Skip to main content

Subject Access Requests vs FOI: A Journalist's Guide

Know when to use a Subject Access Request under UK GDPR and when to use a Freedom of Information request — two distinct rights with different targets, time limits, and exemptions.

Last reviewed: Next review due:

What is a Subject Access Request?

A Subject Access Request (SAR) is a right under Article 15 of UK GDPR — retained in domestic law by the Data Protection Act 2018 — for any individual to obtain a copy of the personal data an organisation holds about them, along with supplementary information about how that data is processed. The right applies to any organisation processing personal data about you, whether public or private.

This is fundamentally different from a Freedom of Information (FOIA) request. FOIA applies only to public authorities and covers any recorded information they hold — not necessarily about you. A SAR is about your personal data held by any organisation. The two rights are complementary but serve entirely different purposes and are governed by different legislation.

For journalists, SARs are most useful when you want to understand what an organisation knows about you personally — for instance, whether you are being monitored, what records are held about your inquiries, or what information has been shared about you with third parties.

Key differences: SAR vs FOI at a glance

CriteriaSubject Access Request (SAR)FOI Request (FOIA 2000)
Who can requestAny individual (data subject)Any person (individual, company, journalist)
Who must respondAny organisation processing your personal dataPublic authorities only
What data is coveredYour own personal data held by the organisationAny recorded information held by a public authority
Time limitOne calendar month (extendable by two months for complexity)20 working days
CostFree (with limited exceptions for manifestly unfounded or excessive requests)Free (subject to cost limit)
Identity verificationOrganisation may ask for reasonable proof of identityNo identity requirement — anyone may request
Key exemptionsCrime prevention, legal privilege, journalism exemption (DPA 2018 Sch 2 Pt 5)Multiple absolute and qualified exemptions under FOIA ss.21–44
RegulatorInformation Commissioner's Office (ICO)Information Commissioner's Office (ICO)

When a journalist should use a SAR

A SAR is the right tool when the investigation centres on your own personal data — specifically, what an organisation has recorded, shared, or acted upon in relation to you. Common scenarios include:

  • 1Discovering what personal data an organisation holds about you — emails, call logs, internal notes, or surveillance records.
  • 2Finding out whether you have been subjected to monitoring, profiling, or background checks by a public body or private company.
  • 3Revealing the sources of information an organisation used when making a decision that affected you — for example, a rejection of accreditation or a police interaction.
  • 4Understanding whether your data has been shared with third parties, including other government departments, contractors, or foreign agencies.
  • 5Obtaining copies of correspondence in which you are named or discussed, which the organisation may not have disclosed via FOI.
  • 6Investigating how long an organisation has retained your data and whether that retention is lawful.

When a journalist should use an FOI request

An FOI request is the right tool when you are seeking information held by a public authority about a matter of public interest — regardless of whether that information relates to you personally. FOI covers a far broader range of material than a SAR, but it only applies to public bodies. Use FOI to obtain:

  • 1Policies, internal guidance, and decision-making processes within government departments, councils, NHS trusts, or police forces.
  • 2Spending data, contracts, procurement decisions, and supplier payments.
  • 3Correspondence between officials and external parties on matters of public concern.
  • 4Statistical data, research, risk assessments, and internal audits.
  • 5Information about third parties — for instance, how many complaints a body has received or how it has handled a particular category of case.
  • 6Records relating to a public authority's own conduct — disciplinary proceedings, legal costs, settlement agreements.

For a step-by-step guide to making an FOI request, see our guide on how to file an FOI request in the UK.

The DPA 2018 journalism exemption and SARs

Schedule 2, Part 5 of the Data Protection Act 2018 creates a special exemption from certain UK GDPR obligations — including the right of access — where personal data is processed for journalistic, academic, artistic, or literary purposes. This exemption can be relied upon where complying with the data subject's rights would be incompatible with those purposes.

In practice, this means a media organisation or journalist may be able to refuse a SAR from a subject of their investigation where disclosing the data held would, for example, reveal a confidential source, prejudice the publication of an investigation, or undermine the journalistic purpose. However, the exemption is not absolute: the organisation must still consider each request individually and cannot use the exemption as a blanket refusal policy.

The exemption cuts both ways. Just as a journalist may use it to withhold data from a subject, an organisation being investigated may attempt to invoke it to refuse a SAR made by a journalist about data the organisation holds about them. In that scenario, the organisation would need to demonstrate that it is genuinely processing the data for a journalistic purpose — not simply using the exemption to avoid transparency.

For a fuller treatment, see our guide to the data protection journalism exemption.

