What is a Subject Access Request (SAR)?

A Subject Access Request (SAR) is the right of an individual to request any 'personal data' we hold for them. This right is a principle of the Data Protection Act 1998 (DPA), designed to regulate the processing of information from which a living individual can be identified or singled out either from the information on its own or when combined with other information.

As part of a SAR, individuals have a right to:

  • a description of the information held about them
  • be informed of the purposes the information is used for
  • be informed of the disclosures that are made or might be made
  • be informed of the source of the information, and
  • a copy of their personal information.

Examples of Personal Information you can request

The following are examples of personal information (assuming that the information in question can be linked to an identifiable, living individual):

  • Business associates’ contact details
  • CCTV footage
  • Complaints or customer service notes
  • Customer bank statements or related static data (e.g. the content of application forms)
  • Customer medical history
  • Customer spending preferences
  • Customer work experience history (e.g. we may hold evidence of qualifications referenced in a CV submitted to support a business lending application)
  • Employee salary details
  • Notes of meetings from employee disciplinary/grievance hearings
  • Telephone call recordings

Please note: The request doesn't have to specify that it's a SAR or refer to the DPA; it can be a general request for personal information. This is important because the bank has a tight regulatory deadline of 40 days to meet, so identifying these requests within business-as-usual processes is vital in helping us meet this timeframe. There is a regulatory requirement to send in a £10 cheque to initiate the processing and fulfilment of the SAR.

If you require more information about the Act and your rights, you can contact the Information Commissioner's Office (ICO).

Below is a timeline showing how a SAR is dealt with, up to the point at which you, the customer, receive your final outcome.

SAR process timeline: Day 0 SAR Received to Day 40 Outcome Provided

A Subject Access Request does not provide the following:

Copies of documents - individuals are entitled to their personal information contained in documents, not the documents themselves.

Terms and Conditions, marketing correspondence and product literature, as these are not regarded as personal information.

Partnerships and Limited Company business information, as this is not personal information.

Generation of certificates, e.g. Certificate of Good Conduct, Certificate of Debt.

Information in relation to a deceased person, as the Act only applies to living individuals.

Information in relation to another individual, including a spouse, business partner, suspected fraudster or member of staff, as the right is to the individual's own personal information, not another person's information.