Data Subject Access Request Policy (Sept25)

Introduction

This policy is governed by the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018 (DPA) and the Data (Use and Access) Act 2025 (DUAA), which together form the legal framework for data protection in the United Kingdom.

Under this framework, individuals have the right to request access to, or a copy of, any personal data that a business processes about them, including any opinion expressed about the individual, and additional information regarding that personal data.

If an individual contacts us requesting this information, this is known as a Data Subject Access Request (DSAR) or Subject Access Request (SAR).

All individuals whose personal data is held by us (including employees, clients and other third parties) are, subject to certain exemptions, entitled to receive a copy of their personal data along with the following information:

  • The purposes for which we process their personal data;
  • The categories of personal data concerned;
  • The source of the data, if not obtained directly from the individual;
  • The recipients or categories of recipients to whom the data has been disclosed;
  • The retention period for the data or, where this is not known, the criteria used to determine how long it will be retained;
  • The right to request rectification, erasure or restriction or to object to processing;
  • The right to lodge a complaint if they believe their personal data has been mishandled. In line with the DUAA, complaints must first be submitted to us as the data controller. If the individual is dissatisfied with our response, they must then escalate the matter to the Information Commissioner’s Office (ICO);
  • Whether the data is used for automatic decision-making; and
  • The safeguards in place if the data is transferred to a third country or international organisation.

Responsibility

Timothy Halliday (Compliance Officer for Legal Practice (COLP) & Data Protection Manager) is responsible for this policy and for monitoring our compliance with it.

All staff (and any third party to whom this policy applies) are responsible for ensuring that they comply with this policy. Failure to do so may result in disciplinary action.

Making a request

A DSAR can be made verbally or in writing to any firm employee. There is no prescribed form or specific wording that must be used to make a valid DSAR – requests do not need to include the phrase “subject access request” and may be submitted informally, including via social media. For example:

  • If someone says to a receptionist on a phone call “I want your firm to give me my personal data/information,” this would constitute a valid DSAR.
  • A message to the firm’s LinkedIn account asking for the sender’s personal data would also be likely to qualify as a valid DSAR.

The only requirement is that it must be clear that the individual is asking for their own personal information.

A DSAR may also be made on behalf of another person, provided that the requester has supplied evidence of that person’s consent for them to act on their behalf.

If you suspect that someone you are communicating with has made a DSAR, ask them to confirm this. If confirmed, you may invite them to complete the Data Subject Access Request Form (though they are not required to do so for the request to be valid).

Cost to the individual and grounds for refusal

Under the UK GDPR, we are generally not permitted to charge a fee for responding to a DSAR. We may however:

  • Charge a reasonable fee to cover administrative costs, or
  • Refuse to respond if it is deemed “manifestly unfounded” or “excessive.”

In such cases, we must:

  • Provide clear evidence supporting our decision (the burden of proof lies with us as the data controller);
  • Notify the requester of any fee and explain why it is being charged; and
  • Inform them of their rights to complain and seek judicial remedy.

These grounds for refusal are high thresholds and should be applied rarely and with caution.

Additionally, under the DUAA, we are only required to conduct “reasonable and proportionate” searches when responding to DSARs.

ICO guidance and case-by-case assessment

According to the ICO, each request should be considered individually. A request should not be presumed to be manifestly unfounded or excessive simply because the individual has previously submitted similar requests.

Manifestly unfounded requests

A request may be considered to be “manifestly unfounded” if:

  • The individual has no genuine intention of accessing the data;
  • The request is malicious and intended to harass or disrupt the organisation.

Use of aggressive or abusive language alone does not automatically make a request manifestly unfounded.

Indicators of malicious intent may include:

  1. Explicit statements of intent to cause disruption;
  2. Unsubstantiated accusations against the firm or its employees;
  3. Targeting of specific staff due to personal grievances; or
  4. Systematic or frequent requests as part of a disruptive campaign.

Excessive requests

A request may be considered excessive if it is clearly disproportionate when balanced against the burden or cost of compliance.

However, requesting a large volume of data does not automatically make a request excessive.

Factors to consider:

  • Whether the request overlaps with others still being processed;
  • Whether it repeats previous requests without a reasonable interval;
  • The sensitivity of the data;
  • Whether circumstances have changed since the last request;
  • How frequently the data is updated.

We may ask the requester for clarification to help locate the relevant data.

