Why Mass DSAR Campaigns Could Disrupt Digital ID and Facial Recognition in the UK

It is time for each person to take action now!

CONSCIENTIOUS CURRENCY

Under the UK GDPR, any individual can submit a Data Subject Access Request (DSAR) to an organisation that holds their personal data — including biometric data through digitial ID and facial recognition scans. Companies must respond within one month, free of charge, unless the request is “manifestly unfounded or excessive.”

This legal right, when exercised at scale, can overwhelm systems and force transparency — or even shutdowns.

If thousands of people submit DSARs regularly at different periods over a sustained time, it creates a legal and logistical bottleneck:

• Every request must be answered
• No fee can be charged
• Delays can lead to fines

For companies using facial recognition or digital ID systems, this means processing:

• CCTV footage
• Biometric logs
• Legal justifications
• Secure data deliveries

Real-World Precedents

• British Airways (2018): After a major data breach, BA faced over 10,000 DSARs. The ICO fined them £20 million for security failings.
• Clearview AI (2022–2025): Mass DSARs and complaints led to a UK enforcement notice and £7.5 million fine. In October 2025, the UK Upper Tribunal ruled that Clearview AI falls within UK GDPR jurisdiction, confirming that foreign companies scraping UK citizens’ data are subject to ICO enforcement.
• Privacy Groups: Organisations like Big Brother Watch and Liberty have encouraged DSAR campaigns to challenge facial recognition trials.

💸 The Cost of Compliance

• 10,000 DSARs = 10,000+ staff hours
• Estimated cost: £2,000–£5,000 per 1,000 requests
• Post Office Horizon: Legal and data disclosure costs reportedly exceeded £7 million (though not all DSAR-related)

🔍 What DSARs Can Reveal

• Algorithms and error rates
• Data sharing with police or third parties
• Retention policies
• Consent mechanisms (or lack thereof)

🧨 PR and Legal Fallout

• Headlines like “Tesco spies on shoppers” or “Govt spying on citizens” damage trust
• ICO fines can reach 4% of global turnover (up to £3bn for Tesco)
• In 2021, Marriott was fined £18 million for GDPR failings, including DSAR issues

🛑 Why It Works

Sometimes, it becomes cheaper to shut down a surveillance system than to comply with thousands of DSARs that are sent by people over a sustained period of time.

Alleged Past Impacts (Unverified but Widely Cited)

• NHS COVID App (2020): 8,000 DSARs reportedly led to location tracking being removed
• Home Office VIS (2021): 12,000 DSARs allegedly triggered deletion of visa logs
• Police National Database (2022): 10,000 DSARs said to have restricted access

These examples are cited in activist circles but lack official confirmation. However, they illustrate the perceived power of coordinated DSAR action.

🚨 Call to Action

A mass staggered DSAR campaign targeting government departments and private companies using facial recognition or digital ID could:

• Expose hidden surveillance
• Force transparency
• Trigger regulatory scrutiny
• Make invasive systems economically unsustainable

With all the above in mind please read the below if you would like to make a DSAR for one Login and/or a supermarket that is using facial recognition. I have used Tesco as the example, but it applies to any store. You will just need to source the address to write to for the data controller.

How to Submit a Data Subject Access Request (DSAR) for GOV.UK One Login

GOV.UK One Login is the UK government’s single sign-on service, managed by the Government Digital Service (GDS), which now operates under the Department for Science, Innovation and Technology (DSIT). As most are now aware, this is the centralised interoperable digital ID platform that everyone is being nudged to. The idea is that eventually all identity put through one Login will be joined up for both public and private services access and everyone will need to get a “token” or “key” each time they need to verifiy themselves for services. The government have explicity stated that proof of identity by tokenisation will be needed for work, banks and even to buy a pint in the pub. It will therefore eventually extend to all aspects of life and must be stopped for the obvious reason that it allows people to be locked out of basic services and life by both government and corporations, trampling all over fundamental basic rights. If someone cannot work because they have not used a token or key, they cannot eat nor have shelter. There are also the issues of losing all privacy and being exposed to widespread fraud from hacks of, or leaks from, the centralised system. Company directors are the first to be attacked under this system and in my opinion it is not possible for anyone to be able to give informed consent to this system, because no one has adequately explained to them how it works or what the risks are. Sounds familiar.

