IDG30220 - Confidentiality when dealing with the customer: customer confidentiality: Subject Access Requests

A ‘Subject Access Request’ (SAR) is a request made by or on behalf of an individual for their personal information, which they are entitled to ask for under Article 15 of the UK GDPR.

An individual can make a SAR verbally or in writing, including by social media. They can make it to any part of an organisation, including HMRC, and they do not have to direct it to a specific person or contact point.

A request does not have to include the phrases 'subject access request', ‘right of access’ or ‘Article 15 of the UK GDPR’. It just needs to be clear that the individual is asking for their own personal data.

SARs must be responded to within one month of receiving the request.

People often quote the 'Freedom of Information Act' (see IDG40150) when requesting their personal information held by an organisation. This type of request is actually a SAR and should be dealt with under the GDPR rather than as Freedom of Information requests.

Further Information

For further guidance on SARS, including what to do if you receive a SAR, please consult the GDPR intranet pages.

Information Disclosure Guide

IDG30220 - Confidentiality when dealing with the customer: customer confidentiality: Subject Access Requests

Further Information

Is this page useful?

Help us improve GOV.UK

Help us improve GOV.UK

Cookies on GOV.UK

IDG30220 - Confidentiality when dealing with the customer: customer confidentiality: Subject Access Requests

Further Information

Is this page useful?

Help us improve GOV.UK

Help us improve GOV.UK