The burden of proof rests with us to demonstrate that the request is “manifestly unfounded” or “excessive” and that it is appropriate to refuse to respond or charge a reasonable fee. We must be able to justify the cost in case the requester makes a complaint to the ICO.

Third-party confidentiality

We may refuse to comply with a DSAR if doing so would disclose information that identifies another individual. Under the DUAA, we must consider new statutory guidance on balancing data subject rights with third-party confidentiality.

Exceptions:

  • The other individual consents to the disclosure; or
  • It is reasonable to comply without their consent.

Factors to assess reasonableness:

  • Type of information involved;
  • Any duty of confidentiality owed;
  • Efforts made to gain consent;
  • Whether the other person is capable of giving consent; and
  • Any explicit refusal of consent.

Legal Professional Privilege (LPP)

The DUAA introduces a statutory exemption for information protected by LPP. If this exemption is applied:

  • We must inform the requester (unless doing so would breach LPP); and
  • We must maintain a record of the decision for potential ICO review.

Responding to a refusal

If we decide to refuse a DSAR, we must inform the requester of:

  • The specific exemption being applied, with reference to the relevant section of the UK GDPR, DPA 2018, or DUAA;
  • Their right to complain to us first, and then to the ICO if unsatisfied; and
  • Their right to seek a judicial remedy.

Timescale to respond

A DSAR must be dealt with promptly due to the strict time limits in place. The firm generally has one calendar month to respond:

  • From the day the request is received – even if that day falls on a weekend or public holiday. If the corresponding date in the following month does not exist (e.g. a request received on 31 March, as there is no 31 April), the deadline is the last day of the following month. If that day is a weekend or public holiday, the deadline is the next working day; or

  • From the day we receive any information requested to confirm the requester’s identity; or
  • From the day we receive the applicable fee, if one has been deemed appropriate; or
  • From the day we receive clarification of the request, if applicable.

Under the DUAA, a “stop the clock” mechanism applies: the one-month deadline is paused while we await necessary information (e.g. ID verification or clarification) and resumes once received.

If we receive a request where it is genuinely unclear whether the individual is making a DSAR, the time limit does not begin until we have clarified this and understand what personal data they are requesting. In such cases, we should contact the individual as quickly as possible (e.g. by phone or email where appropriate) and keep a record of the conversation and the date clarification was sought and received.

Extension of the deadline

The one-month deadline may be extended by up to two additional months (i.e. a total of three calendar months from the original start date), but only if:

  • The request is “complex”; or
  • The requester has submitted multiple requests, including other rights-based requests (e.g. erasure, portability).

The extension must be calculated from the original start date (i.e. the day we received the request, fee or other required information). If we decide to extend the deadline, we must notify the requester before the initial one-month period expires, explaining the reason for the extension.

Defining “complex” requests

The UK GDPR and DPA do not define “complex,” as it depends on the specific circumstances. According to the ICO, factors that may contribute to complexity include:

  • Technical difficulties in retrieving archived or unstructured data;
  • Applying exemptions to large volumes of sensitive information;
  • Clarifying confidentiality issues (e.g. disclosing medical data to third parties);
  • Needing specialist legal advice (though routine legal review is not sufficient);
  • Processing a large volume of information, especially if it requires extensive manual review.

A request is not complex solely because it involves a large amount of data.

Procedure for responding to a DSAR

  1. Ask the requester to confirm their request using the Data Subject Access Request Form (or a suitable written alternative) and notify the DPM, who will take responsibility for ensuring that the request is actioned.
  2. The DPM will confirm the identity of the requester using appropriate ID, such as a passport or driving licence. If ID is not provided, the time limit does not begin until it is received. If the identification evidence was not provided at the time of the request, the DPM will request it, and the one-month (or possibly three-month) timescale to respond will commence from the day the firm receives the identification evidence.
  3. The DPM will establish whether the DSAR is reasonable and should be responded to within the standard timescale, or whether it is complex (e.g. due to volume of data, need to consult third parties, or involvement of archived or unstructured data) and an extended response time is required. If appropriate, to help locate the requested information, the requester may be asked to provide additional details (e.g. the context in which information may have been processed and likely dates when processing occurred). Note – if clarification is requested, the time limit for responding to the request is paused until the clarification is received (‘stop the clock’).
  4. Once the DPM has the necessary information, they will send an acknowledgment response to the requester confirming the timescale within which a response will be provided. An example response letter is set out below:


Dear

Re: Data Subject Access Request

I refer to your email dated (insert date), in which you confirmed your request to make a Data Subject Access Request (DSAR).

