
Help! I've Received a Subject Access Request - What Should I Do?

Published on Thursday, 08 July 2021.

Accessing one's personal data, or making a subject access request (SAR), has become a popular mechanism for individuals to find out exactly what information an organisation holds about them.

Healthcare organisations in particular will hold lots of personal data about individuals, and so can find themselves subject to high volumes of requests.

Requests are often used in the context of a dispute, complaint or grievance; getting it right or wrong can have important legal and reputational consequences for your organisation. Understanding how to recognise a request and deal with it effectively could save your organisation time, money and resources.

Are You Satisfied That This Request Is Genuine?

If you have doubts that the request has genuinely been made by the individual, it is sensible to make enquiries to satisfy yourself that the request has not been made fraudulently by someone else. You shouldn't ask for more information than you need to verify their identity, but it is better to be safe than sorry: disclosing someone's personal data to an impostor is itself a personal data breach.

What Information Have They Requested?

It is important to remember that individuals are entitled to their personal data, which is information from which they can be identified (or are identifiable) and which relates to them. For example, an email between staff discussing a patient's behaviour would likely include that patient's personal data. You should make sure you understand what the requester is entitled to, and take steps to locate the information on your systems.

Do You Require Any Further Information from the Requester to Locate the Personal Data?

You are permitted to ask requesters for information to assist you in locating the requested personal data if they request a large amount of data. This should be focussed on obtaining useful information that will assist with your searches, such as a date range, type of information they are after (eg notes relating to their appendicitis) or identifying individual mailboxes.

How Long Do We Have to Respond?

You must respond to the requester within one calendar month of receiving the request. This time limit can be extended by up to a further two months where the request is complex or where the individual has made a number of requests, but you must tell the individual within the first month that you are extending the deadline and why.

When calculating the deadline for the response you should be aware:

  • that the clock does not start to run until you have received any information requested to satisfy yourself of the requester's identity; and
  • if you have asked for clarification information to locate the personal data the clock will pause while you are waiting for a response.

Myth-Busting Subject Access Requests

Subject access requests only apply to information held electronically.

This is incorrect. Personal data may also be found in a paper filing system.

If your organisation is a public authority (ie covered by the Freedom of Information Act (FOIA)) then the scope of the paper records potentially caught is even wider. For example, GP surgeries may find themselves subject to this wider scope if the information is caught by FOIA (ie information relating to the provision of primary and general medical services under NHS contracts).

The requester must provide a reason for their request.

Requesters do not need to provide a reason for their request.

The request must be in writing.

Requests can be made over the phone or in person. There is no requirement for them to be in writing.

If we hold information received from a third party we don't need to provide it.

If the information is held by your organisation (regardless of its origin) then you may need to provide it, even if it came from a third party (for example, referral notes from a GP).

Only factual information about someone is disclosable.

Personal data includes opinions about people. It is important to note that there is no exemption for information which it would be embarrassing to disclose. Train your staff to keep written comments professional.

People have an absolute right to all of their personal data.

There are exemptions which allow you to withhold personal data in certain specified circumstances. However, these exemptions should not be applied in a blanket fashion.

There are specific exemptions which apply to health information in some circumstances. You should make sure you are familiar with these before responding to a SAR. 

The requester has asked for everything we hold and it is going to take us a really long time to find it all, so we can just refuse to comply.

Your obligation is to make reasonable and proportionate searches. There is no right to refuse a request on the basis that it will take up a lot of time. You can seek clarification regarding what the requester is seeking to assist in reducing the amount of time that needs to be spent.

If a request is either 'manifestly unfounded' or 'manifestly excessive' you are allowed to refuse to respond. However, the threshold is high and you must be able to justify why this is the case.

Information which is also about someone else is not disclosable.

This depends on the circumstances of the case. Where information is about both the requester and a third party, the information may or may not be disclosable, depending on the circumstances.

Where the third party is a health professional there are specific rules around when the information must be disclosed. 

We have to provide copies of documents redacted if necessary.

The requester is entitled to a copy of their personal data but not to a copy of the document containing that personal data. You can place their personal data in a new document if you prefer.


For further information and advice about subject access requests, please contact Bronwen Jones (07818 018215) or Claire Hall (07467 148750) in our Data Protection team.
