LAW-BUD
Sign inTry free →
← Back to blog
Information Rights·UK

The Subject Access Request: The Most Powerful Letter You'll Ever Send

There is one letter that can change the outcome of almost every legal dispute you will ever be in. It is free to send. The recipient has 30 days to respond. And almost nobody talks about it.

8 May 2026·10 min read·LAW-BUD Editorial

There is one letter that can change the outcome of almost every legal dispute you will ever be in. It is free to send. The recipient has 30 days to respond. And almost nobody talks about it.

It is called a Subject Access Request, or DSAR. It is your right under Article 15 of the UK GDPR (and section 45 of the Data Protection Act 2018) to demand a copy of every piece of personal data an organisation holds about you. They have to give it to you. They have to do so within a calendar month. They have to do so for free.

You will be amazed at how rarely the data they produce matches the story they have been telling you.

What a DSAR actually demands

A Subject Access Request entitles you to:

  • A copy of all personal data the controller holds about you;
  • The purposes of processing;
  • The categories of personal data;
  • Recipients or categories of recipients to whom the data has been disclosed;
  • The period for which the data will be stored;
  • Information about your rights to rectification, erasure, restriction and objection.

Who you can send it to

Anybody. Literally any organisation that holds your personal data:

  • Your council (council tax, social work, planning, complaints history)
  • Your landlord (the tenancy file, correspondence, complaints log)
  • Your employer (personnel file, performance reviews, disciplinary records)
  • Your bank (account history, decisioning notes, fraud markers)
  • The police (PNC entries, intelligence, witness statements about you)
  • Your school or your child's school (the pupil file)
  • Your doctor or hospital
  • Any company you have shopped with, any social media platform, any insurer

The right is yours. They cannot deny you on the grounds that “we do not usually do this”.

Generic DSARs get generic responses. Specific DSARs get specific responses. The more precise your request, the more useful the answer.

What it costs and how long it takes

  • Cost: free. They cannot charge a fee, except in narrow “manifestly excessive” cases.
  • Timeframe: one calendar month to respond, extendable to three months for complex requests (with reasoned notice).
  • Format: typically electronic, but they should provide whatever format you reasonably request.

How to write a DSAR that gets a thorough response

Be specific about the period

“All personal data from 1 January 2023 to date” anchors them in a defined window and stops them returning a half-hearted summary.

Be specific about the categories

“Including emails between [name] and [name], call records, internal notes about my account, complaint logs, decision records, and copies of any documents I supplied.”

Be specific about the people

Naming individual staff who held conversations about you is fair game and produces dramatic results.

Specify the format

“Provided as PDFs in chronological order, with the original metadata where possible.”

Cite the legislation

“Pursuant to Article 15 of the UK GDPR and section 45 of the Data Protection Act 2018, I hereby request...”

Identify yourself adequately, but no more

Provide enough information for them to identify you securely. Don't oversupply (e.g. don't include bank details). They can ask for ID — and that resets the 30-day clock, so do not invite that.

What to do with the response

When you get the response, your task is forensic:

  • Cross-check timestamps — do they tell the same story you have been told?
  • Look for what is missing — they often selectively withhold things. Note gaps and ask follow-up questions.
  • Look for what is wrong — wrong account holders, wrong addresses, wrong amounts. The right of rectification under Article 16 is yours.
  • Look for what is withheld for “third-party privacy” — they cannot withhold data simply because a name appears alongside; they must redact only the personal data of others.
  • Look for processor names — the third parties who handle your data. Each is potentially DSAR-able too.

When they fail to respond

If a controller has ignored your DSAR, responded incompletely, charged a fee, missed the deadline, or refused without proper grounds, you have three escalation paths.

1. ICO complaint

The Information Commissioner's Office is the regulator. You can complain free of charge. The ICO can issue a reprimand, an enforcement notice, or a fine of up to £17.5 million or 4% of annual turnover.