I am the Data Protection Manager at this firm and will be handling your request. Should you need to contact me at any stage, you can email me at (insert email address).

I am writing to acknowledge receipt of your DSAR. Under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA), and the Data (Use and Access) Act 2025 (DUAA), which together form the legal framework for data protection in the United Kingdom, you are entitled to request access to the personal data we hold about you, along with specific information relating to this data.

Timescales

We will respond to your request promptly and no later than one calendar month from the date we received your request, or from the date we received any additional information required to verify your identity or clarify your request.

We received your request on (insert date) and therefore aim to provide you with your personal data by (insert date).

OR

We have determined that your request is complex due to (insert reason), and therefore, require an extension of up to two additional months, as permitted under the UK GDPR. We may provide the information in batches during this period to help manage the volume or complexity of the data involved.

We received your request on (insert date) and you can expect to receive a full response by (insert date).

If you have any further questions, please do not hesitate to contact us. We will be happy to assist.

Yours sincerely,


  5. The DPM will contact the relevant department heads and third parties to ensure all relevant data is correctly identified, in line with the DUAA’s requirement to carry out a “reasonable and proportionate” search for personal information and personal data.
  6. The DPM will check if any statutory exemptions prevent us from sharing some or all of this information with the requester.
  7. The DPM will respond to the DSAR within one calendar month of receipt of the request (or three months for complex DSARs).

Responding to a data subject access request

Individuals have the right to obtain a copy of their personal data from your firm, along with supplementary information. You must facilitate the exercise of their rights (UK GDPR Article 12(2)). You must handle a request fairly and transparently (Article 5(1)(a)).

This is a summary of how the person in charge of data protection in the firm should deal with a subject access request. For fuller guidance, see the ICO’s right of access guidance.

Diarise the deadline.

You must deal with the request without undue delay and at the latest within one calendar month of receipt (unless there is a reason to extend the time – see below).

Check the legitimacy and extent of the request.

Often this will not be an issue, but you may want to:

  • Verify the identity of the person making the request;
  • Consider if the request is complex or whether you have received multiple requests from the same person. If so, you may extend the time to respond to three months from the date of receipt of the request, fee or other requested information. In line with DUAA 2025, complexity may include the need to consult third parties, retrieve archived data, or redact sensitive third-party information. In such cases, notify the person of the decision to extend the response time within one month of receiving their request and explain why;
  • Consider if the request is ‘manifestly unfounded’ or ‘excessive’, in which case you may refuse or charge a fee;
  • Request clarification as to what specific information the requester is seeking (e.g. matter file, HR records, direct marketing records, emails). They may seek all data held.

Collect the data.

This may include both electronic and paper documents. You will normally need to conduct an electronic search and ask relevant staff to check paper records. Refer to the definition of personal data in the UK GDPR and ICO guidance if in doubt. Ensure searches are “reasonable and proportionate,” as required under DUAA 2025. This means:

  • The search effort should be proportional to the scope of the request and the resources required;
  • You are not required to conduct exhaustive searches that would be unduly burdensome – if you find that it would take an unreasonably long or difficult search through lots of files, emails, or systems, you are able to say no or ask the requester to narrow down what data they would like to access;
  • You should document the search methodology and rationale for the scope of searches conducted;
  • Where information is withheld based on legal professional privilege or client confidentiality, you must explicitly inform the individual of this; and
  • If the DSAR is complex or large, consider explaining that you will send information in batches and provide a timescale.

Note: You may wish to warn colleagues not to put anything provocative in writing about the requester. The ICO states that a DSAR relates to the data held at the time the request was received. However, if the individual submits multiple DSARs, later comments may be disclosable.

Edit out anything which you should not provide.

Provide an explanation for any redactions. This may include:

  • Data mistakenly collected (e.g. relating to someone else with the same name);
  • Protected data, such as confidential employment references, legally privileged documents, or data relating to criminal investigation;
  • Third-party information where consent has not been given, unless it is reasonable to disclose. You must balance the interests of the third party and the requester. If the record is primarily about the requester, with incidental third-party data, redact the third-party information.

You should generally inform the requester if information has been withheld – unless doing so would defeat the purpose (e.g. anti-money laundering reports, where disclosure could constitute tipping off). There is more guidance on this subject on the ICO website.

