Why Mass DSAR Campaigns Could Disrupt Digital ID and Facial Recognition in the UK
It is time for each person to take action now!
Under the UK GDPR, any individual can submit a Data Subject Access Request (DSAR) to an organisation that holds their personal data — including biometric data through digitial ID and facial recognition scans. Companies must respond within one month, free of charge, unless the request is “manifestly unfounded or excessive.”
This legal right, when exercised at scale, can overwhelm systems and force transparency — or even shutdowns.
If thousands of people submit DSARs regularly at different periods over a sustained time, it creates a legal and logistical bottleneck:
Every request must be answered
No fee can be charged
Delays can lead to fines
For companies using facial recognition or digital ID systems, this means processing:
CCTV footage
Biometric logs
Legal justifications
Secure data deliveries
Real-World Precedents
British Airways (2018): After a major data breach, BA faced over 10,000 DSARs. The ICO fined them £20 million for security failings.
Clearview AI (2022–2025): Mass DSARs and complaints led to a UK enforcement notice and £7.5 million fine. In October 2025, the UK Upper Tribunal ruled that Clearview AI falls within UK GDPR jurisdiction, confirming that foreign companies scraping UK citizens’ data are subject to ICO enforcement.
Privacy Groups: Organisations like Big Brother Watch and Liberty have encouraged DSAR campaigns to challenge facial recognition trials.
💸 The Cost of Compliance
10,000 DSARs = 10,000+ staff hours
Estimated cost: £2,000–£5,000 per 1,000 requests
Post Office Horizon: Legal and data disclosure costs reportedly exceeded £7 million (though not all DSAR-related)
🔍 What DSARs Can Reveal
Algorithms and error rates
Data sharing with police or third parties
Retention policies
Consent mechanisms (or lack thereof)
🧨 PR and Legal Fallout
Headlines like “Tesco spies on shoppers” or “Govt spying on citizens” damage trust
ICO fines can reach 4% of global turnover (up to £3bn for Tesco)
In 2021, Marriott was fined £18 million for GDPR failings, including DSAR issues
🛑 Why It Works
Sometimes, it becomes cheaper to shut down a surveillance system than to comply with thousands of DSARs that are sent by people over a sustained period of time.
Alleged Past Impacts (Unverified but Widely Cited)
NHS COVID App (2020): 8,000 DSARs reportedly led to location tracking being removed
Home Office VIS (2021): 12,000 DSARs allegedly triggered deletion of visa logs
Police National Database (2022): 10,000 DSARs said to have restricted access
These examples are cited in activist circles but lack official confirmation. However, they illustrate the perceived power of coordinated DSAR action.
🚨 Call to Action
A mass staggered DSAR campaign targeting government departments and private companies using facial recognition or digital ID could:
Expose hidden surveillance
Force transparency
Trigger regulatory scrutiny
Make invasive systems economically unsustainable
With all the above in mind please read the below if you would like to make a DSAR for one Login and/or a supermarket that is using facial recognition. I have used Tesco as the example, but it applies to any store. You will just need to source the address to write to for the data controller.
How to Submit a Data Subject Access Request (DSAR) for GOV.UK One Login
GOV.UK One Login is the UK government’s single sign-on service, managed by the Government Digital Service (GDS), which now operates under the Department for Science, Innovation and Technology (DSIT). As most are now aware, this is the centralised interoperable digital ID platform that everyone is being nudged to. The idea is that eventually all identity put through one Login will be joined up for both public and private services access and everyone will need to get a “token” or “key” each time they need to verifiy themselves for services. The government have explicity stated that proof of identity by tokenisation will be needed for work, banks and even to buy a pint in the pub. It will therefore eventually extend to all aspects of life and must be stopped for the obvious reason that it allows people to be locked out of basic services and life by both government and corporations, trampling all over fundamental basic rights. If someone cannot work because they have not used a token or key, they cannot eat nor have shelter. There are also the issues of losing all privacy and being exposed to widespread fraud from hacks of, or leaks from, the centralised system. Company directors are the first to be attacked under this system and in my opinion it is not possible for anyone to be able to give informed consent to this system, because no one has adequately explained to them how it works or what the risks are. Sounds familiar.
If you’ve used One Login, and are only now realising how nefarious it is, you can request access to personal data about your login activity — even for just one session. Once you have this information you can then delete your account (if you wish and who knows how long the delete option will remain), and invoke your right to be forgotten as best you can. This might not remove all your data but it is better than doing nothing.
Under Article 15 of the UK GDPR, you have the right to request specific personal data held about you, including:
Login timestamps
IP addresses
Device/browser details
Location data
Session IDs
There’s no minimum scope — you can ask for data from a single login event or multiple.
Response Time and Cost
GOV.UK One Login must respond within one calendar month of receiving your request.
They can extend this to three months if the request is complex.
No fee is charged unless your request is deemed “manifestly unfounded or excessive.”
Who to Contact
The data controller for GOV.UK One Login is DSIT, but the GDS Privacy Team handles DSARs.
Email (preferred): gds-privacy-office@digital.cabinet-office.gov.uk
Post:
Government Digital Service
Admiralty Arch
The Mall
London
SW1A 2WH
(Mark your envelope “DSAR – Private and Confidential”)
There’s currently no dedicated online form, but email is straightforward. Ironically, they may ask for proof of ID (e.g., passport or driving licence scan) to verify your identity.
