Recognising a Subject Access Request
A Subject Access Request is any request from an individual asking for their personal data. The individual does not need to use any special wording.
If it is clear that the person is asking for their own personal data, the request must be treated as a Subject Access Request.
Responding to a request
- You must confirm whether you hold personal data about the individual
- You must provide a copy of their personal data in a clear and understandable form
- You must respond within 14 working days
- No fee may be charged.
When a request may be restricted or refused
You may restrict or refuse a request only where allowed by law. You must be able to explain and justify any restriction or refusal.
Accountability
You must keep records of how Subject Access Requests are handled.
You must be able to show compliance with the Freedom of Information and Data Protection Act 2026.