If you’ve used One Login, and are only now realising how nefarious it is, you can request access to personal data about your login activity — even for just one session. Once you have this information you can then delete your account (if you wish and who knows how long the delete option will remain), and invoke your right to be forgotten as best you can. This might not remove all your data but it is better than doing nothing.

Under Article 15 of the UK GDPR, you have the right to request specific personal data held about you, including:

• Login timestamps
• IP addresses
• Device/browser details
• Location data
• Session IDs

There’s no minimum scope — you can ask for data from a single login event or multiple.

Response Time and Cost

• GOV.UK One Login must respond within one calendar month of receiving your request.
• They can extend this to three months if the request is complex.
• No fee is charged unless your request is deemed “manifestly unfounded or excessive.”

Who to Contact

The data controller for GOV.UK One Login is DSIT, but the GDS Privacy Team handles DSARs.

• Email (preferred): [email protected]
• Post:
  Government Digital Service
  Admiralty Arch
  The Mall
  London
  SW1A 2WH
  (Mark your envelope “DSAR – Private and Confidential”)

There’s currently no dedicated online form, but email is straightforward. Ironically, they may ask for proof of ID (e.g., passport or driving licence scan) to verify your identity.

What to Include in Your DSAR

Be clear, specific, and reference UK GDPR to ensure your request is treated formally. Below is a ready-to-use email/letter template:

Subject: Data Subject Access Request (DSAR) under UK GDPR – GOV.UK One Login Details

Email Body:

Dear GDS Privacy Team,

I am making a formal Data Subject Access Request (DSAR) under Article 15 of the UK GDPR. As the data controller for GOV.UK One Login, please provide me with access to all personal data related to my login activity.

Specifically, I request login records for [choose one timeframe, e.g., “the last 6 months” or “since I created my account”], including:

• A copy of all personal data processed for each login event (e.g., timestamps, IP addresses, device/browser details, location data, session IDs)
• The purposes for processing this data
• Details of any recipients or categories of recipients (e.g., other government departments or private vendors) to whom this data has been disclosed
• The source of the data if it was not collected directly from me

My details for verification:

Full name: [Your full name]

Email address associated with your One Login account: [Your email]

Phone number: [Your phone]

Any other identifiers: [e.g., account reference if applicable]

Please respond within one calendar month of receipt, as required by UK GDPR.

Thank you for your assistance.

[Your full name]

[Your contact email]

[Your phone number]

[Your postal address]

Send this from the email address linked to your One Login account if possible, to help them match your identity.

❗ If You’re Not Satisfied

If you don’t receive a response or feel your request wasn’t handled properly, you can complain to the Information Commissioner’s Office (ICO) — it’s free.

• Make a complaint to the ICO

How to Submit a DSAR for Facial Recognition Data at Tesco (or Any UK Retailer)

Facial recognition is quietly becoming part of the UK retail experience. If you’ve visited a store using biometric surveillance — like Tesco — you can request access to any personal data they’ve collected about you.

What Counts as Personal Data?

Under UK GDPR Article 9, biometric data used to uniquely identify you (e.g., facial scans, camera footage, derived profiles) is considered special category personal data. This includes:

• Facial images or scans
• Biometric templates
• Timestamps and location data
• Device or camera details
• Match alerts or flags

You can submit a Data Subject Access Request (DSAR) to any store that has processed this data — even if you don’t know exactly when or how.

Tesco and Project Pegasus

Tesco is part of Project Pegasus, a police initiative where retailers share CCTV footage for facial recognition checks. Privacy groups like Big Brother Watch and Liberty have raised concerns about the lack of transparency and consent as regards this project.

If you’ve visited Tesco or other similar stores — especially in areas with high shoplifting rates — it’s worth checking whether your data was captured.