What to Include in Your DSAR
Be clear, specific, and reference UK GDPR to ensure your request is treated formally. Below is a ready-to-use email/letter template:
Subject: Data Subject Access Request (DSAR) under UK GDPR – GOV.UK One Login Details
Email Body:
Dear GDS Privacy Team,
I am making a formal Data Subject Access Request (DSAR) under Article 15 of the UK GDPR. As the data controller for GOV.UK One Login, please provide me with access to all personal data related to my login activity.
Specifically, I request login records for [choose one timeframe, e.g., “the last 6 months” or “since I created my account”], including:
A copy of all personal data processed for each login event (e.g., timestamps, IP addresses, device/browser details, location data, session IDs)
The purposes for processing this data
Details of any recipients or categories of recipients (e.g., other government departments or private vendors) to whom this data has been disclosed
The source of the data if it was not collected directly from me
My details for verification:
Full name: [Your full name]
Email address associated with your One Login account: [Your email]
Phone number: [Your phone]
Any other identifiers: [e.g., account reference if applicable]
Please respond within one calendar month of receipt, as required by UK GDPR.
Thank you for your assistance.
[Your full name]
[Your contact email]
[Your phone number]
[Your postal address]
Send this from the email address linked to your One Login account if possible, to help them match your identity.
❗ If You’re Not Satisfied
If you don’t receive a response or feel your request wasn’t handled properly, you can complain to the Information Commissioner’s Office (ICO) — it’s free.
How to Submit a DSAR for Facial Recognition Data at Tesco (or Any UK Retailer)
Facial recognition is quietly becoming part of the UK retail experience. If you’ve visited a store using biometric surveillance — like Tesco — you can request access to any personal data they’ve collected about you.
What Counts as Personal Data?
Under UK GDPR Article 9, biometric data used to uniquely identify you (e.g., facial scans, camera footage, derived profiles) is considered special category personal data. This includes:
Facial images or scans
Biometric templates
Timestamps and location data
Device or camera details
Match alerts or flags
You can submit a Data Subject Access Request (DSAR) to any store that has processed this data — even if you don’t know exactly when or how.
Tesco and Project Pegasus
Tesco is part of Project Pegasus, a police initiative where retailers share CCTV footage for facial recognition checks. Privacy groups like Big Brother Watch and Liberty have raised concerns about the lack of transparency and consent as regards this project.
If you’ve visited Tesco or other similar stores — especially in areas with high shoplifting rates — it’s worth checking whether your data was captured.
Who to Contact
Tesco handles DSARs centrally via their Data Protection team:
Email (preferred): subjectaccess.request@uk.tesco.com
Online Form: Tesco Privacy Centre — log in with your Clubcard/email
Post:
Data Protection Team
Tesco Stores Ltd
Tesco House
Shirley, Solihull
B90 8AJ
(Mark envelope “DSAR – Private”)
What to Say
Be specific about facial recognition to ensure a focused response. Here’s a template email/letter that you can adapt:
Subject: Data Subject Access Request (DSAR) under UK GDPR – Facial Recognition and Biometric Data
Dear Tesco Data Protection Team,
I am making a formal Data Subject Access Request (DSAR) under Article 15 of the UK GDPR. As the data controller, please provide me with access to all personal data you hold about me, specifically related to facial recognition or biometric processing (e.g., via in-store cameras, CCTV, or Project Pegasus).
This includes data from [e.g., “visits to my local Tesco store at [store address/branch name] between January 2024 and October 2025” or “all stores if no specific date”].
Please provide:
A copy of all personal data processed, including facial images/scans, biometric templates, timestamps, locations, device/camera details, and any matches/alerts
The purposes for processing (e.g., anti-shoplifting, advertising, sharing with police/third parties)
Details of any recipients or categories of recipients (e.g., police via Project Pegasus, Facewatch, or other retailers)
Retention periods and the source of the data if not collected directly from me
Confirmation of my rights regarding this special category data, including how to withdraw consent or object
My details for verification:
Full name: [Your full name]
Email address associated with Tesco/Clubcard: [Your email]
Clubcard number (if applicable): [Your Clubcard number]
Phone number: [Your phone]
Address: [Your address]
I am prepared to provide proof of identity (e.g., a scan of my passport or driving licence) upon request. Please respond within one calendar month of receipt, as required by UK GDPR.
Thank you for your assistance.
[Your full name]
[Your contact email]
[Your phone number]
[Your postal address]
❗ If You’re Unsatisfied
If Tesco or whatever store you write to fails to respond, or you believe biometric data was processed unlawfully, you can file a complaint with the Information Commissioner’s Office (ICO):
I hope it’s clear that DSARs are a powerful tool for resisting the rollout of mandatory, centralised, and interoperable digital ID systems. By invoking this legal process en masse, we can create bureaucratic pressure that slows implementation and forces transparency. Ironically, this mirrors the psychological tactics often used against us — where systems are made so difficult to navigate offline that we’re coerced into digital compliance. Now, it’s time to turn the tables and use their own mechanisms to push back.
Thank you so much for this brilliant info and article.
Thank you very much - I will do this tomorrow at work. As a company director, I was tricked into this and am fuming. Will spread the word - keep up the great work.