Identity verification pitfalls for SARs

Unlike FOI requests — where anyone may submit a request anonymously — SARs require the organisation to be confident it is responding to the correct data subject. Organisations may legitimately ask for proof of identity before responding. However, the ICO makes clear that what is “reasonable” depends on context: if you are already known to the organisation and your identity is not genuinely in doubt, demanding extensive documentation is unlikely to be justified.

Common pitfalls to be aware of:

  • Organisations using identity verification as a delay tactic — they must respond within one month of receiving sufficient information to identify you, not from the date of a later identity check.
  • Requests for disproportionate documentation — a name and account reference is typically sufficient where the organisation already holds records about you; demanding a passport copy may not be reasonable.
  • Organisations conflating identity verification with asking for a reason — you are never required to explain why you are making a SAR.
  • The one-month clock pausing while the organisation seeks clarification — this pause is permissible but only where the request is genuinely unclear, not to buy extra time.
  • If you believe identity verification is being used in bad faith, note this in your correspondence and raise it in any subsequent ICO complaint.

Checklist: SAR or FOI for your investigation?

Work through these questions to decide which route — or combination of routes — is right for your investigation:

Is the information you want about your own personal data?SARFOI
Is the information held by a public authority?SARFOI
Is the information held by a private company?SARFOI
Do you want policies, contracts, or spending data?SARFOI
Do you want to know if you are being monitored or surveilled?SARFOI
Do you want correspondence between officials about a public matter?SARFOI
Are you comfortable providing proof of identity?SARFOI
Do you need to remain anonymous as the requester?SARFOI

The two routes are not mutually exclusive. A journalist investigating a public body's conduct may file an FOI request for policy documents and a SAR to discover what data the body holds about them personally. Both can be submitted simultaneously.

Not legal advice

This guide is provided for information and educational purposes only. It is not legal advice and does not create a solicitor-client relationship. Data protection and freedom of information law are complex and fact-specific. If you are involved in a dispute with an organisation over a SAR or FOI request, or if you are considering whether the journalism exemption applies to your situation, you should seek independent legal advice from a solicitor with relevant expertise. The ICO also provides free guidance at ico.org.uk.

See also: FOI exemptions overview · challenging FOI refusals · ICO complaint template

Frequently asked questions

Can I send a Subject Access Request to a private company?
Yes. Unlike FOI, which only applies to public authorities, the right to make a Subject Access Request under UK GDPR Article 15 applies to any organisation — public or private — that processes your personal data. This includes private companies, charities, employers, insurance firms, and any other entity holding data about you. The organisation must respond within one calendar month.
What is the main difference between a SAR and an FOI request?
A Subject Access Request (SAR) is a right under UK GDPR to obtain copies of your own personal data held by any organisation. A Freedom of Information (FOI) request is a right under the Freedom of Information Act 2000 to obtain information held by a public authority — which can be about any subject, not just yourself. SARs are about you and your data; FOI requests are about information held by government and other public bodies on any topic of public interest.
Can I use a SAR on a police force?
Yes, but with important caveats. Police forces are subject to both UK GDPR and the Law Enforcement Processing regime under Part 3 of the Data Protection Act 2018, which applies to personal data processed for law enforcement purposes. A SAR to a police force about data they hold on you will be handled under these rules. Exemptions apply where disclosure would prejudice an investigation, risk identifying a confidential source, or compromise national security. You can still submit the request — the force must at least confirm whether it holds data on you, unless even that confirmation would cause harm.
What can I do if my SAR is refused?
If an organisation refuses your SAR or fails to respond within one month, you can complain to the Information Commissioner's Office (ICO). Before doing so, raise the matter directly with the organisation in writing and request an explanation. If the refusal relies on an exemption, the organisation must tell you which exemption it is relying on. The ICO can require the organisation to comply and, in serious cases, issue enforcement notices. You also have the right to seek a court order under section 167 of the Data Protection Act 2018.
Can a journalist use a SAR to find out what data an organisation holds about them?
Yes, and this is often a valuable tool. If you suspect an organisation has been monitoring your activity, compiling files on your sources, or sharing information about you with third parties, a SAR will require them to disclose that data. However, note that the DPA 2018 Schedule 2 Part 5 journalism exemption allows organisations to refuse parts of a SAR where complying would prejudice journalistic, academic, artistic, or literary purposes — so the exemption can cut both ways.
Is there a cost to making a SAR or an FOI request?
Both are free in the standard case. A SAR under UK GDPR must be responded to at no charge. FOI requests under the Freedom of Information Act 2000 are also free, though a public authority can refuse to respond if the estimated cost of compliance exceeds the appropriate limit (currently £600 for central government, £450 for other public bodies). Neither route requires you to give a reason for your request.