Explain any exemptions applied to help the requester understand your decision.

Keep a record of your decision-making regarding exemptions and redactions, including your rationale under DUAA 2025, in case of ICO review.

Draft the response.

See the draft below.

The response must be concise, transparent, intelligible and easily accessible, using plain language (UK GDPR Article 12(1)).

You may need to explain how the request was handled (e.g. steps taken to locate data) and clarify any abbreviations used.

Include the following:

  • The purposes of processing (refer to your privacy notice);
  • The categories of personal data concerned (e.g. emails, HR records);
  • The recipients or categories of recipient (refer to your privacy notice);
  • The retention period, or the criteria used to determine it;
  • The right to request rectification, erasure or restriction, or to object to such processing;
  • The right to complain to us first, and then to the ICO if they remain unsatisfied;
  • The source of the data, if not obtained directly from the requester; and
  • A statement on automated decision-making and international transfers, if applicable. If no such processing occurs, you may state:

“We do not use automated decision-making (including profiling), and we do not transfer your personal information to a third country or international organisation.”

Template letter

Dear (Name of data subject)

Data Protection: Subject Access Request

Thank you for your letter of (enter date) making a Data Subject Access request (DSAR) for (insert scope of request).

We are pleased to enclose the information you requested. (If applicable) To protect the personal data of third parties we have redacted some names and identifying details within these documents.

(OR if entire documents are withheld) We have not been able to include all personal data relating to you. This is because some of the information is subject to exemptions under the UK GDPR, DPA 2018, or DUAA 2025. For example, this may include:

  • Confidential references provided for employment purposes;
  • Records of our intentions in respect of negotiations between us;
  • Legally privileged information;
  • Health records where disclosure may pose a risk to you or others.

Purposes of our processing

We processed your personal data for the purposes of (insert purposes, using language from your privacy notice).

Categories of data

We hold the following category/categories of data on you: (insert details, e.g. contact details, correspondence, HR records, etc.).

Recipients

Your data has been shared with the following recipients or categories of recipients: (insert details, aligned with your privacy notice).

Retention period

We retain personal data for (insert general retention period), except for (insert any exceptions). For more details, please refer to our retention policy.

Source of the data

The source of the data is generally apparent from the data itself. In most cases the data was obtained from you / our client / third parties and generated internally during our interactions with you.

To avoid any doubt, we confirm (set out information about the source of the data, where it was not obtained directly from the requester).

Where data was obtained from third parties, we have withheld identifying details unless it is reasonable to disclose them or we have their consent.

Copyright

Some or all of what we are providing may be subject to copyright. Please do not copy, distribute, or share it without the consent of the copyright owner.

Other

We do not use automated decision-making (including profiling), and we do not transfer your personal data to a third country or international organisation. (If you do transfer their personal data to a third country or international organisation, you must provide details of the safeguards in place).

Data subject rights and right to complain

If any of the personal data we hold about you is inaccurate, you may request that we rectify it. You may also request erasure, restriction of processing, or object to how your data is used, where applicable.

If you wish to exercise any of these rights, please reply to this letter with your request and the reasons for it. If you are dissatisfied with our response, you may raise a complaint with us.

If you remain unsatisfied, you may escalate your complaint to the Information Commissioner’s Office (ICO). Guidance on how to do this is available at http://ico.org.uk/complaints.

Further information about your rights is available in our Privacy Notice, which you can find at: (insert website address, or attach a copy if preferred).

Yours sincerely


Your Name

Data Protection Manager

Contact Email

  8. The DPM will monitor the firm’s performance in responding to DSARs within the required timeframes.


Criminal sanctions

Under the UK GDPR, DPA and DUAA 2025, it is a criminal offence to alter, deface, block, erase, destroy or conceal personal data with the intention of preventing its disclosure in response to a DSAR.

Once you become aware of a DSAR, you must not alter or delete any information that may be responsive to the request, unless doing so is part of a routine, documented retention schedule that predates the DSAR.

If you wish to alter or delete information that is responsive to a pending DSAR for reasons other than preventing disclosure (e.g. the data was scheduled for destruction under the firm’s retention policy before the DSAR was received), you must first consult the DPM/COLP before proceeding. Any such action must be documented and justified under the firm’s retention policy.

Review of this document

This policy is reviewed by Timothy Halliday (COLP/DPM) on an annual basis.

September 2025
