IDG30220 - Confidentiality when dealing with the customer: customer confidentiality: Subject Access Requests

 A ‘Subject Access Request’ (SAR) is any request from an individual to an organisation asking to know what personal information is held about them and what data is being processed.

Under the UK GDPR and Data Protection Act 2018, SARs can be made verbally as well as in writing.  

SARs must be responded to within one month of receiving the request.  

People often request information about themselves under the Freedom of Information Act (see IDG40150). These are actually SARs and should be dealt with under the GDPR  rather than as FoI requests.

Further Information

For further guidance on SARS, including what to do if you receive a SAR, please consult the GDPR intranet pages.