issues for the pharmaceuticals and life sciences sector

05 Jan 2026

Subject access requests (SARs) continue to pose significant challenges for organisations in the pharmaceuticals and life sciences sector. They are often time-consuming, resource-intensive and frequently linked to wider complaints or disputes. This article shares some practical tips to help organisations manage SARs effectively.


The Data (Use and Access) Act 2025 (DUAA) received Royal Assent in July, although most of its provisions are not yet in force. It introduces several changes to UK data protection law, including putting some of the ICO’s existing SAR guidance on a statutory footing. This is a welcome development; many of the new SAR provisions are controller-friendly and will help organisations resist unreasonable or disproportionate requests.

Some key examples are discussed below.

  1. Searches
    The obligation is to complete a reasonable and proportionate search for personal data (and this is now on a statutory footing following the introduction of the DUAA). In practice, we often see searches extending far beyond what is legally required, leading to unnecessary work. For example, if keyword searches reveal vast amounts of information, it may indicate that the search terms have been set too widely. Requesters sometimes attempt to dictate how the SAR should be handled, for example, by specifying search terms or search locations. There is no legal obligation to use the criteria provided by the requester (or even, in some cases, to do keyword searches at all), provided that the organisation has done enough to satisfy the "reasonable and proportionate" search threshold.
  2. Personal data rather than documents
    A SAR gives the requester a right to their personal data, not to specific documents. It is lawful to extract the relevant data and present it in a schedule or table, rather than disclosing the documents themselves. Whilst providing originals may sometimes be appropriate if there are minimal redactions, it is often clearer to provide the data in an alternative format to avoid further queries if a lot of redactions will be required.
  3. Extending the response timeframe
    Organisations must normally respond to a SAR within one month, but the period can be extended by a further two months if the request is complex. In our experience, the right to extend is often underutilised. The threshold for complexity is relatively low and we are not aware of the ICO criticising an organisation for relying on the extension where it was justifiable to do so.
  4. Managing complaints
    The DUAA will, for the first time, require organisations to have a formal process for handling data protection complaints. We often find that organisations get caught up in prolonged correspondence with a requester. A clear complaints pathway provides requesters with clarity while giving organisations a defined point at which escalation to the ICO is appropriate. This should help reduce the protracted correspondence we often see in relation to SAR complaints.

For further information, or if you would like to discuss a SAR, please contact Andrew Gallie or Bronwen Jones in our Data Protection team.

 