2. Compensation under section 168 DPA 2018

You can sue the controller for damages, including for distress. You do not need to prove financial loss. The case Lloyd v Google narrowed the scope of class actions but bilateral claims remain alive and well.

3. Court order requiring compliance

Under section 167 of the DPA 2018, the court can order the controller to comply.

Five real-world DSAR uses

Council tax dispute

Force the council to disclose every assessment, reminder, payment and adjustment on your account. The result is often a different picture than the demand suggests.

Workplace dismissal

Force your former employer to disclose performance reviews, manager emails, and any “off the record” conversations. Often surprising, occasionally explosive.

Failed mortgage application

Force the bank to disclose the decisioning notes and any third-party data feed (CIFAS, Experian) that drove the rejection. CIFAS markers in particular are often inaccurate and removable.

Police involvement

Force the police to disclose any intelligence or PNC entries about you. Sometimes catastrophically wrong; the rectification right exists for exactly this reason.

Tenancy disrepair

Force your landlord to disclose maintenance records, contractor reports, and prior tenant complaints about the same defect. Devastating evidence in disrepair claims.

Where LAW-BUD fits in

A DSAR is the single most leveraged free legal instrument available to UK citizens. We built LAW-BUD around it.

  • The @dsar template — drafts a tailored, properly-cited request to any controller you name, with the right specifics for your case (council tax, employment, police, landlord, banking).
  • Knowledge Base — when the response arrives, drop the entire bundle into your Knowledge Base. Ask LAW-BUD: “What is missing?” or “Find every reference to [topic].”
  • Document Vault — keep the response, your follow-ups, and any ICO correspondence in one place.
  • ICO Complaint template — when escalation is needed, we draft the complaint to the ICO citing the specific failures.

The system that holds your data does not expect you to ask for it. The DSAR is the lever that changes that — and it is sitting there, free, waiting for you to pull it.

Your turn

Stop Googling at midnight.
Start getting answers.

Free for 15 questions. No card required. Cancel any time.

Try LAW-BUD free →See pricing
Keep reading

More from the LAW-BUD blog

Council Tax·Scotland
Council Tax Summary Warrant in Scotland: Your Rights, Your Defences, Your Plan
A Scottish summary warrant is not an English summons. Don't act on the wrong advice. Here's exactly what's happened, what comes next, and how you push back — in plain English.
Read
Tenancy·Scotland
Your Landlord Wants You Out: A Scottish Tenant's Guide to Defending a Private Residential Tenancy
Scotland has its own tenancy regime — Section 21 doesn't exist here. If your landlord has served a Notice to Leave, here's exactly what they need to prove and how you defend yourself at the Housing & Property Chamber.
Read
Tenancy·England & Wales
Your Landlord Just Served a Section 21: How to Defend Your Tenancy in England & Wales
A Section 21 notice is the most common — and most procedurally fragile — eviction tool in English housing law. Six things must be true for it to be valid. Get one wrong and the whole notice is void. Here's how to find the defects.
Read
Small Claims·Scotland
Simple Procedure in Scotland: How to Bring (or Defend) a Small Claim Under £5,000
If somebody owes you up to £5,000, you don't need a solicitor. Scotland built Simple Procedure for self-litigants. Here are the fees, the forms, the stages, and the three things that consistently separate winning self-litigants from losing ones.
Read
Parking·UK
How to Win Your Parking Charge Notice Appeal: Council and Private Charges Decoded
About half of formal parking appeals succeed — but only if you know which regime you're in (council statutory PCNs vs private contract charges) and which defence to run. Here are the procedural rules, the deadlines and the exact way in.
Read
Employment·UK
Unfairly Dismissed: How to Bring an Employment Tribunal Claim Without a Solicitor
If you were dismissed and you have two years' service, you have a real claim — but the limitation period is three months less one day. Here is the framework, the ACAS Early Conciliation step, the procedural fairness test, and what you can recover.
Read