Press "Enter" to skip to content

Polite, Legal, Relentless: The Art Of SAR

By The Reasonable Adjustment on July 27, 2025 1:14 am

Last updated on August 22, 2025

By The Reasonable Adjustment

Posted on 26 July 2025, updated 27 July 2025

Part of The Reasonable Adjustment’s Subject Access Guide

If you have ever made a Subject Access Request and found yourself buried under redactions, delays, or passive aggressive claims of deletion, welcome. You are not alone. Many organisations will try to avoid fully complying with a SAR. That does not mean we let them off the hook.

This is not just about data. It is about power, process, and accountability. Used properly, a SAR shines light where polite emails failed, and it prompts compliance through firm, rights based persistence.

Step One: Build a strategy, not just a request

Before you fire off a SAR, take a breath. Ask yourself what you actually want to find out. Internal communications about you. Safeguarding logs. Risk assessments. Meeting notes. Payment or account records. Clarity upfront equals fewer excuses later.

Ask for:

  • All personal data held about you, across all formats including emails, internal notes, messaging platforms, and case management systems
  • Any mentions or references to your name, email, or known aliases
  • Internal emails or correspondence where you are discussed
  • Meeting minutes, safeguarding logs, risk assessments, and decisions that affected you
  • Dates of deletion and copies of any deletion logs or data retention actions

Be specific, but not narrow. If you only ask for emails you sent, do not be surprised when they withhold emails they sent about you.

Step Two: Consider a limited Right to Erasure first

This is a lawful pressure test that also respects data minimisation. If you suspect poor governance or sloppy practices, send a scoped Right to Erasure request first. If they confirm deletion, then days later they suddenly find data in response to your SAR, you have evidence of inconsistency.

Example wording:

I am exercising my Right to Erasure under Article 17 UK GDPR for non essential personal data, particularly any data held for marketing, fundraising, or unnecessary profiling purposes. This request does not extend to data that must be retained to comply with legal obligations.

Step Three: Apply firm, rights based pressure

Most delays happen because the organisation is disorganised or hoping you will give up. Do not. If they delay or dodge:

  • Restate your request in writing and keep a clean paper trail
  • Reference Article 15 UK GDPR and the one month statutory period
  • Ask what was withheld and why, including the specific exemption relied upon
  • Request evidence of deletion where deletion is claimed
  • Give reasonable deadlines and track them

Stay polite. No shouting, no spam, just receipts.

Step Four: State your purpose so no one can spin it

Judges and regulators care about motive and proportionality. Make your purpose explicit so it is clear you are exercising a right, not trying to punish anyone.

Template purpose statement:

I am submitting this Subject Access Request to verify the accuracy of my personal data, to understand decisions that affected me, and to obtain copies of internal correspondence that references me between [start date] and [end date]. This request is necessary to exercise my rights under Article 15 UK GDPR and to correct any inaccuracies.

When to use: Examples include misdirected information such as receiving another patient’s link, insecure or shoddy payment handling, unexplained redactions, blocked communications about service access, or contradictory statements about deletion or retention.

Step Five: Avoid the vexatious trap

  • Consolidate issues into one clear SAR rather than multiple overlapping requests
  • Use sensible date ranges and specific systems where possible
  • Limit contact channels and frequency, and acknowledge replies promptly
  • Be responsive to scope clarification if it reduces burden without harming your access

Step Six: Escalate with purpose

If the games continue, escalate calmly and in sequence:

  • Write to the Data Protection Officer or senior leadership
  • Complain to the Information Commissioner’s Office
  • If a charity or public body is involved, notify trustees, public funders, or the relevant regulator
  • Loop in your MP where rights are being obstructed

If they are publicly funded, they are publicly accountable.

Evidence checklist

  • Timeline of requests, deadlines, and responses
  • Copies of all correspondence, including delivery confirmations
  • Retention policies, deletion logs, and any stated legal bases
  • Notes of any verbal interactions, recorded immediately after the call

Final thought

You are not being awkward. You are exercising a right. If their systems are chaotic, that is on them. SARs are slow burn tools, but they produce evidence, surface contradictions, and prompt compliance. Most importantly, they remind those in power that someone is watching, even if it is just you.

Published in Accountability, Articles, Data and Tools

More from AccountabilityMore posts in Accountability »
More from ArticlesMore posts in Articles »
More from DataMore posts in Data »
More from ToolsMore posts in Tools »

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *