This part of GOV.UK is being rebuilt – find out what beta means

HMRC internal manual

Information Disclosure Guide

Confidentiality when dealing with the customer: customer confidentiality: Subject Access Requests

 A ‘Subject Access Request’ (SAR) is any request from an individual to an organisation asking to know what personal information is held about them and what data is being processed.

Under the General Data Protection Regulation 2018 (GDPR), SARs can be made verbally as well as in writing.  

SARs must be responded to within one month of receiving the request.  

People often request information about themselves under the Freedom of Information Act (see IDG40150). These are actually SARs and should be dealt with under the GDPR  rather than as FoI requests.

Further Information {#IDA0MYUB}

For guidance on SARs, including what to do if you receive a SAR, please consult the GDPR Intranet pages.