SAR Guidance

A Subject Access Request, often called a SAR, is a request asking an organisation for access to the personal data it holds about you.

Under UK GDPR and the Data Protection Act 2018, you generally have the right to ask an organisation:

• whether it is using your personal data;
• what personal data it holds about you;
• why it is using that data;
• who it has shared your data with; and
• for a copy of your personal data.

Depending on the organisation and your relationship with it, this can include things like emails, account notes, complaint records, HR records, health-related records, grievance materials, call recordings, CCTV footage and other information that identifies you.

GetMySAR is designed to help people make SARs to UK-based data controllers.

You can use GetMySAR to make a request:

• for yourself;
• for a child;
• for a vulnerable adult;
• for a client; or
• for someone else where you have written authority.

If you are submitting a request on behalf of another person, you are responsible for ensuring you have the right authority to do so.

GetMySAR is a tool that helps you prepare, send and track a Subject Access Request.

1. You complete our online form and tell us who the request is for, which organisation you want to contact, and what information you are asking for.
2. You provide a signed consent or authority form. This is required for requests made through GetMySAR.
3. You can also upload copy ID if you want to provide it, although ID is usually only needed if the organisation asks for it.
4. In most cases, the SAR is sent when you submit the form, although some requests may be held briefly for review depending on the target organisation.
5. We contact the organisation using the details available, which may include email, SMS and/or post.
6. The organisation’s substantive SAR response is sent directly to you or the data subject. GetMySAR does not receive or store that substantive response within the platform.

We also send follow-up reminders where appropriate, including until we receive an acknowledgement, before the deadline, and after the deadline if there has still been no proper response.

You can ask for personal data held about you or the person you are authorised to act for.

Examples include:

• account information and internal notes;
• emails and correspondence;
• complaint files and investigation material;
• HR and employment records;
• health-related records;
• grievance records;
• call recordings and chat logs; and
• CCTV footage where the person can be identified.

It usually helps to be as specific as possible. For example, you may want to include:

• a date range;
• reference or account numbers;
• the department involved;
• the type of record you want; or
• a short explanation of the issue or background.

Before starting your SAR, it helps to have:

• the correct name of the organisation;
• your contact details, or the data subject’s details;
• previous names or addresses where relevant;
• reference, claim, customer, account or employee numbers;
• a date range for the records you want;
• details of the types of data you want to receive; and
• a signed consent or authority form.

The clearer your request is, the easier it is for the organisation to locate the right information.

GetMySAR requires a signed consent or authority form for requests made through the service.

Copy ID is not always required. In many cases, the organisation will only ask for ID if it reasonably needs it to verify identity before disclosing personal data.

If ID is needed, the most common forms we accept are:

• passport; and
• driving licence.

If you upload ID for the purpose of supporting your request, it may be sent to the organisation you have asked us to contact.

In most cases, an organisation should respond to a valid SAR within one calendar month.

In some cases, the organisation may extend the time to respond by up to two further months, for example if the request is complex or involves a large amount of information.

An organisation may also ask for clarification or proof of identity if reasonably needed before it can disclose data safely.

GetMySAR helps by sending reminders, including:

• follow-ups until an acknowledgement is received;
• reminders before the deadline; and
• further follow-ups after the deadline if needed.

GetMySAR charges a £20 service fee for using the platform to prepare, send and manage your request.

This is separate from the legal position on SARs themselves. A Subject Access Request is usually free of charge when made to the organisation.

In limited cases, the organisation may be entitled to charge a reasonable fee, for example where a request is manifestly unfounded or excessive.

Once your SAR has been sent, the target organisation is responsible for handling the request and deciding what information it must provide under the law.

The organisation’s response should be sent directly to you or the data subject, not to GetMySAR.

Possible outcomes include:

• the organisation acknowledges the request and then responds;
• the organisation asks for ID or clarification;
• the organisation provides a partial response;
• the organisation redacts some information;
• the organisation refuses all or part of the request; or
• the organisation does not respond within time.

If an organisation refuses your request, ignores it, delays it, or provides a response that appears incomplete, you may still have options.

Common next steps can include:

• checking whether the organisation asked for ID or clarification;
• sending a further follow-up;
• asking the organisation to explain any exemptions it relied on;
• raising a complaint with the organisation directly; and
• making a complaint to the Information Commissioner’s Office (ICO).

GetMySAR may provide general information about possible next steps, but you should get independent legal advice if you need advice on your specific legal position.

When you use GetMySAR, you may provide personal data such as identity details, contact details, organisation details, request details, signed consent forms and copy ID documents.

We use this information to prepare, send and manage your Subject Access Request, communicate with the organisation you identify, and keep administrative records such as whether the organisation acknowledged or responded.

Our core SAR-related storage is intended to remain in UK-based infrastructure, including:

• Supabase in eu-west-2 (London); and
• AWS S3 in eu-west-2 (London).

Stored files in AWS S3 are protected using server-side encryption with AES-256. We also use HTTPS and restrict access to systems and stored data.

For more information, please read our Privacy Policy, Security page, Data Protection page and Terms of Use.

A SAR does not always mean you will receive every document in full. Organisations may redact or withhold information where an exemption applies or where disclosure would affect the rights of others.

Examples may include:

• information about other people;
• legally privileged material;
• certain regulatory or crime-related material; and
• other exemptions allowed by data protection law.

Important: GetMySAR is not a law firm. We may provide general information about SARs and possible next steps, but nothing on this page or through our service is legal advice.

If you need advice on your specific legal rights or a dispute with an organisation, you should speak to a qualified solicitor or adviser.