SARs update

There is an increasing concern about the level of Data Subject Access Requests that many healthcare organisations are receiving, driven by AI. How AI Is Driving the Rise in DSARs Under UK GDPR (2025 Guide)

The ICO’s official 2023–2024 annual report stated that Article 15 complaints (“right of access”) accounted for 38.74% of all data protection complaints it received; this makes DSAR-related issues the single largest category in ICO workload.

The recently approved Data Use & Access Act contains a provision that may be useful when organisations are faced with what appear to be large and complex requests. There is a section that states controllers are only required to perform a “reasonable and proportionate” search for information and personal data in response to a subject access request. DUAA 2025 Explained

The law does not define “reasonable and proportionate” but where GP Practices receive large complex access requests, they are advised to contact the N3i IG Team for advice. Considering reasonable and proportionate searches