Respond to a subject access request (SAR)

Anyone can ask for a copy of any personal data your practice holds on them. This is known as a subject access request (SAR). You must respond to a request as soon as possible and within one month.

Recognising a SAR

There’s no set way of making an access request. The person does not have to use a request form if you provide one, or call it an access request.

They can make a request in writing or verbally, to any person or part of your practice. It can be made through social media.

It’s your responsibility to recognise a SAR, however the request is made.

If you’re not sure, you can check with the person that you’ve understood their request. This can avoid disputes later on.

All your staff should know:

  • how to identify a SAR
  • what to do when one is made

Recording SARs

You’ll need to keep a record of the details of access requests.

It’s good practice to keep a log of any verbal requests made over the phone or in person.

How to respond

Before responding you need to:

  • check the identity of the person making the request
  • remove any information about someone else (third-party information) from the material

When responding you need to:

  • confirm that you’re processing their personal data
  • provide them with a copy of it
  • give details of how the data is collected, used and disposed of

Providing a copy of their data

You can send them a hard copy – a print out or photocopy.

If someone asks electronically (for example, by email), you must respond electronically, unless they ask otherwise.

You should provide the information for free in an easily accessible format. It should be in a way that’s easy for them to understand, for example:

  • explain any codes they would not know
  • write clearly in plain language
  • be transparent

You only have to provide the personal data, not the documents themselves. You can redact any information that belongs to a third person.

Download an Information Commissioner's Office (ICO) guide on how to disclose information safely

Telling them how you use their data

You must let them know:

  • what category of data you hold, for example sensitive (special)
  • what it’s being used for
  • where you got it from
  • who it’s been disclosed to – particularly if international or ‘third countries’ (outside the EEA)
  • how long you’ll keep it for, or what criteria you use to decide how long you keep it
  • how it’s being kept safe – if transferred internationally or to third countries
  • details of any automated decision making – including profiling – for example to predict their behaviour

You must also tell them they have the right to:

  • complain to the regulator
  • object to you processing their personal data
  • ask you to erase, restrict, change or remove their personal data

Access requests and legal privilege

As a legal professional, you do not have to release information if it breaches:

Access to personal data and solicitor’s lien

If your client requests access to their personal data, this will override any right you have to exercise a lien over their papers.

Read about SARs in more detail and what to do when you get one on the ICO website.

Maximise your Law Society membership with My LS