What Is a Subject Access Request (SAR)? A Guide for Charities

A plain-English guide to Subject Access Requests (SARs) under UK GDPR — covering the one-month deadline, what to include in a response, exemptions, and practical steps for small charities.

By Plinth Team


TL;DR: A Subject Access Request (SAR) is the mechanism by which any living individual can ask an organisation for a copy of the personal data it holds about them. The right is enshrined in Article 15 of UK GDPR and reinforced by the Data Protection Act 2018. Charities must respond free of charge, within one calendar month of receiving the request. Failure to comply is the single most common reason people complain to the Information Commissioner's Office (ICO).

What Is a Subject Access Request?

A Subject Access Request is a formal request made by an individual — known in data protection law as a data subject — to obtain a copy of the personal data an organisation holds about them, along with related information about how that data is being used. The right is set out in Article 15 of UK GDPR and applies to any organisation that processes personal data, including charities of every size.

When a charity receives a SAR, it must provide:

  • A copy of the personal data the individual's request covers — for example, case notes, correspondence, referral records, or contact details held in a database.
  • Supplementary information about the processing: the purposes for which the data is held, the categories of data concerned, any recipients the data has been shared with, the intended retention period, and the source of the data where it was not collected directly from the individual.
  • Information about the individual's other data protection rights, including the right to rectification, erasure, and the right to lodge a complaint with the ICO.

The first copy of all this information must be provided free of charge. A reasonable, cost-reflective fee may be charged for further copies, and a charge or refusal may be justified where a request is manifestly unfounded or excessive — though the threshold is high and must be documented carefully.

A SAR does not need to be made in any particular form. An individual can make a request verbally, in writing, by email, through social media, or via a third party acting on their behalf. An organisation cannot require a specific form to be completed before the clock starts — the one-month deadline runs from the moment the request is received, regardless of how it arrives.

Compliance with SARs is consistently the most common subject of complaints to the ICO. Between April 2022 and March 2023, the ICO received 15,848 complaints related to SARs — a 13.5% increase on the previous year (Personnel Today, 2024).

The One-Month Deadline and How to Meet It

The one-calendar-month deadline is one of the most operationally significant features of the SAR regime. It runs from the day the request is received — including weekends and bank holidays — to the corresponding calendar date in the following month. A request received on 15 February must be responded to by 15 March. If the corresponding date does not exist in the following month (for example, a request received on 31 January), the deadline falls on the last day of that month. If the deadline lands on a weekend or bank holiday, the organisation has until the next working day to respond.

The ICO guidance for small organisations is clear: one calendar month is the maximum, not a target. Responses should be provided without undue delay.

In genuinely complex cases, or where multiple requests are received from the same individual at the same time, an organisation can extend the deadline by a further two months. However, the individual must be informed within the first month that an extension is being taken and why. Silence beyond one month without notification is a breach.
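The deadline rule described above, covering the missing-date case, the weekend or bank-holiday roll-forward and the extended deadline, as a worked Python example added here (it is not part of the original guide). The bank-holiday dates are constructed samples, and counting the extended deadline as three calendar months from the original date of receipt is an assumption about how the further two months run.

```python
import calendar
from datetime import date, timedelta

# Constructed sample of UK bank holidays for this example only; load the
# real list for the years you handle (e.g. the GOV.UK bank-holidays feed).
SAMPLE_BANK_HOLIDAYS = frozenset({date(2024, 12, 25), date(2024, 12, 26)})


def add_calendar_months(start: date, months: int) -> date:
    """Same calendar date `months` later, clamped to that month's last day.

    A request received on 31 January therefore lands on the last day of
    February (28 or 29), as the guide describes.
    """
    total = start.month - 1 + months
    year, month = start.year + total // 12, total % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(day: date, bank_holidays=frozenset()) -> date:
    """Roll forward while the day is a Saturday, Sunday or bank holiday."""
    while day.weekday() >= 5 or day in bank_holidays:
        day += timedelta(days=1)
    return day


def sar_deadline(received: date, bank_holidays=frozenset(), months: int = 1) -> date:
    """Response deadline: one calendar month from receipt by default.

    Pass months=3 once an extension has been notified within the first
    month (assumption: the extra two months are counted from receipt).
    """
    return next_working_day(add_calendar_months(received, months), bank_holidays)


def sar_log_entry(received: date, today: date, bank_holidays=frozenset(),
                  extended: bool = False) -> dict:
    """Log record for the SAR register: receipt date, deadline and status."""
    deadline = sar_deadline(received, bank_holidays, 3 if extended else 1)
    return {
        "received": received,
        "deadline": deadline,
        "days_left": (deadline - today).days,
        "status": "overdue" if today > deadline else "open",
    }
```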

For charities using case management software to hold beneficiary records, digital tools can make it significantly easier to gather and collate personal data held across different record types. Without a centralised system, a small charity may find itself trawling through emails, spreadsheets, and paper files — a task that can easily consume the available time if preparation has not been done in advance.

Practical steps to meet the deadline consistently include:

  1. Designate a named individual — typically the Data Protection Officer or a senior staff member — as responsible for handling SARs.
  2. Log every request immediately upon receipt, noting the date received and the deadline date.
  3. Verify the requester's identity where there is reasonable doubt — but only request the minimum information needed to confirm identity, and do not use identity verification as a way of delaying the response.
  4. Search all relevant systems and records — including emails, case management systems, databases, paper files, and any third-party platforms where personal data about the individual may be stored.
  5. Review third-party data — where the records contain information about other individuals, redact that information before disclosure unless the third party consents or it is reasonable to share without consent.
  6. Respond in writing (email is acceptable) with all required information before the deadline.

Exemptions and When Charities Can Refuse or Restrict a SAR

The right of access under UK GDPR is not absolute. There are specific exemptions set out in the DPA 2018 that allow organisations to withhold certain information, and circumstances in which a SAR can be refused entirely.

Withholding Information — Partial Exemptions

The most common reason to withhold some — but not all — of the requested data is the protection of third-party data. Where records contain personal information about other individuals, charities should redact those details before disclosure. If it is not reasonably possible to separate third-party information from the requested data, and the third party has not consented to disclosure, the charity may decline to disclose that part of the response — but must still provide everything that can be released without identifying the third party.

Other partial exemptions relevant to charities include:

  • Legal professional privilege — legal advice and communications prepared in the context of litigation may be withheld.
  • Confidential references — references given in confidence by the organisation (for example, for a former employee or volunteer) are exempt from disclosure.
  • Crime and taxation — data held for the purposes of crime prevention, detection, or prosecution can be withheld where disclosure would be likely to prejudice those purposes.

Refusing a SAR — Manifestly Unfounded or Excessive Requests

A SAR can be refused, or a fee charged, where the request is manifestly unfounded or excessive. The ICO is clear that this threshold is high. A request is not manifestly unfounded simply because the individual is in dispute with the organisation or has used strong language. A request may be manifestly unfounded if the individual has made clear they have no genuine interest in their data but are using the SAR as a mechanism for harassment or to extract a settlement. If a request is refused on these grounds, the refusal must be communicated within one month and must include information about the individual's right to complain to the ICO or seek a court remedy.

Where an organisation receives repeated requests from the same individual over a short period, it may treat subsequent requests as excessive — but must still document and justify that decision.

Any decision to refuse or restrict a SAR should be made carefully and recorded in writing. The ICO can and does investigate complaints about refusals, and organisations bear the burden of demonstrating that an exemption genuinely applied.

Frequently Asked Questions

Does a charity have to respond to a SAR if the information is sensitive?

Yes. The sensitivity of the data does not reduce the obligation to respond. Where a charity holds special category data — such as health information, ethnicity, or mental health records — that data must still be included in a SAR response, subject only to the same exemptions that apply to any other data. Charities working with vulnerable beneficiaries should ensure that their case management systems support appropriate access controls and audit trails, so that data can be located and reviewed without compromising the security of other records.

Can a charity ask why someone is making a SAR?

No. The ICO is explicit that organisations cannot make it a condition of responding that the individual provides a reason for their request. An individual's motivation for making a SAR is irrelevant to the obligation to respond. A charity may ask for clarification about which records the individual wants — particularly where the request is very broad — but only where this is genuinely necessary to locate the data, and only where asking will not delay the response beyond the one-month deadline.

What happens if a charity misses the SAR deadline?

Failing to respond within one month is a breach of UK GDPR. The individual can complain to the ICO, which has the power to investigate, issue enforcement notices, and impose fines. Complaints about SARs are the most common category of complaint the ICO receives. In practice, the ICO's approach for charities tends to be proportionate — it will typically first require the organisation to comply — but enforcement action can follow where there is a pattern of non-compliance or a deliberate refusal. Missing the deadline also damages trust with the individual concerned, which carries its own reputational risk for the organisation.

Published by the Plinth Team. Last updated 21 February 2026.