SARs and FOI requests are frequently confused — particularly in public sector organisations that can receive both. But they are completely different in their legal basis, scope, who can receive them, what must be disclosed and what can be withheld. Getting them mixed up is a compliance risk.
Here is a clear comparison of the two frameworks, followed by guidance on how to handle each.
Side-by-Side Comparison
| Factor | Subject Access Request (SAR) | Freedom of Information (FOI) |
|---|---|---|
| Legal basis | UK GDPR Article 15 · Data Protection Act 2018 | Freedom of Information Act 2000 · Environmental Information Regulations 2004 |
| Who can receive it | Any organisation — public or private — that holds personal data | Public authorities only (government, councils, NHS, schools, universities) |
| What is requested | The requester's own personal data | Any recorded information held by the authority (not limited to personal data) |
| Who can submit it | Any individual whose data is held | Anyone — individuals, businesses, journalists, organisations |
| Deadline | One calendar month (extendable by 2 months for complex requests) | 20 working days |
| Fee | Free in almost all cases | Free up to 18 hours of staff time (central government) / 24 hours (other public bodies) |
| Key exemptions | Third-party data, legal privilege, DPA 2018 Schedule 2 exemptions | Personal information, commercial interests, national security, legal privilege, policy formulation, public interest test |
| Enforcement body | Information Commissioner's Office (ICO) | Information Commissioner's Office (ICO) |
The Key Practical Differences
1. Private organisations only deal with SARs
If you are a private company, employer, charity or healthcare provider outside the public sector, you cannot receive an FOI request. Only public authorities are subject to the Freedom of Information Act 2000. All data access requests you receive from individuals will be SARs under UK GDPR.
2. Public sector organisations must handle both
Schools, NHS bodies, councils, universities and government departments can receive both SARs and FOI requests — sometimes from the same person, at the same time, about the same underlying situation. Each must be handled under its own legal framework, with its own deadline and its own exemption regime.
A common mistake in public sector organisations is handling a SAR under FOI procedures or vice versa. The deadlines are different (one calendar month vs 20 working days), and the exemptions are different. Applying the wrong framework can result in a breach.
3. FOI covers a much broader scope of information
A SAR only entitles the requester to their own personal data. An FOI request can ask for any recorded information held by the public authority — internal reports, meeting minutes, policy documents, contracts, communications and more. The scope of an FOI request is therefore potentially much wider than a SAR.
4. The exemption frameworks are different
SAR exemptions under UK GDPR and the DPA 2018 are relatively limited — primarily third-party personal data, legal privilege, and the Schedule 2 exemptions. FOI exemptions are broader and more varied, including absolute exemptions (which apply regardless of public interest) and qualified exemptions (which require a public interest balancing test).
Key FOI exemptions that have no direct SAR equivalent include:
- Section 35 — formulation of government policy
- Section 36 — prejudice to effective conduct of public affairs
- Section 43 — commercial interests
- Section 24 — national security
5. Personal data in FOI responses is handled under UK GDPR
This is where the two frameworks intersect. If an FOI response would involve disclosing someone's personal data, Section 40 of FOIA 2000 applies — and the disclosure of that personal data is governed by UK GDPR. In practice, this means that personal data about identifiable living individuals should generally not be disclosed in an FOI response unless there is a lawful basis to do so under UK GDPR.
What This Means If You Receive Both Simultaneously
It is perfectly possible for an individual to submit a SAR and an FOI request at the same time — particularly in public sector employment disputes. For example, a former employee of a council might submit a SAR requesting their personal data and an FOI request asking for the council's HR policies and disciplinary procedures.
Each request must be handled separately:
- The SAR is handled under UK GDPR with a one calendar month deadline
- The FOI is handled under FOIA 2000 with a 20 working day deadline
- Each has its own exemption framework
- Each requires its own response
Conflating them into a single response is a compliance risk and rarely produces a satisfactory outcome for either purpose.
Frequently Asked Questions
Can a private company receive an FOI request?
No. The Freedom of Information Act 2000 only applies to public authorities as defined in Schedule 1 of the Act. Private companies — including those providing outsourced public services — are generally not subject to FOIA unless they are specifically designated. Private organisations can receive SARs under UK GDPR.
Can someone submit both a SAR and an FOI about the same situation?
Yes — and it happens frequently in employment disputes, regulatory investigations and media inquiries directed at public sector bodies. Each request must be handled under its own legal framework, with its own deadline and response.
What if we're not sure whether a request is a SAR or an FOI?
Read the request carefully. If the person is asking for information about themselves — their own employment records, their own personal data — it is almost certainly a SAR. If they are asking for general information, policies, statistics or communications not specific to them personally, it is likely an FOI (if you are a public authority). If still unclear, contact the requester to clarify — but note that the relevant deadline may already be running.