Getting information – SAR

You may want to obtain information about your account, for example, historical data, old statements and copies of internal and external communications. Under the Data Protection Act, you have the right to access all data an organisation holds about you.

Subject access

The right of subject access means that you can make a request under the Data Protection Act to any organisation processing your personal data. The Act calls these organisations ‘data controllers’.

The Information Commissioner (ICO) is an independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

You can ask an organisation to supply you with copies of both paper and computer records and related information. Organisations may charge a fee of up to £10 to process your request.

To obtain the historical data held about you by an organisation, you need to send a Subject Access Request (SAR).

You can send a SAR to anyone who holds information about you, such as an ex-employer, an academic institution, the DWP, etc. On this page, we will concentrate mainly on banks and creditors.

A SAR should not be confused with a request for a copy of your credit agreement (CCA request) or a Freedom of Information request (FOI).

A SAR should be sent by recorded delivery so it can be tracked on the Royal Mail website. Enclose a cheque or PO for £10 to cover the statutory maximum fee.

The organisation should respond to a SAR within 40 calendar days from the day they receive the request and fee.

Companies may ask for further information to be able to identify you and/or locate your details. It is generally OK to provide this information to avoid delay.

Financial information

You may wish to send a Subject Access Request if:

  • You want to find out about charges applied to your account
  • You want to reclaim PPI
  • You need to get hold of old statements you haven’t got on file
  • You need information about payments made in and out of your account

Most banks will only send data and statements for the last six years.

You can send a SAR for a closed account, but they may not be able to locate any data if the account was closed over six years ago.

If you have more than one account with the same bank (e.g. a current account, credit card and personal loan), you need only send ONE SAR. Provide details of all your accounts if you have them.

If your account has been assigned or passed on to a debt collector, they will not have obtained any of the data regarding your account. You need to send the SAR to the original lender (bank or credit card company). There are times when you may wish to send a SAR to a debt purchaser, for example, if you have been making payments directly to them and want to obtain their records.

If you have received a claim, you may not have time to wait for a SAR to submit your defence. You should request information using the CPR instead.

You cannot use delays or non-compliance with a SAR to request an extension to file your defence if a claim has been issued in the County Court.

Banks will often tell you they do not keep copies of letters such as Default Notices (DNs) and termination notices. These documents are mail-merged from database records and not retained individually as files.

SAR letter to obtain financial information

Dear Sirs

Ref: xxxxxxxx

Subject Access Request – S.7 Data Protection Act 1998

Under the Data Protection Act 1998, and including the right of subject access under this Act, I hereby request that you supply me with all historical data in your possession which in any way relates to me, including (but not exhaustively) a copy of the original signed executed agreement; statements of account; duplicate statements or printouts of all account transactions; all internal and external correspondence sent or received by you including memos, logs, notes, screen prints and transcripts; notes of manual interventions such as telephone attendants’ notes, copies of stored telephone conversations, internal and external emails and any other information held on all types of media in any relevant filing system.

If you have disclosed any information to a third party (with or without my express permission), will you please include details of this in your reply, along with notes of any legal action passed or pending (to include a true copy of default notices, court orders and the like).

If you store any of the older records on microfiche, please be aware that the Information Commissioner deems this to be a relevant filing system under the Act. As such, any microfiche data must be sent to me in fully legible and comprehensible form.

Where any information that you provide includes any charges, for example returned payments, late payment fees, and so forth, would you please advise your breakdown of actual costs (liquidated damages) incurred for each charge, and the Term or Condition on which you rely to claim such a charge. I also require that you forward a true copy of the Terms and Conditions that were in force at the time my account was opened, and any subsequent amendments to those Terms and Conditions.

I enclose the statutory maximum fee of £10.00 to access ALL data held by you about myself. You have 40 days in which to comply with this request.

Yours faithfully,

Non-compliance

If the company does not reply within 40 days, you can write to them. Wait a few more days before writing. Attach a printout of the receipt from the Royal Mail website to your letter if possible.

Dear Sirs

Non response to a subject access request

I am writing further to my letter of [xx/xx/xxxx] in which I made a subject access request, because I have not received any response from your organisation.

As the statutory time limit for responding to my subject access request (40 days) has now expired, I would be grateful if you could provide a response as soon as possible.

If I do not receive a response from your organisation within 14 days, I will submit a ‘request for assessment’ to the Information Commissioner’s Office (ICO).

You can find advice on the ICO’s website on how to deal with a subject access request ico.org.uk/sar and information on their powers and the action they can take ico.org.uk/action or call them on 0303 123 1113.

Yours faithfully

Missing data

If the company has not supplied all the statements and data held about you, you should send the following letter, providing as much detail as possible.

Subject access request

Further to my letter of [xx/xx/xxxx] in which I made a subject access request, I would now like you to revisit the way you handled my request.

I requested the following information:

[List information]

I received a response from you on [xx/xx/xxxx] from [name of person who responded]. I have attached a copy of both letters for your information. From the information you have provided and from my reading of the Information Commissioner’s Office website at www.ico.org.uk, I suspect you have failed to disclose all the relevant information I requested.

I believe that I have not received all the data I am entitled to. I expected to receive any personal data relating to me that may be contained within the following:

[List the records that you want the organisation to search and where they might be found, including any relevant dates, for example:

  • copies of statements (between xxxx and xxxx) held in account number xxxxx.]

If you have withheld any information relating to me I would be grateful if you would confirm this and tell me why you consider it appropriate to do so.

If there is anything further you can do to resolve this matter, or further information you can provide, please do so.

As the statutory time limit for responding to my subject access request (40 days) has now expired, I would be grateful if you could provide this information within 14 days.

I must advise you that if I do not receive a satisfactory response from you, I will submit a ‘request for assessment’ to the Information Commissioner’s Office (ICO).

You can find advice on the ICO’s website on how to deal with a subject access request [ico.org.uk/sar] and information on their powers and the action they can take [ico.org.uk/action] or call them on 0303 123 1113.

Yours faithfully

Complain

Complain to the ICO

If the bank or other company has not responded or their response is unsatisfactory, you can complain to the ICO. The ICO will expect you to have followed certain steps before you complain to them:

  • Wait for at least 40 days;
  • Have supplied them with any details they may have asked for (such as ID) and paid the fee;
  • Have written to them explaining what went wrong (i.e. you did not receive a response or it was incomplete).

If, after following those steps, the company:

  • Does not reply within 14 days; or
  • Refuses to comply with your request

you can complain to the ICO:

1. Fill in the complaint form

Please enter the required information into the Getting information complaint form. The form will tell you the information and supporting documents we will need:

2. Send the form to us

By email: If all your supporting evidence is available electronically, you can send your form by email.

  1. Save this form to your computer.
  2. Fill the form in and save it again.
  3. Open a new email, with ‘Complaint to the ICO’ in the subject line.
  4. Attach this form and any other documents you wish to send us.
  5. Send to casework@ico.org.uk
    Please note: Email may not be secure and could be intercepted before reaching the ICO.

By post: If your supporting evidence is in hard copy, you can print out the form and post it (with your supporting evidence) to:

Customer Contact Department
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF