Does a DSAR have to be in writing to be valid?

No. A DSAR can be made verbally, by email, by text message, or in any other format. The one-month time limit starts from the date you receive the request.

Can I charge a fee for responding to a DSAR?

Generally no. Responses must be provided free of charge. You can only charge where a request is manifestly unfounded or excessive.

What if I no longer have the data the tenant is asking for?

If you no longer hold data that the tenant is requesting, you must tell them that clearly. You cannot provide data you do not have.

Can a former tenant make a DSAR after the tenancy has ended?

Yes. The right of access applies regardless of whether the tenancy is current or historic. A former tenant can make a DSAR at any time in relation to data you still hold.

Compliance guide · Data protection · England

How to Handle a Tenant Data Subject Access Request

Updated April 2026 7 min read England

A Data Subject Access Request (DSAR) is a formal request from a tenant for a copy of all personal data you hold about them, together with information about how you use it. The right to make a DSAR is guaranteed by the UK GDPR. You must usually respond within one month, subject to limited extensions. This guide explains what a DSAR is, what data you must provide, what you can withhold, and how to respond correctly. It is derived from the UK GDPR and ICO guidance.

Data protection process

GDPR obligations → DSAR response → DSAR response → ICO enforcement

What a DSAR is

A Data Subject Access Request (DSAR) is a request by an individual — in the landlord context, typically a current or former tenant — to receive a copy of all personal data you hold about them, together with supplementary information about how you process that data. The right is conferred by Article 15 of the UK GDPR.

A DSAR does not have to use any particular form of words. If a tenant asks "what information do you have about me?", "can I see my file?", or "please send me all the data you hold on me", that is a valid DSAR and the one-month clock starts from the date you receive it.

UK GDPR, Art. 15 · ICO: Right of access

When you have received a valid DSAR

A DSAR is valid regardless of the format in which it is made — email, letter, text message, or verbal. You should acknowledge receipt as soon as possible and note the date you received it, as this starts the one-month deadline.

You may ask the requester to clarify what they are looking for, but only if you genuinely need clarification to process the request — not to delay. You may also ask for proof of identity if you have reasonable doubt about the requester's identity, but this is rarely necessary in a landlord-tenant context where you already hold identity documents.

Identity verification before responding

You are entitled to request reasonable proof of identity before responding where you have genuine doubt about who is making the request. The one-month deadline does not begin until you have received sufficient identification. However, in most landlord-tenant relationships you already hold identity documents — do not use identity verification as a delaying tactic where you clearly know who the requester is.

Where you do need to verify identity, ask for the minimum information necessary — typically one piece of photo ID. Do not request excessive documentation. The ICO is clear that identity checks should not be used to obstruct access rights. The one-month deadline begins once sufficient identity verification has been received, not from the date of the original request where verification was reasonably required.

UK GDPR, Art. 12 · ICO: Verifying identity for subject access requests

The one-month deadline

You must respond within one month of receiving the DSAR. The clock runs from the day you receive the request, regardless of weekends or bank holidays.

In complex cases, or where you receive multiple requests from the same person, you may extend the time limit by up to two further months. However, you must notify the tenant within the original one-month period that you are extending and explain why — failure to do so is itself a breach. The extension is not automatic; it must be genuine and proportionate to the complexity of the request.

You must not charge a fee for responding to a DSAR. The only exception is where a request is manifestly unfounded or excessive — this is a high threshold that a standard tenant request will rarely meet. Charging a fee for a routine DSAR is itself a breach of UK GDPR.

What you must provide

The obligation extends to all personal data you hold about the requester across every system — email accounts, property management software, referencing reports, maintenance logs, rent payment records, internal notes, call logs, and communications with your letting agent about that tenant. It is not limited to formal documents.

In response to a DSAR you must provide:

A copy of all personal data you hold about the requester in a commonly used electronic format
The purposes for which you process that data
The categories of data you hold
Who you share it with (recipients or categories of recipient)
How long you intend to keep it (or the criteria used to determine retention)
Information about their other rights: rectification, erasure, restriction, complaint to the ICO

In a landlord context, the personal data you hold about a tenant typically includes: their tenancy agreement (including their name, address, and contact details), rent payment records, deposit protection records, correspondence, right-to-rent documents, maintenance logs, and any credit or reference check information you retain.

