| Reference | FOI 2025/1387 |
|---|---|
| Description | Subject Access Request (SAR) Processing and Resources |
| Date Requested | 23/09/2025 |
| Date Replied | 01/10/2025 |
| Category | Corporate Services & Governance |
I am writing under the Freedom of Information Act to request information relating to the handling of Subject Access Requests (SARs) within your organisation. Please provide the following:
1. In the last three financial years, how many Subject Access Requests (SARs) were received and how many were responded to within one month? How many were completed late, and were any completed beyond three months (if extended)?
2. What budget (and actual spend) was allocated specifically for SAR processing in each of the last three financial years? Please include staff, IT and any consultancy costs as separate categories.
3. List any software or services used to manage SARs (including FOI management systems if used for SARs). For each, give the name, vendor, purchase or implementation date, and (if held) annual cost.
4. Does the organisation’s risk register or information-governance risk log include SAR compliance or GDPR breach risk entries? If so, what mitigation actions or investments are recorded?
5. Describe any formal projects or procurement (completed or planned) to improve SAR handling (e.g. new software purchases, staff training programmes). Provide any project summaries or minutes where these are recorded.
NHS Greater Manchester (NHS GM) Information Governance reporting year is July-June, the following responses relate to this period per year.
2023-24
43 received, 40 responded to within 1 month, Extension applied on 3 all of which responded to within extension deadline.
2024-25
60 received, 58 responded to within 1 month, Extension applied on 2 all of which responded to within extension deadline.
2025-26 (partial year)
15 received, 14 responded to within 1 month, Extension applied on 1 which responded to within extension deadline
2. NHS GM does not allocate budget in this way. Budgets for SAR processing are included within the budget for the wider Information Governance Team and cannot be separately identified.
3. SARs are managed internally by the Information Governance Team; no software or systems are used.
4. NHS GM does not have any risks in relation to SARS.
5. NHS GM does not have any formal projects or procurement (planned) to improve SAR handling and does not hold any recorded project summaries or minutes relating to this. However, members of the Information Governance Team who handle SARs are qualified GDPR Practitioners.
