How Long Does My Business Have to Respond to a Subject Access Request in England?

Making a Subject Access Request (SAR) to a company is one of the better-known data protection rights. This involves an individual coming to your business and asking for a copy of all personal information. These are sometimes called Data Subject Access Requests or DSARs. One tricky question is figuring out the time your business has to respond to a SAR. This article will explain the timeframe for your organisation to respond to SARs, so your company can safely comply with data protection rules.

What is a Subject Access Request?

A SAR is a request from an individual for a copy of their personal data. Your company may receive one from employees, customers and any other party you hold information about. It is important to understand the time your business has to respond to a SAR.

When responding to a SAR, your company should ensure that it:

  1. inform the individual of all specific data held about them; 
  2. provide them with a copy of this information; and 
  3. notify them who else has received that information. 

Previously, organisations could charge a small fee for searching for materials, but this is no longer the case. An exception is if the SAR is ‘excessive’ or where the individual requests multiple copies.

One Month Rule

The starting principle is that your business should respond to a SAR without delay and provide the requested information no later than one month after receipt.

For example, if you receive a SAR from an individual on 6th July, your initial time limit for the provision of the relevant materials would be 6th August.

Events That ‘Pause’ the One-Month Timeframe

There are three main circumstances in which your company can safely ‘pause’ the one-month deadline for responding to a SAR. These are times when your business is awaiting:

  1. confirmation of the individual’s identity;
  2. additional information to enable your business to carry out the SAR; or
  3. receipt of a relevant fee to carry out the search.

Confirmation of Identity

Let us say that you receive a SAR from an email address with an individual’s name as the signature, and you do not recognise the email address and have not received an email from that address before.

In this case, you may request a copy of personal ID from the requester to confirm their identity to avoid unwittingly providing the personal information to someone else.

If you request a copy of personal ID from the requester on 10th July and they provide it to you on 17th July, you can add one week to the timeframe to respond. This would make your timeframe one month and one week from receipt of the SAR.

Request for Additional Information

It is often helpful to ensure you understand the information the individual seeks. In this way, your company can go back to them and ask for further details on the materials sought and the purpose of their request.

Suppose you return to the requester (otherwise known as a ‘data subject’) and ask for additional information. Four days later, they reply and state that they are looking for payslips because they need to argue a personal tax issue with HMRC.

If they are happy with this, your company can limit its disclosure to the documentation linked to pay and tax rather than all personal data. Likewise, since it took the requester four days to respond to your query, the clock for a response was ‘paused’ for four days, making the deadline for a response one month and four days from the corresponding date of the SAR.

Awaiting Payment of a Fee

UK data protection rules follow the principle that you should not charge a fee for SARs.  However, your company may be able to charge a fee for a SAR in the following circumstances:

  1. where the request is ‘manifestly unfounded or excessive’ (for example, being used to harass your company, bully a particular employee or with malicious intentions); or
  2. where an individual asks for further copies of a SAR (an organisation only has to provide one copy absent a charge).

While tempting, labelling a request as ‘manifestly unfounded or excessive’ can be complex and legal advice is usually recommended. In such circumstances, your business can only charge a ‘reasonable fee’ to cover reasonable time and financial costs.

In any event, if a fee is formally requested, the clock is ‘paused’ whilst awaiting payment of the reasonable fee. If it takes the individual two weeks to pay, there will be an extension of your initial deadline for response by those two weeks. Ultimately, your organisation does not have to start searching for materials until receipt of payment.

Exemptions Allowing More Than One Month to Respond

There are specific scenarios in which a longer initial deadline of three months can apply.

A three-month deadline for your business to respond to a SAR is possible where the SAR is particularly ‘complex’ in nature, or the individual makes multiple SARs over a short period.

The Information Commissioner’s Office (ICO) is responsible for enforcing data protection law and ensuring SAR good practice. It is important to note that the ICO will likely require strong reasoning to justify a three-month deadline. Without such reasoning, the ICO may label it a breach of the one-month requirement. Adequate reasons could include:

  1. difficulty accessing some of the information (for example, because you store it at another location);
  2. the SAR requires an extensive search of thousands of documents;
  3. the materials involve excessive mention of other individuals and need large-scale redaction (blanking out the names of others to protect their confidentiality); or
  4. the need to obtain specialist legal advice and assistance due to the nature of some of the documents requested.

The vast majority of SARs have a one-month time limit, so it is worth obtaining legal advice should your organisation wish to treat the deadline as three calendar months. If your company wishes to take up to three months, it should notify the author of the SAR in writing. 

Key Takeaways

Safe handling of SARs is crucial, as mishandling them will put your business in breach of data protection law. If you do not handle SARs correctly, your business is at risk of a fine by the Information Commissioner’s Office (ICO). Notably, you have one calendar month to respond to SARs, though there are limited exceptions. It is advisable to engage a lawyer as the exemption is not straightforward and may require legal expertise.

If you need help handling Subject Access Requests, LegalVision’s data, privacy and IT lawyers can assist as part of our LegalVision membership.  For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents.  Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

What information can my business refuse to provide when it faces a SAR?

When responding to a SAR, your business can refuse to provide information related to individuals other than the author and documents that record protected legal advice (known as the ‘legal professional privilege’ exception).

Can my business refuse to carry out a SAR?

Only very occasionally can your business refuse to respond to a SAR, and it can be risky to do so. The primary example would be when an individual makes two SARs and asks for the same information in both. Your company could state that it will concentrate on the first request but ignore the second SAR because it is an unnecessary repetition of the first.

Thomas Sutherland