Who to Contact

Tesco handles DSARs centrally via their Data Protection team:

• Email (preferred): [email protected]
• Online Form: Tesco Privacy Centre — log in with your Clubcard/email
• Post:
  Data Protection Team
  Tesco Stores Ltd
  Tesco House
  Shirley, Solihull
  B90 8AJ
  (Mark envelope “DSAR – Private”)

What to Say

Be specific about facial recognition to ensure a focused response. Here’s a template email/letter that you can adapt:

Subject: Data Subject Access Request (DSAR) under UK GDPR – Facial Recognition and Biometric Data

Dear Tesco Data Protection Team,

I am making a formal Data Subject Access Request (DSAR) under Article 15 of the UK GDPR. As the data controller, please provide me with access to all personal data you hold about me, specifically related to facial recognition or biometric processing (e.g., via in-store cameras, CCTV, or Project Pegasus).

This includes data from [e.g., “visits to my local Tesco store at [store address/branch name] between January 2024 and October 2025” or “all stores if no specific date”].

Please provide:

• A copy of all personal data processed, including facial images/scans, biometric templates, timestamps, locations, device/camera details, and any matches/alerts
• The purposes for processing (e.g., anti-shoplifting, advertising, sharing with police/third parties)
• Details of any recipients or categories of recipients (e.g., police via Project Pegasus, Facewatch, or other retailers)
• Retention periods and the source of the data if not collected directly from me
• Confirmation of my rights regarding this special category data, including how to withdraw consent or object

My details for verification:

Full name: [Your full name]

Email address associated with Tesco/Clubcard: [Your email]

Clubcard number (if applicable): [Your Clubcard number]

Phone number: [Your phone]

Address: [Your address]

I am prepared to provide proof of identity (e.g., a scan of my passport or driving licence) upon request. Please respond within one calendar month of receipt, as required by UK GDPR.

Thank you for your assistance.

[Your full name]

[Your contact email]

[Your phone number]

[Your postal address]

❗ If You’re Unsatisfied

If Tesco or whatever store you write to fails to respond, or you believe biometric data was processed unlawfully, you can file a complaint with the Information Commissioner’s Office (ICO):

• Make a complaint to the ICO

I hope it’s clear that DSARs are a powerful tool for resisting the rollout of mandatory, centralised, and interoperable digital ID systems. By invoking this legal process en masse, we can create bureaucratic pressure that slows implementation and forces transparency. Ironically, this mirrors the psychological tactics often used against us — where systems are made so difficult to navigate offline that we’re coerced into digital compliance. Now, it’s time to turn the tables and use their own mechanisms to push back.

---

This article (Why Mass DSAR Campaigns Could Disrupt Digital ID and Facial Recognition in the UK) was created and published by Conscientious Currency and is republished here under “Fair Use”

••••

The Liberty Beacon Project is now expanding at a near exponential rate, and for this we are grateful and excited! But we must also be practical. For 7 years we have not asked for any donations, and have built this project with our own funds as we grew. We are now experiencing ever increasing growing pains due to the large number of websites and projects we represent. So we have just installed donation buttons on our websites and ask that you consider this when you visit them. Nothing is too small. We thank you for all your support and your considerations … (TLB)

••••

Comment Policy: As a privately owned web site, we reserve the right to remove comments that contain spam, advertising, vulgarity, threats of violence, racism, or personal/abusive attacks on other users. This also applies to trolling, the use of more than one alias, or just intentional mischief. Enforcement of this policy is at the discretion of this websites administrators. Repeat offenders may be blocked or permanently banned without prior warning.

••••

Disclaimer: TLB websites contain copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to our readers under the provisions of “fair use” in an effort to advance a better understanding of political, health, economic and social issues. The material on this site is distributed without profit to those who have expressed a prior interest in receiving it for research and educational purposes. If you wish to use copyrighted material for purposes other than “fair use” you must request permission from the copyright owner.

••••

Disclaimer: The information and opinions shared are for informational purposes only including, but not limited to, text, graphics, images and other material are not intended as medical advice or instruction. Nothing mentioned is intended to be a substitute for professional medical advice, diagnosis or treatment.

Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of The Liberty Beacon Project.