DUAA Compliance Deadline: 19 June 2026
30 DAY STATUTORY DEADLINE

Subject Access Request Procedure

When someone requests their data, you have 30 days to respond. Our SAR procedure ensures you never miss a deadline.

What is a Subject Access Request?

A Subject Access Request (SAR) is a request from an individual to see a copy of all the personal data you hold about them. It is a fundamental right under Article 15 of UK GDPR.

In a care setting, SARs often come from:

  • Service users — requesting their care records
  • Family members — acting on behalf of a relative (with authority)
  • Solicitors — in clinical negligence or safeguarding investigations
  • Former staff — requesting their employment records

You must respond within 30 calendar days. Failure to do so is a breach of UK GDPR and can result in ICO enforcement action.

The SAR response process

Our procedure guides you through every step:

1. Receive the request

A SAR can come by email, letter, phone, or even verbally. Our procedure explains how to recognise a SAR and log it immediately.

Clock starts: The 30-day deadline begins on the day you receive the request.

2. Verify identity

Before releasing personal data, you must confirm the requester is who they say they are. Our procedure specifies acceptable ID and how to handle requests from third parties.

Included: Email template for requesting ID verification without pausing the clock.

3. Locate the data

Search all systems where personal data might be held — care management system, emails, paper records, staff WhatsApp groups, CCTV footage.

Included: Search checklist specific to care agencies.

4. Review and redact

Before releasing data, you must redact any information about third parties (other service users, staff members) unless they have consented.

Included: Redaction guidance and third-party exemption checklist.

5. Send the response

Compile the data into a secure format and send it to the requester. Our procedure includes a response letter template and secure delivery guidance.

Must be completed within 30 calendar days of receipt.

What we deliver

For £400, you receive a complete SAR handling system:

SAR Procedure Document
  • Step-by-step process from receipt to response
  • Roles and responsibilities clearly defined
  • ID verification requirements
  • Redaction and exemption guidance
SAR Tracking Spreadsheet
  • Log every SAR received
  • Automatic deadline calculation
  • Status tracking (received, ID verified, in progress, complete)
  • Audit trail for CQC inspection
Email Templates
  • Acknowledgement: Confirms receipt and outlines next steps
  • ID Verification: Requests ID without pausing the clock
  • Response: Delivers the data with required information

Delivered within 5 working days from receipt of your completed intake questionnaire.

What happens if you miss the 30-day deadline?

ICO Complaint

The individual can complain directly to the ICO. The ICO will investigate and can issue enforcement notices, reprimands, or fines.

Criminal Liability

Under Section 173 DPA 2018, deliberately obstructing a SAR can result in criminal prosecution. A care home director was convicted in September 2025.