Insights ICO publishes new guide on responding to Subject Access Requests (SARs)


The ICO has published new guidance for businesses and employers on responding to SARs.

As the ICO explains, the right of access gives someone the right to request a copy of their personal information from organisations that process it. This includes where they got their information from, what they are using it for and who they are sharing it with.

Individuals can request the personal information held by their employer, or former employer, such as details of their attendance and sickness records, personal development or HR records.

Organisations must respond to a SAR within one month of receipt of the request. However, this can be extended by up to two months if the SAR is complex.

If organisations fail to respond to SARs promptly, or at all, they can be subject to fines or reprimand.

Elanor McCombe, Policy Group Manager at the Information Commissioner’s Office, explained that the right of access is “vital for transparency”. However, she said, “many employers are misunderstanding the nature of subject access requests or underestimating the importance of responding to requests. For example, employers may be unaware that requests can be submitted informally, such as over social media, or do not have to contain the words “subject access request” in order to qualify as a legally binding request. Similarly, employers may not realise that there is a strict time frame for responding to requests, and this must be kept to.” This is why the ICO has published the new guide.

The ICO said that from April 2022 to March 2023, it received 15,848 complaints relating to SARs. It noted that it recently reprimanded Plymouth City Council and Norfolk County Council for failing to respond to information access requests and in September 2022, it took action against seven organisations who had failed in their duty to respond to SARs.

Ms McCombe said that “For those who continue to fail to respond to subject access requests in accordance with the law, we will continue to uphold and protect the data rights of individuals and take appropriate action where necessary”. To read the ICO’s press release in full and for a link to the new guide, click here.