Digitally Thinking

Subject Access Requests – What employers need to know!

Data subject access requests (SARs) are quick and easy for an individual to make.  On the other hand, responding to a SAR can be time-consuming and expensive. 

In the employment setting, SARs are often made in the context of an ongoing dispute, tribunal or court claim.  Whilst the employee may genuinely want to find out what data is being processed by their employer and to make sure that it’s accurate, the reality in our experience is that the disgruntled employee (or ex-employee) will make the SAR to try and secure a favourable exit package or financial settlement from the employer.

In general, regardless of any suspicions about the employee’s motivation, the employer should comply and deal with a SAR in a positive and helpful way.

Here’s our guide to what you and your business need to know:

What is a SAR?

A SAR is any request by an individual (known as the “data subject”) for their own personal data.

They entitle individuals to the right to find out what personal data is held about them by an organisation, why the organisation is holding it and who their information is disclosed to by that organisation.

“Personal data” means (in simple terms) any information relating to the data subject. 

When it comes to the workplace, this means that SARs can cover not just typical HR data such as that stored in the employee’s personnel file, HR or payroll systems, but unstructured data contained in things like emails, meeting minutes and appraisal forms.   

How do you recognise a SAR?

An individual can make a SAR verbally or in writing, including on social media.

A request is valid if it’s clear that the individual is asking for their own personal data. They do not need to use a specific form of words, refer to legislation (such as UK GDPR or the Data Protection Act 2018) or direct the request to a specific contact in your business.

An individual may also ask a third party (e.g., a relative, friend or solicitor) to make a SAR on their behalf.

Therefore, it’s important to have the appropriate systems and processes in place to help you recognise and manage requests.  For example, having a clear SAR policy will not only help your staff recognise SARs and act quickly, but will also help the rest of the process run more smoothly. 

How long do you have to deal with a SAR?

The clock is ticking! You have one month to respond from the receipt of the SAR.

It’s possible to extend this period by a further two months in complex cases, although the individual should be informed as soon as this becomes apparent.

Can you ask for ID?

Yes. You need to be satisfied that you know the identity of the person making the request (or the person the SAR is made on behalf of). If you are unsure, you can ask for information to verify an individual’s identity.

However, if the request is from an employee or someone you know then the requirement to ask for ID is not considered reasonable, nor needed.

The timescale for responding to a SAR does not begin until you have received the requested ID information.

Can you charge a fee?

In most cases you can’t charge a fee to comply with a SAR.

However, you can charge a ’reasonable fee’ for the administrative costs of complying with a request if it is “manifestly unfounded” or “excessive”, or if an individual requests further copies of their data.

How do you respond to a SAR?

Where the SAR is broad or unclear, you should contact the individual to clarify the personal data which they wish to receive.

Although the individual is under no obligation to explain why they want the personal data or what they intend to do with it, they may be able to narrow the parameters of their request. This could include refining the data range or categories of information sought.

If a SAR has been made electronically, the default expectation is that an organisation will provide the response electronically. However, it’s good practice to check with the individual first. Especially where sensitive or special category data is being disclosed, ensure that this is disclosed in the most secure means possible. 

Opening up a line of communication with the individual provides immediate reassurance that you are taking your responsibilities seriously and limiting the risks of non-compliance (see below).

Can you refuse to comply with a SAR?

Where an exemption applies, you may refuse to provide all or some of the requested information, depending on the circumstances. Exemptions include where the data is covered by legal privilege, or part of settlement negotiations or a confidential reference.

You can also refuse to comply with a SAR if it is manifestly unfounded or manifestly excessive.

What are the risks if you don't comply with a SAR?

A failure to meet the deadline for responding (above) or providing the employee with access to all the data they request could expose your business to significant penalties.

An employee who is aggrieved and believes that you have failed to comply with data protection obligations and properly deal with their SAR can:

  • Make a complaint to the Information Commissioner, who will investigate and take enforcement action against you where appropriate; and/or 
  • Apply for a court order requiring you to comply or to seek compensation. What can we do to help?

We have the expertise to support you and your business in the handling of SARs, and other data protection issues, so for further advice and guidance contact Head of Employment, Mike Patterson, on 07860 505426 or email Alternatively, you can get in touch with Commercial and Digital Solicitor, Sam Crich, on 07595 650226 or email

speech bubbles

We'd love to tell you more...

We're passionate about supporting digital businesses to thrive - find out how we can help you get where you need to be

Get in touch   right arrow