IDG51000 - Procedure for disclosing to others (non-government): Requests from individuals for information about themselves (Subject Access Request – SARs)
The Data Protection Act (see IDG41400) provides a right of access to individuals (called Data Subjects in the Act) to the personal data HMRC holds about them. A ‘Subject Access Request’ (SAR) is a request made by a customer for access to personal data about themselves. Any request a customer makes requiring information about themselves is to be treated as a SAR.
(Please note: SAR refers to Subject Access Requests in this context, and should not be confused with Suspicious Activity Reports made under the anti-money laundering regime.)
Procedure you should take upon receiving a SAR
The DPA requires a response to the individual within 40 days. To ensure the department can meet this deadline, you must deal with a SAR as quickly as possible.
Upon receipt of a SAR you should pass the request on to the local Subject Access Officer as quickly as possible. From this point, the SAR will be dealt with centrally, with the Subject Access Officer passing the request on to the Data Protection SAR Unit. If you are unsure who your Subject Access Officer is, please see the DPA intranet site (see IDG90150).
How to identify a SAR
Any request by a customer for access to their personal data is invariably a SAR under the DPA. Requests may not specifically mention ‘personal data’ but could include phrases like ‘information about me’ or ‘my personal information’. This should be taken to represent a SAR.
SARs must be in writing. This includes requests made with pen on paper, electronically or by fax. However, the SAR does not need to mention that it is a request made under the DPA.
People often request information about themselves under the Freedom of Information Act (see IDG41200). These are actually SARs and will be dealt with under the DPA rather than as FoI requests.
Personal data which need not be disclosed
There is a specific provision in the DPA which allows HMRC to withhold personal data requested in a SAR in certain circumstances. Further information is available from Information Strategy, see IDG90100.
Child Benefit Office
The procedure for staff in the Child Benefit Office (CBO) is slightly different. The SAR is faxed immediately to the Data Protection SAR Unit, and then passed internally to the Subject Access Officer. Please see IDG90100 for contact details for the Data Protection SAR Unit.
Further guidance
Guidance on DPA generally can be found on the DPA intranet page (see IDG90150).
For further guidance and assistance generally on confidentiality, contact Information Strategy (see IDG90100).
