This policy was adopted at the meeting of Mudford Parish Council held on 26th February 2026.

Purpose

This policy sets out how Mudford Parish Council (the council) will lawfully, consistently and promptly respond to Subject Access Requests (SAR) in accordance with UK data protection legislation.[1]

Introduction

Individuals (data subjects) have the right to obtain confirmation that their personal data is being processed and have access to that data.[2]

Personal data means any information relating to an identified or identifiable living individual. The processing of personal data is governed by UK data protection legislation.

This policy explains the council’s internal process for handling SARs and ensures requests are managed in a consistent and compliant manner.

Further information about how the council processes personal data is set out in the council’s Privacy Notices and Data Protection Policy.

Scope

This policy applies to:

• All SARs made to the council.
• All councillors, employees and contractors handling personal data.
• All personal data held in electronic or manual filing systems.

Roles and responsibilities

Data Controller

Mudford Parish Council is the data controller. [3]

Data Protection Officer (DPO)

The clerk (or appointed DPO) is responsible for:

• Coordinating responses to SARs
• Maintaining the SAR log
• Advising staff and councillors
• Ensuring statutory timescales are met

Staff and councillors

All staff and councillors must:

• Recognise SARs
• Forward requests immediately to the clerk/DPO
• Assist with searches when requested

What is a Subject Access Request (SAR)?

A SAR is a request from an individual asking for:

• Confirmation their personal data is being processed
• Access to their personal data
• Supplementary information required under Article 15 of UK GDPR

Requests may be made verbally or in writing (including by email or social media).[4]

Processing a SAR

Upon receipt of a SAR, the council will:

• Log the request in the SAR register. This will include:
  • Date received
  • Requester details
  • Summary of request
  • ID verification status
  • Response deadline
  • Outcome
  • Exemptions (if any)

Records will be retained in accordance with the council’s data retention policy.

• Acknowledge receipt promptly.
• Verify identity where reasonable and proportionate – where verification is required the council may request appropriate documentation whilst acting proportionately.
• Clarify the scope if the request is unclear.
• Assess validity, including whether the request is manifestly unfounded or excessive.
• Act within the statutory timescale, namely without undue delay and within one calendar month of receiving the request and any required identification. The council may extend the response period by up to two further months where requests are complex or numerous and the requestor will be advised within the first month if an extension is required.
• Conduct (and document) thorough searches of systems they control including (where applicable)
  • Email systems
  • Electronic records
  • Paper files
  • Mobile devices used for council business
  • Social media used for council business

• Redact personal information about others or assess whether disclosure is reasonable under Data Protection Law.
• The council will normally provide information in electronic form when the request was made electronically unless otherwise requested. The information provided will include a copy of the personal data and any required supplementary information as specified in Article 15 of UK GDPR.

Fees

SARs are normally free of charge, however the council may charge a reasonable fee when permitted by article 12(5) UK GDPR, for example where requests are manifestly unfounded or excessive or for repeated copies.

Exemptions

Some information may be withheld where an exemption applies under the Data Protection Act 2018. Where data is withheld the council will explain the reason(s).

Refusing a Request

The council may refuse a request where permitted by law, for example where requests are manifestly unfounded or excessive or for repeated copies.

If refusing a request the council will (within one month) explain the reasons and inform the individual of their right to complain or seek judicial remedy. All refusals will be documented.

Complaints

If a requester is dissatisfied, they should use the council’s complaints procedure in the first instance, however individuals also have the right to complain to the Information Commissioners Office.

[1] UK General Data Protection Regulation and Data Protection Act 2018

[2] Article 15 and Article 12 UK GDPR

[3] Article 4(7) UK GPDR

[4] Article 15 and Article 12 UK GDPR