Subject Access Requests (SARs)
A subject access request is when someone asks for a copy of the personal data you hold about them. Anyone can make one, in any format, and you must respond — usually free of charge.
Handling SARs calmly and methodically is far easier when you prepare in advance. This is general guidance to that end.
What You Must Provide
- A copy of their personal data.
- The purposes you use it for.
- Who you have shared it with.
- How long you intend to keep it.
- The source of the data if not from them.
Your Timeline
You normally have one month to respond. The clock starts when you receive the request, not when it reaches the right person, so make sure staff know how to recognise and escalate one.
Redaction and Third Parties
Before sending data you may need to redact information that identifies other people, unless they have consented or it is reasonable to disclose. Take care with email threads and documents that mention others.
Frequently Asked Questions
Can I charge for a SAR?
Usually no. You may charge a reasonable fee only if the request is manifestly unfounded, excessive or repetitive.
What if I cannot identify the requester?
You can ask for reasonable proof of identity before releasing data, which pauses the response clock until you receive it.
If you need a hand with any of this, your Progressive Robot delivery team is ready to help. Raise a ticket from the Support area of your client portal or speak to your account manager and we will guide you through the next steps.