Folelse


Handling an Article 15 Subject Access Request (SAR)

An Article 15 Subject Access Request (SAR) is the most common data subject request (DSR). The individual is requesting a copy of all personal data you hold about them, plus supplementary information about how it is processed.

What you must provide in response

  • Confirmation that you process data about them (or that you do not).
  • A copy of all personal data you hold about them.
  • The purposes of processing.
  • The categories of data held.
  • Recipients or categories of recipients.
  • Retention period or criteria used to determine it.
  • Information about their rights (rectification, erasure, restriction, complaint).
  • Where data was not collected from the individual directly, information about the source.
  • Information about any automated decision-making, including profiling.

Redacting third-party data

When providing a copy of records, you must redact any personal data relating to third parties (e.g. names of colleagues mentioned in an HR record, other patients mentioned in clinical notes). Use the redaction tool in Folelse or redact manually before attaching files.

Using Folelse's auto-generated response template

  1. Open the SAR record.
  2. Click "Generate Response Template".
  3. The template is pre-filled with your organisation details, the requestor's name, and the statutory information.
  4. Add the specific data you are providing as an attachment.
  5. Review and customise the covering letter.
  6. Copy or download the response for sending.

Common exemptions that apply to SARs

  • Legal professional privilege — communications with your solicitors about legal proceedings.
  • Management information — information about planned redundancies, promotions, or performance management (temporary exemption).
  • Confidential references — references you give about a person (not references you receive).
  • Crime and taxation — data processed for crime prevention or tax collection purposes.
  • NHS clinical information — in rare cases, clinical data may be withheld if disclosure would cause serious harm to the patient or a third party (requires clinical input to decide).

You cannot charge a fee for a SAR unless it is "manifestly unfounded or excessive". The first request must be free of charge.
