Records

Subject Access Requests, and What They Return

The Desk, 5 min read

A subject access request is a right, not a favour. Under UK data protection law you can ask almost any organisation holding your personal data for a copy of it, along with where it came from and who it has been shared with. The same right exists, in similar form, across the EU and much of the world.

What comes back is often more than expected. A bank, a former employer, an insurer or a platform may hold years of records, notes, correspondence and quiet inferences about you. Reading them together is one of the clearest pictures available of what a single party knows.

The rules tightened in 2025. The Data (Use and Access) Act now requires only a reasonable and proportionate search, and lets an organisation stop the clock while it asks you to narrow a broad request. The response time stays at a month, extendable for complex cases, and from June 2026 you can complain directly to the organisation, not only to the regulator.

For a private person the value is the map it produces. Sent to the right places, a set of requests shows where your data sits, how current it is, and which records would surface if someone went looking.

A subject access request turns a vague worry into a documented answer: this is what this organisation holds, this is where it came from, this is who has seen it. We treat it as an instrument, scoping the requests, reading what returns against the rest of your picture, and deciding what to correct, restrict or remove. The right is yours; the work is knowing where to point it.

Get in touch
Related reading
Identity
How We Hold the Line on Identity
The Long View
Digital Identity and the Single Point of Record
Identity
How a SIM Swap Works, and What It Takes from You