The Information Commissioner’s Office (ICO) has published new guidance for businesses and employers on responding to Subject Access Requests (SARs).

The right of access, commonly referred to as a subject access request or SAR, gives someone the right to request a copy of their personal information from organisations.

Organisations must respond to a SAR within one month of receipt of the request. However, this can be extended by up to two months if the SAR is complex.

Failing to comply to SARs is non-compliant with the law. If organisations fail to respond to SARs promptly, or at all, they can be subject to fines or reprimand.

“The right of individuals to access information that organisations hold on them is one that is vital for transparency and is enshrined in law.”

“What we’re seeing now is that many employers are misunderstanding the nature of subject access requests or underestimating the importance of responding to requests. For example, employers may be unaware that requests can be submitted informally, such as over social media, or do not have to contain the words ‘subject access request’ in order to qualify as a legally binding request. Similarly, employers may not realise that there is a strict time frame for responding to requests, and this must be kept to.”

“It’s important to not get caught out, and that is why we are publishing this guidance today – to support employers in responding to subject access requests in a proper and timely manner, and to ensure that employees are able to access their personal data when desired.”

“For those who continue to fail to respond to subject access requests in accordance with the law, we will continue to uphold and protect the data rights of individuals and take appropriate action where necessary.”

– Elanor McCombe, Policy Group Manager at the Information Commissioner’s Office.

From April 2022 to March 2023, 15,848 complaints related to Subject Access were reported to the Information Commissioner’s Office.