12 May 2026
SAR compliance for housing associations: a practical defensibility checklist
What the ICO actually looks for when a tenant complains about a SAR response — and how to be ready before the question is asked.
What "defensible" means in practice
The UK GDPR and the Data Protection Act 2018 don't ask for perfection. They ask for decisions that were reasonable, attributable, and documented contemporaneously. For housing associations under SAR pressure, that's the bar — not zero errors, but defensible reasoning on file.
This post walks through the checklist we use with pilot teams: identity-of-requester verification, scope statement, ruleset application, override reasoning, and the signed evidence pack.
1. Identity-of-requester
The clock anchors when identity is verified — not when the letter arrives. Document the verification method and the verifier.
2. Scope statement
Agree in writing what the SAR covers before triage starts. Out-of-scope material is logged, not concealed.
3. Ruleset application
Each passage gets a recommendation against a versioned ruleset (TP-PII, NOT-REL, LPP, MGMT-NEG in the SART MVP). Cite the rule ID; state the reason in plain English.
4. Override reasoning
When the reviewer overrides a recommendation, the override carries its own reason. Overrides are a feature, not a bug — but they must be reasoned.
5. Signed evidence pack
Hash-chained ledger, named-officer sign-off, integrity verification on export. If the ICO asks, the defensible answer is already written.
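A sketch of the hash-chained ledger from item 5, carrying the rule ID and reason from item 3 and the reasoned override from item 4. This is an added example, not the SART implementation: the field names, decision values and the GENESIS anchor are assumptions, and the sign-off is recorded as a name bound to the head hash, not as a cryptographic signature.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry's "prev" field

def _digest(body):
    # Canonical JSON (sorted keys, fixed separators) so an entry always hashes the same way.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(raw).hexdigest()

def append(ledger, passage_id, rule_id, decision, reason, reviewer, overrides=None):
    """Append one decision. An override is a new entry pointing at the one it replaces."""
    if not reason.strip():
        raise ValueError("every decision, including an override, needs a stated reason")
    if overrides is not None and not 0 <= overrides < len(ledger):
        raise ValueError("override must reference an existing entry")
    body = {"seq": len(ledger), "prev": ledger[-1]["hash"] if ledger else GENESIS,
            "passage_id": passage_id, "rule_id": rule_id, "decision": decision,
            "reason": reason, "reviewer": reviewer, "overrides": overrides}
    ledger.append({**body, "hash": _digest(body)})
    return ledger[-1]

def verify(ledger):
    """Return (True, None), or (False, index) for the first entry that breaks the chain."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("seq") != i or entry.get("prev") != prev or entry.get("hash") != _digest(body):
            return False, i
        prev = entry["hash"]
    return True, None

def export_pack(ledger, officer):
    """Verify before export and bind the named officer's sign-off to the head hash."""
    ok, bad = verify(ledger)
    if not ok:
        raise ValueError(f"ledger integrity check failed at entry {bad}")
    head = ledger[-1]["hash"] if ledger else GENESIS
    return {"entries": list(ledger), "head": head, "signed_off_by": officer}

if __name__ == "__main__":
    ledger = []  # constructed sample decisions, not real case data
    append(ledger, "p-001", "TP-PII", "redact", "Names a neighbour", "Reviewer A")
    append(ledger, "p-001", "TP-PII", "disclose", "Neighbour consented in writing",
           "Reviewer B", overrides=0)
    print(export_pack(ledger, "Officer C")["head"])
    ledger[0]["reason"] = "edited after the fact"
    print(verify(ledger))
```

The chain only proves integrity against someone who cannot rewrite every entry, so the head hash in the exported pack should also be recorded somewhere the ledger's editors cannot change.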