Subject access request procedure

How to prepare and share records, accessibility and recording requests.

Is this for you?

It’s for all employees.

Key points 

  • This procedure provides instructions on dealing with Subject Access Requests (SARs), how to prepare and share records, accessibility and recording requests. It also covers the risks of litigation and guidance on redaction.
  • SARs can be made by individuals, parents and carers and third parties.
  • The UK General Data Protection Regulation (UK-GDPR) states that all requests must be responded to within 30 calendar days. Under certain circumstances an extension of up to two months may be granted.
  • We have a legal duty to make reasonable adjustments for disabled people making a request.
  • If the person making the request is dissatisfied with our response, they may make a complaint to the Information Commissioner’s Office (ICO).

Your responsibilities

  • If you receive a verbal request, you can ask the data subject to put the request in writing. Our Data Subject SAR form (attached below) is a helpful tool for capturing this information, and you can send it to the individual to complete. However, there is no legal requirement for an individual to formalise their request in this way if they don’t wish to complete the form.
  • The 30 days begin when you have verified the identity.
  • If you have received a request from a parent, you should verify their identity in the same way you would for an individual. Before responding, you should consider whether it is more appropriate to respond to the child instead.
  • If you have received a request from a third party, you should ensure that the party is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of this.
  • When responding to a request, you should compile all information held about the individual, unless the request is for specific information.
  • You should make any necessary redactions before responding to a request, such as information about a third party.
  • You should agree how the data requested will be shared and you must do this securely.
  • All requests should be recorded on OneTrust using this webform.