What you can withhold

You must not disclose personal data relating to other individuals — for example, another tenant's details, a neighbour's complaint, or a third party's contact information — unless it is reasonable in all the circumstances to do so or the third party has consented. In practice, this means redacting any information that would identify a third party before sending the response. Failure to redact third-party data could itself constitute a data breach.

Examples of third-party data that typically requires redaction: references written by previous landlords or employers; complaints received from neighbours; financial details of guarantors; contact details of tradespeople where those are personal rather than business details.

You can also withhold data that is legally privileged — for example, legal advice you have received about the tenant. In practice this is rare for most landlords.

You cannot withhold data simply because it is unflattering, because you are in dispute with the tenant, or because providing it might disadvantage your legal position. The right of access exists regardless of the circumstances.

UK GDPR, Art. 15 · ICO: Exemptions from the right of access

DSARs during disputes

It is common for tenants to make DSARs when a dispute arises — for example, during a possession claim, a deposit dispute, or following a complaint. This is a legitimate use of the right and does not change your obligations. A DSAR made as part of a dispute is not "manifestly unfounded" simply because it coincides with litigation.

You must still usually respond within one month, subject to limited extensions. Your solicitor can advise on any legally privileged material that might properly be withheld, but the threshold for withholding is high.

Refusing or delaying is high risk

Failing to respond to a DSAR on time, or refusing without a valid legal basis, can result in an ICO complaint and enforcement action. The ICO takes a dim view of landlords who ignore DSARs, particularly where the tenant has made clear the request is being disregarded.

How to respond

A practical process for handling a tenant DSAR:

Day 0: Receive request. Note the date. Acknowledge receipt by email or letter.
Days 1-20: Identify all personal data you hold — tenancy file, correspondence, rent records, deposit records, right-to-rent documents, maintenance logs. Collect and review.
Days 21-28: Prepare your response. Redact third-party personal data. Draft the covering letter explaining your processing.
Days 28–30: Send the response. Keep a copy of everything you sent and the date you sent it.

Send the response by email (with read receipt) or by recorded post to create a dated record. Keep evidence that you responded within the deadline.

DSAR response checklist

A documented process protects you if the ICO investigates. Work through these steps for every DSAR:

Step 1 — Log the request. Record the date and method of receipt (email, letter, verbal). This starts the one-month clock.
Step 2 — Verify identity if needed. Where you have genuine doubt, request the minimum identification required before proceeding.
Step 3 — Search all systems. Email, property management software, maintenance records, referencing reports, agent communications, internal notes, call logs.
Step 4 — Review and redact. Remove third-party personal data. Apply any lawful exemptions. Check for legally privileged material.
Step 5 — Compile the response. Prepare a covering letter explaining your processing — lawful basis, retention periods, data sharing, and the tenant's rights.
Step 6 — Deliver securely. Send by encrypted email or recorded post. Do not send sensitive documents through unprotected channels.
Step 7 — Record completion. Keep a copy of your response, the date sent, and evidence of delivery.

Consequences of getting it wrong

Failure to respond to a DSAR correctly — whether by missing the deadline, providing incomplete data, or refusing without lawful grounds — can result in a complaint to the Information Commissioner's Office. the ICO has powers to investigate to investigate, issue enforcement notices requiring compliance, and impose financial penalties. For serious or repeated failures, fines can be substantial.

In a landlord context, the most common ICO actions following a DSAR complaint are an informal resolution requiring the landlord to respond in full, or a formal reprimand. Landlords who ignore DSARs entirely, particularly during disputes, are at highest risk of formal enforcement action.

Data Protection Act 2018, s.155 · ICO: Enforcement · ICO: Penalties

ICO complaints and enforcement

If a tenant is not satisfied with your response to a DSAR, they can complain to the ICO at ico.org.uk. The ICO will investigate and may require you to provide information, comply with the request, or pay a penalty. For straightforward DSARs from tenants, the ICO's primary concern is whether you responded on time and in full.

Landlords who repeatedly fail to respond to DSARs, or who refuse without valid grounds, risk formal enforcement action including enforcement notices and financial penalties.

UK GDPR, Art. 15 · Data Protection Act 2018, s.167 · ICO: Complaints

Record this. keep a dated record of every DSAR received — the date, the requester, and the date and content of your response. This enables you to demonstrate compliance if an ICO complaint is later made.

Not legal advice. This guide is derived from the UK GDPR, the Data Protection Act 2018, and ICO guidance as at April 2026. If you are subject to a DSAR in the context of legal proceedings, consult a qualified solicitor before responding.