How to Handle Freedom of Information Requests vs Subject Access Requests
When individuals or organisations request information, it’s easy to assume that all such requests fall under the same process. However, FOI requests and subject access requests (SARs) are fundamentally different, both in purpose and in the way they must be handled.
For public authorities and other organisations that manage both types of request, understanding these distinctions is essential to staying compliant with data protection obligations. Handling an FOI request like a SAR, or vice versa, can lead to data breaches, missed deadlines, or reputational harm.
This blog explores the key differences between FOIs and SARs, and how to manage each appropriately when considering GDPR vs FOI requirements.
What Is a Freedom of Information (FOI) Request?
A Freedom of Information request is made under the Freedom of Information Act 2000 (FOIA), which gives members of the public the right to access recorded information held by public authorities. This could include government departments, local councils, the NHS, schools, police forces, or other publicly funded bodies.
The purpose of FOI legislation is to promote transparency and accountability in the public sector. It allows anyone to find out how public bodies operate, how they make decisions, and how public money is spent.
An FOI request could ask for things like policy documents, reports, meeting minutes, or spending data. What’s important to remember is that an FOI request is not for personal data; it relates to information about the organisation and its functions, not individuals.
What Is a Subject Access Request (SAR)?
A Subject Access Request (SAR), on the other hand, falls under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It gives individuals the right to access the personal data an organisation holds about them.
This could include information in emails, databases, personnel records, CCTV footage, or anything else that identifies or relates to that individual.
The SAR right is part of the broader set of individual rights under data protection law, designed to give people control over their personal data.
Who can make a request?
This is one of the most obvious differences.
FOI requests can be made by anyone. The requester doesn’t need to explain why they want the information or provide identification. They simply need to make the request in writing (by email, letter, or online form) and provide enough detail for the organisation to locate the information.
Subject access requests, by contrast, can only be made by the individual whose data is being requested (or by someone acting on their behalf). Because personal data is involved, organisations must confirm the requester’s identity before disclosing any information. This verification step helps prevent personal data from being released to the wrong person, which would be a serious data breach.
What type of information is released?
Under FOI, the information released is considered to be in the public domain, meaning it can be shared or published by anyone.
Many public bodies now proactively publish their FOI responses online to promote openness and reduce duplicate requests.
In contrast, SAR responses are private and personal. The information should only be provided to the individual who made the request, as it relates to their personal data. You should not publish it or share it with anyone else, and you must take care to remove or redact any information that identifies third parties.
Handling and timelines
The handling procedures and timescales for each request type also differ:
FOI requests must be responded to within 20 working days of receipt. Extensions may be granted in limited cases where more time is needed to consider exemptions or public-interest tests.
Subject access requests must be completed without undue delay, and no later than one calendar month after receipt. This can be extended by up to two additional months in limited circumstances.
In both cases, it’s important to keep clear records of when a request was received, acknowledged, and responded to, as timeliness is a key compliance requirement.
Exemptions and redactions
Both FOI and SAR legislation recognise that not all information can be disclosed.
Under FOI, exemptions exist for reasons such as national security, commercial sensitivity, or personal data protection. For example, an FOI cannot be used to obtain someone else’s personal data; this would be exempt under Section 40 of the Act.
Under a SAR, exemptions apply in situations where disclosure would prejudice ongoing investigations, reveal another person’s personal data without consent, or breach legal privilege. When this occurs, you must explain why certain data cannot be disclosed.
Careful redaction is therefore often required for both types of request, but for very different reasons: under FOI, to withhold exempt material such as third-party personal data; under a SAR, to protect other individuals' data and any information covered by an exemption.
Legal framework and accountability
Another major difference lies in who the laws apply to.
FOI law applies primarily to public authorities and certain publicly funded bodies.
SAR rights apply to any organisation that processes personal data, including private companies, charities, and public bodies.
Failing to comply with either law can result in complaints to the Information Commissioner’s Office (ICO), which oversees compliance and can take enforcement action where necessary.
Overall
Although FOI requests and subject access requests both involve releasing information, their purposes and obligations are entirely different. Understanding and correctly distinguishing between them helps organisations remain compliant and maintain an appropriate balance between openness and the protection of personal data.
Being clear about which process applies and why supports confident, accurate handling of requests, especially when GDPR vs FOI considerations arise.