If you’re in dispute with your insurance company, feeling kept in the dark, or simply want to understand what information they hold about you, a Subject Access Request (SAR) can be a powerful (and often under-used) tool.
This document explains what a SAR is, when it is useful, and how to make one properly to your insurer.
WHAT IS A SUBJECT ACCESS REQUEST?
A Subject Access Request is a formal request you can make under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
It gives you the right to:
• Ask whether an organisation is processing your personal data
• Obtain a copy of that personal data
• Understand how and why your data is being used
• See who it has been shared with
In short, it allows you to see what your insurer knows, thinks, and records about you.
WHY MAKE A SAR TO AN INSURANCE COMPANY?
SARs are particularly useful in insurance disputes, including:
• Subsidence or tree‑root damage claims
• Delays, refusals, or partial settlements
• Poor complaint handling
• Preparing a complaint to the Financial Ombudsman Service (FOS)
• Litigation or pre‑action strategy
A SAR can reveal:
• Internal claims notes
• Loss adjuster instructions and reports
• Internal emails discussing your claim
• Complaint handling records
• Call recordings and transcripts
WHAT INFORMATION CAN YOU ASK FOR?
You are entitled to all personal data relating to you, including:
• Claims handling notes
• Underwriting data
• Emails referring to you
• Expert correspondence containing your personal data
• Call recordings
• Complaint files
ARE THERE LIMITS?
Insurers may withhold information where:
• It contains third‑party personal data
• It is legally privileged
• Disclosure would prejudice crime or fraud prevention
They cannot refuse disclosure simply because information is internal or unhelpful.
HOW TO MAKE A SAR
- Put it in writing (email or letter)
2. State clearly it is a “Subject Access Request under UK GDPR”
3. Specify the scope if possible
4. Provide ID if requested
EXAMPLE WORDING
“I am making a Subject Access Request under Article 15 UK GDPR. Please provide me with a copy of all personal data you hold about me in relation to my insurance policy and claim, including claims notes, internal correspondence, reports, call recordings, and complaint records.”
TIME LIMITS
Insurers must respond within one month. This can be extended by up to two further months if the request is complex.
WHAT IF THE INSURER DOES NOT COMPLY?
You can:
• Chase formally
• Escalate to the Data Protection Officer
• Complain to the Information Commissioner’s Office
• Rely on non‑compliance in complaints or litigation
FINAL NOTE
A SAR is both a legal right and a strategic tool. Used properly, it can clarify decision‑making, expose weaknesses, and strengthen complaints or claims.
