Data Protection


Handling a Subject Access Requests (SARs) | Data protection guidance

Guidance for staff on how to identify and respond to SARs efficiently and responsibly.


  • SARs are the right for any individual to access personal data held about them by UCL.  
  • SARs must be responded to within set timeframes or else UCL risks serious penalties.
  • Requests may come through to any staff member and do not have to state that it is a 'SAR'
  • It is a legal requirement that UCL responds to requests, DO NOT delay requests for information. Forward any SAR or sign post any requester to the Data Protection Office (DPO).


A SAR is when an individual exercises their right to find out what data is being held about them and how it is being used.  Individuals may also ask for a copy of the data itself.

When such requests are made to UCL, UCL must respond within one month of receipt of the request or UCL may face legal proceedings and regutatory action.

Identifying a SAR when it is received

A SAR does not need to state that it is a SAR when it is submitted; it is, therefore, important that we can identify a SAR when it is received.

A SAR can be made to any person in any part of your organisation (including by social media) and does not have to be to a specific person or contact point.

The request may be made in writing but also verbally.

Examples of data that may be requested:
    • Emails between ‘person A’ and ‘person B’  (from 1 June 2018 to 1 Sept 2018),
    • CCTV camera data situated at ‘location E’ on 23 May 2017 from 11am to 5pm records detailing the transfer of your data to a third party,
    • Their personnel file,
    • HR records related to the individual, 
    • Database records related to the individual,
    • Interview notes related to the individual

What a request might look like:

  • “What information do you hold on me?”
  • “I want to know what personal data you have stored about me.”
  • “Can you please tell me what personal data you hold on me and why?”
  • “I’d like to know what personal data of mine you have.”
  • “Please send me all the information you hold on me.”


Responding to a SAR

Act quickly and report it.  As soon as a request is received by UCL, the response must be received within one calendar month, including closure days. If we do not meet this deadline we are likely to breach data protection legislation.

  • If you receive a request for personal data, you should refer the individual to the SAR form and request that they complete the form and submit it as per the instructions in the form.
  • If the individual does not wish to submit a form, you should forward their request to data-protection@ucl.ac.uk with the subject: ‘Subject Access Request’. 
  • Do not try to deal with it yourself without assistance from the DPO as there are statutory requirements that need to be met.

Searching for personal data

Information held in email

Many SARs will involve searches for personal data in emails. UCL’s recommended policy for material held in UCL staff email mailboxes is for the DPO to organise searches centrally using search tools provided by the Information Services Division (ISD). This allows the DPO to locate the requested correspondence objectively and efficiently, using specific searches. The process also provides us with an audit trail of the searches undertaken. If however, you would not like ISD to conduct an automated search of your mailbox and you would like to conduct the search yourself, please let the DPO know.

Information held other than in email

SARs will often involve information other than UCL emails. Depending on the exact wording and date range of the request we would expect you to undertake searches of the following:

  • Any potentially relevant files stored on your personal computers, including non-UCL devices if used for work purposes

  • Any potentially relevant files stored on shared drives (e.g. ‘S’ drives or departmental drives) to which you have access

  • Any potentially relevant files in your recycle bin that have not yet been permanently deleted

  • Any potentially relevant manual records such as filing cabinets or diaries

For electronic search terms, you should liaise with the DPO team who will inform you of what search terms will be appropriate for your search. Microsoft has produced guidance that may help when searching Outlook.

Personal data not found

If you do not hold any personal data relating to the requester, please let the DPO know as soon as possible. If you think that data may be held elsewhere or by someone else, please let the DPO know as soon as possible.

On finding relevant personal data

For electronic files of less than 5mb, send via UCL Outlook to data-protection@ucl.ac.uk. For electronic files bigger than 5mb, send via UCL Dropbox or OneDrive.

N.B. If the material is classed as Confidential or Highly Confidential (according to UCL’s Information Management policy), encrypt the information using 7zip and share the decryption key (the password) with the DPO by an alternative channel of communication (SMS, email, Instant Messenger, telephone). If in doubt, encrypt the information.

If sending via Outlook, email messages should be attached to a cover email as separate .msg files. Do not use a non-UCL email account to transfer unencrypted personal data. If you intend to send data using a memory stick or disc these should be encrypted. See ISD website for details on how to do this. Paper files can be collected in person by the DPO, or hand-delivered via the Office of the General Council, 6th Floor, Bidborough House, London, WC1H 9BF.

If the personal data also contains information about people other than the requester (including you)

Under UK data protection law, an individual has a right of access only to his or her own personal data. Very often, the personal information gathered in response to a SAR also contains the personal data of other people (known as third parties). For example email correspondence can involve several people and contain the personal data of each person, as well as the requester. The DPO will exclude information that is out of scope of the request, but invariably some third party personal data will remain, particularly if it is not sensitive, e.g. other staff member’s names or UCL email addresses. The DPO will, by default, redact (remove) third party data that is sensitive or confidential, but where redaction is not possible (for example, the context of a document means the third party is inevitably identifiable) the team may contact the third parties involved, to establish if they consent to their personal data being disclosed. If the team cannot obtain consent (either because it is refused or because they can’t contact the third party) they will make a decision on whether it is fair and reasonable to release the third party information to the requester without consent. You may receive a ‘third party notification’ email from the team in relation to a SAR. If you do, please respond promptly by the date indicated in the message. If you have concerns about the release of your personal data please discuss these with the member of the Data Protection team responsible for the request

Checklist when responding to SAR at UCL

  • Have you checked for paper documents – personal and/or departmental?
  • Have you searched for your own computer files?
  • Have you searched relevant shared drives?
  • Have you checked your computer recycle bin?
  • Sending relevant data to the DPO:
  • Are you sending data from outside the UCL network? If so, are the files encrypted?
  • If sending files by memory stick or disk, have you encrypted these?
  • Information that identifies you
  • If the files contain your personal data and it is sensitive or confidential in some way, have you told the team if you consent or object to the release of the information that relates to you?

UCL may refuse a SAR if : 

• An individual is asking for personal data about another individual or the information which they are requesting contains personal data about another individual, unless: 
        ◦ the second individual has also given permission for that user to be able to access that information.
        ◦ It is reasonable for you to provide data about a different individual without their consent.
• If the request is ‘manifestly unfounded or excessive’ in which case UCL must justify and explain for arriving at this decision.

The decision to refuse a SAR can only be made by the DPO. Please do not attempt to make this decision yourself. 


Further information on the exemptions are available from the ICO website.

The Dos and Don’ts 

    • Don’t ignore
    • Don’t delay

It is important that you do not ignore any requests. Doing so may lead to financial penalties, enforcement action, legal proceedings and reputational damage. 

  • DON'T directly send data to the individual who initiated the SAR – The DPO will co-ordinate and instruct on what data needs to be included.
  • DO respond to any instructions from data-protection@ucl.ac.uk within a quick timeframe.
  • DON'T disclose any personal data to any external persons or organisations as part of a SAR, except where this is instructed by the DPO. 

Best Practices

Help UCL meet its responsibilities.

  • If you are unsure on how to handle a SAR then contact the DPO as soon as possible.
  • It is good practice to ask the individual who submits the SAR to fill in a SAR form, but you cannot force anyone to use it (explain that it will make the process transparent and manageable). 
  • Maintain your Out of office messages to avoid poor response times to SARs.  Follow our guidance on Out of Office Messages.

For further guidance and training please visit:

If you are unsure or want advice please contact the DPO using the link below: