A Subject Access Request (often referred to as a DSAR) is one of the most powerful rights available to individuals under UK data protection law. In the employment context, it allows employees, former employees and job applicants to request access to the personal data their employer holds about them. For HR professionals and business owners, handling a Subject Access Request correctly is not optional. It is a strict legal obligation under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and should be managed alongside broader employment law governance and HR data compliance requirements, including GDPR for HR duties.
Subject Access Requests frequently arise during grievances, disciplinary processes, redundancy consultations and workplace disputes. They are also commonly used in the lead-up to employment tribunal claims. Employers must therefore approach every request carefully, both as a compliance issue and as a potential litigation risk, particularly where the underlying dispute relates to issues such as unfair dismissal or constructive dismissal.
What this article is about
This guide explains what a Subject Access Request is in the workplace, who can make one, what information must be disclosed, when an employer can lawfully refuse, the applicable time limits, and the legal risks of non-compliance. It is written specifically for employers and HR professionals who need to manage Subject Access Requests lawfully, proportionately, and with minimal operational disruption, including where DSARs arise alongside core employment documentation such as the employment contract.
Section A: What Is a Subject Access Request in Employment Law?
A Subject Access Request is the statutory right of an individual to obtain confirmation as to whether their personal data is being processed and, if so, to receive a copy of that data together with certain supplementary information. The right is set out in Article 15 of the UK GDPR and is supplemented by the Data Protection Act 2018. In the employment context, this right applies directly to employers as data controllers.
For HR teams, a Subject Access Request is not merely an administrative task. It is a regulated legal process with defined timescales, limited exemptions, and potential enforcement consequences. Understanding the scope of the right is the first step in managing risk.
1. Who can make a Subject Access Request?
In the workplace, a Subject Access Request can be made by current employees, former employees, workers and contractors, and job applicants. The right of access applies regardless of the status of the working relationship. It also applies whether the request is made during employment, after termination, or in the context of a dispute.
A request can be submitted personally or through a third party acting on the individual’s behalf, such as a solicitor or trade union representative. Employers are entitled to verify authority and identity before disclosing information.
Importantly, a Subject Access Request does not need to mention the words “Subject Access Request” or “DSAR”. Any communication that clearly asks for personal data held about the individual may qualify. Motive is legally irrelevant. Even if the request is made in anticipation of litigation, it remains valid, including where the employee is already following a formal grievance letter route or challenging the handling of a disciplinary investigation.
2. What counts as personal data in the workplace?
Personal data is any information relating to an identified or identifiable individual. In an employment setting, this can include personnel files and HR records, performance reviews and appraisal notes, disciplinary and grievance records, emails and internal correspondence where the individual is the subject, payroll and pension information, sickness and absence records, CCTV footage, and interview notes.
The information must relate to the individual in a meaningful sense. Merely mentioning an employee’s name in passing will not always make a document their personal data, but most HR documentation will fall within scope.
Workplace monitoring materials are a common DSAR trigger. Where employers use monitoring tools, policies and decision-making should align with lawful basis requirements and transparency expectations, including in areas such as employee monitoring and the collection of footage or recordings, and particularly where covert CCTV in the workplace may be an issue.
Employers must also disclose supplementary information, including the purposes of processing, the categories of personal data concerned, the recipients or categories of recipients, the retention period or criteria used to determine it, and the right to complain to the ICO. This means a Subject Access Request is not limited to handing over documents. It also requires transparency about data handling practices.
3. What is the purpose of the right of access?
The purpose of a Subject Access Request is to enable individuals to understand what personal data is held about them, how and why it is being used, and whether it is being processed lawfully.
It is not a mechanism for general disclosure of all documents relating to employment. The obligation is to disclose personal data, not every document in which the individual is mentioned. However, in practice, the distinction can be narrow. Employers should assume that most structured HR records relating to an employee will fall within scope unless a clear exemption applies.
Section Summary
A Subject Access Request is a statutory right under the UK GDPR that applies fully in the employment context. It can be made by current or former employees and does not require formal wording. The employer’s obligation extends to all personal data held about the individual, together with specific supplementary information. For HR professionals, understanding this scope is critical before considering time limits, exemptions or refusal grounds.
Section B: How Employers Must Handle a Subject Access Request
Once a Subject Access Request has been received, the employer moves into a regulated compliance process. The UK GDPR imposes procedural obligations as well as substantive disclosure duties. Failure to follow the correct steps can amount to a breach, even where the employer ultimately discloses the requested data.
For HR professionals, the key is structured handling: recognising the request, verifying identity where appropriate, conducting a lawful and proportionate search, and responding within the statutory timeframe.
1. Recognising a valid Subject Access Request
A Subject Access Request does not need to follow a specific format. It can be made in writing, by email, verbally, via social media, or through a solicitor or representative. The request does not need to cite the UK GDPR or use the term “Subject Access Request”. If an individual asks for “all the information you hold about me” or similar wording, this is likely to qualify.
Because requests can be made to any part of the organisation, employers should train managers and frontline staff to recognise potential DSARs and escalate them promptly. The statutory deadline begins when the request is received by the organisation, not when it reaches HR.
Employers may ask for clarification if the scope of the request is unclear. However, this should be done promptly and only where genuinely necessary to identify the personal data requested.
2. Verifying identity
Before disclosing personal data, employers must be satisfied that the requester is entitled to receive it. In the case of current employees, identity will usually be straightforward.
For former employees or third-party representatives, reasonable verification steps may include requesting proof of identity, requesting written authority from the data subject, and confirming details already held on file.
If the employer reasonably requires further information to confirm identity, the one-month response period does not begin until that information is received. However, verification requests must be proportionate. Employers cannot impose excessive identity requirements as a delaying tactic.
3. Conducting a reasonable and proportionate search
Employers are required to make reasonable efforts to locate and retrieve relevant personal data. The law does not require an exhaustive search in every conceivable location, but it does require a search that is reasonable in light of the nature of the request, the systems in which data is held, the volume of data, and the resources available.
Searches typically include HR systems, email accounts, payroll software, shared drives, case management systems, and paper files where applicable.
The scope and methodology of the search should be documented. If challenged by the Information Commissioner’s Office (ICO) or a court, the employer must be able to demonstrate that its approach was proportionate and defensible.
4. Preparing the response
Where personal data is identified, the employer must provide a copy of the personal data together with the required supplementary information under Article 15, and must present that information in a concise, transparent and intelligible form.
If the request was made electronically, the response should generally be provided in a commonly used electronic format, unless the individual requests otherwise.
Data must be disclosed securely. This may involve password-protected files, encrypted email, or secure transfer platforms. Employers must also consider redaction of third-party personal data, legally privileged material, and information covered by a statutory exemption.
Every decision to redact or withhold information should be recorded with reasons. This is particularly important where DSARs overlap with active people processes, such as preparation for a disciplinary hearing or redundancy decision-making under the broader redundancy framework.
5. Record keeping
Although not expressly mandated in prescriptive detail, maintaining records of DSAR handling is critical to demonstrating compliance. Employers should record the date the request was received, the deadline for response, any clarification or identity checks requested, the scope of searches undertaken, the information disclosed, and any exemptions relied upon.
This audit trail can be decisive if a complaint is made to the ICO.
Section Summary
Handling a Subject Access Request requires structured and timely action. Employers must recognise requests promptly, verify identity proportionately, conduct a reasonable search, disclose personal data securely, and document every step taken. A disorganised or informal approach significantly increases legal risk, particularly where the request arises during a workplace dispute.
Section C: Subject Access Request Time Limits and Extensions
Time limits are one of the most common areas where employers fall into breach of the UK GDPR. Even where disclosure is ultimately made, a failure to respond within the statutory timeframe can lead to regulatory scrutiny or formal complaints. HR teams must therefore treat the timing of a Subject Access Request as a compliance priority from the outset.
Understanding when the clock starts, when it can be extended, and when it may be paused is critical.
1. The one-month response rule
An employer must respond to a Subject Access Request without undue delay and, in any event, within one month of receipt.
The one-month period begins on the day the organisation receives the request, not when HR becomes aware of it. For example, if a line manager receives an email requesting personal data and fails to escalate it, the clock has already started running.
The response must either provide the requested personal data and supplementary information, or explain why the employer is refusing to comply, including details of the individual’s right to complain to the ICO and seek judicial remedy. Merely acknowledging receipt is not sufficient. The substantive response must be provided within the deadline unless a lawful extension applies.
2. When can the time limit be extended?
The UK GDPR allows the employer to extend the response period by up to two further months where the request is complex, or the employer has received a number of requests from the same individual.
If the employer intends to rely on an extension, they must notify the individual within the original one-month period, explaining that an extension is required and the reasons for the delay.
3. Clarification and identity verification
In some cases, an employer may require clarification of the scope of the request. For example, where an employee asks for “all information held”, the employer may ask whether the request relates to a particular time period or category of data. The ICO’s guidance allows the response period to be paused while awaiting clarification only where the employer genuinely requires that clarification in order to respond. Employers should still provide any data that can reasonably be disclosed without clarification.
Similarly, if the employer has reasonable doubts about the identity of the requester, the response period does not begin until sufficient identification has been provided.
Both clarification and identity checks must be requested promptly. They cannot be used tactically to delay compliance, particularly where the request arises against the backdrop of an active dispute or anticipated tribunal proceedings governed by the employment tribunal rules.
4. Fees
As a general rule, employers must comply with a Subject Access Request free of charge.
A reasonable administrative fee may be charged only where the request is manifestly unfounded or manifestly excessive, or where the individual asks for further copies of data already provided. The threshold for charging a fee is high. Cost or inconvenience alone will not justify imposing one.
Section Summary
Employers must respond to a Subject Access Request within one month unless a lawful extension applies. Extensions are limited and must be notified within the original timeframe. Clarification and identity verification may affect the timing, but only where genuinely necessary. Strict deadline management is essential to avoid regulatory breach.
Section D: Can an Employer Refuse a Subject Access Request? Exemptions and Legal Risks
Although the right of access under the UK GDPR is broad, it is not absolute. Employers may, in limited circumstances, refuse to comply with a Subject Access Request or withhold certain information. However, the threshold for refusal is high and must be applied cautiously. Blanket refusals or routine reliance on exemptions are likely to result in regulatory criticism.
For HR professionals, this is the most legally sensitive stage of the process. A refusal decision must be defensible, documented, and grounded in statute.
1. Manifestly unfounded requests
An employer may refuse to act on a Subject Access Request if it is manifestly unfounded. This typically applies where the individual has no genuine intention of exercising their right of access, where the request is malicious or intended to harass, or where the individual makes unsubstantiated or false allegations as part of the request. The standard is deliberately high.
A request made in anticipation of litigation is not, by itself, manifestly unfounded. Nor is a request made during a grievance or disciplinary process automatically abusive. Employers must be able to evidence why they consider a request manifestly unfounded. Mere inconvenience, frustration or suspicion of tactical use will not suffice.
2. Manifestly excessive requests
A request may be refused or subject to a reasonable administrative fee if it is manifestly excessive. This most commonly arises where the individual makes repeated requests for the same information without reasonable interval, or where the scope of the request is clearly disproportionate.
However, a request is not excessive simply because it covers a large volume of data, is time-consuming, requires extensive searches, or is costly to comply with. The ICO makes clear that size or cost alone does not meet the threshold. The employer must assess whether the request is genuinely disproportionate in light of the purpose of the right of access.
Where relying on this ground, employers must explain their reasoning clearly and retain documentary justification.
3. Statutory exemptions under the Data Protection Act 2018
The Data Protection Act 2018 provides specific exemptions which may justify withholding certain personal data. Common workplace exemptions include legal professional privilege, the management planning exemption, and exemptions relating to crime and taxation.
Legal professional privilege means information covered by legal advice privilege or litigation privilege does not need to be disclosed. This frequently arises where solicitors have been instructed during a dispute.
The management planning exemption may apply to personal data processed for management forecasting or planning where disclosure would be likely to prejudice the conduct of the business. This can arise during restructuring, redundancy planning, or succession discussions. The exemption is narrow and must not be applied broadly to routine HR deliberations, including routine discussion within a disciplinary procedure or the handling of a workplace grievance.
Confidential references may also be exempt in certain circumstances, for example where the employer has provided a confidential reference for employment, training, or educational purposes.
Each exemption must be applied to specific data, not to the request as a whole. Employers should redact rather than refuse entirely wherever possible.
4. Third-party personal data
One of the most common practical issues in employment DSARs concerns documents that contain personal data relating to both the requesting employee and another individual.
The employer must consider whether it is reasonable to disclose the information without the consent of the third party. Factors to assess include any duty of confidentiality owed to the third party, whether the third party has consented to disclosure, the nature and sensitivity of the information, the expectations of the third party, and whether redaction can adequately protect the third party.
Redaction is usually the first step. Full refusal should be a last resort and must be justified.
5. Legal risks of wrongful refusal
If an employer refuses a Subject Access Request without lawful basis, the individual may complain to the Information Commissioner’s Office (ICO), seek an order from the court compelling compliance, and claim compensation for material damage or distress. Compensation may be awarded for distress alone, even without financial loss.
The ICO has the power to investigate, issue enforcement notices, and impose administrative fines for serious breaches. While fines for DSAR failures are less common than for large-scale data breaches, repeated non-compliance or systemic failures increase regulatory risk.
In practice, DSAR disputes often sit alongside employment disputes that may ultimately be resolved through an agreed exit and settlement agreement, or proceed towards litigation with professional support such as employment tribunal representation.
Section Summary
An employer can refuse or limit a Subject Access Request only in defined and limited circumstances. The thresholds for “manifestly unfounded” or “manifestly excessive” are high, and statutory exemptions must be applied narrowly and carefully. Poorly justified refusals expose employers to ICO investigation, court orders and compensation claims. Any decision to withhold information must be legally reasoned and fully documented.
FAQs
Subject Access Requests often raise practical questions for HR teams, particularly where requests arise during disputes. The following answers address the most common employer concerns.
1. What is a Subject Access Request?
A Subject Access Request is a statutory right under Article 15 of the UK GDPR allowing an individual to obtain a copy of their personal data and supplementary information about how that data is processed. In employment, it enables employees, former employees and applicants to access personal data held by their employer.
2. How long does an employer have to respond to a Subject Access Request?
An employer must respond without undue delay and within one month of receipt. This can be extended by up to two further months where the request is complex or multiple requests have been received, provided the individual is informed within the original one-month period.
3. Can an employer refuse a Subject Access Request?
Yes, but only in limited circumstances. An employer may refuse if the request is manifestly unfounded or manifestly excessive, or where a statutory exemption applies under the Data Protection Act 2018. The threshold for refusal is high and must be justified and documented.
4. Does an employer have to provide internal emails?
If internal emails contain the employee’s personal data, they may fall within scope. However, employers can redact third-party information or withhold material covered by legal professional privilege or other exemptions.
5. Can an employer charge a fee?
Subject Access Requests must generally be handled free of charge. A reasonable administrative fee may be charged only where the request is manifestly unfounded or manifestly excessive, or where the individual asks for additional copies of data already provided.
6. Can an employee make repeated Subject Access Requests?
Employees are entitled to make multiple requests. However, repetitive requests for the same information within a short period may be considered manifestly excessive, depending on the circumstances.
7. What happens if an employer ignores a Subject Access Request?
Failure to respond may result in a complaint to the Information Commissioner’s Office, regulatory investigation, court proceedings and potential compensation claims for distress or financial loss.
Conclusion
A Subject Access Request is a routine feature of modern employment relationships, but it carries significant legal weight. For employers and HR professionals, compliance is not simply about locating documents. It requires structured handling, strict deadline management, and careful application of statutory exemptions.
The right of access under the UK GDPR is broad, and the thresholds for refusal are deliberately high. Employers must respond within one month unless a lawful extension applies, conduct reasonable and proportionate searches, redact third-party data where necessary, and document every decision made. Poor handling can expose the organisation to ICO investigation, court orders, and compensation claims.
In practice, many Subject Access Requests arise during grievances, disciplinary proceedings or redundancy consultations. This makes them both a regulatory issue and a litigation risk. A proactive compliance framework, including clear internal policies, trained managers and robust information management systems, is essential. DSARs may also arise in sensitive contexts such as protected disclosures, and employers should ensure their approach is consistent with governance expectations set out in their whistleblowing policy.
Handled correctly, a Subject Access Request is a manageable legal process. Handled poorly, it can quickly become a costly compliance failure.
Glossary
| Term | Definition |
| --- | --- |
| Subject Access Request (DSAR) | A statutory right under Article 15 of the UK GDPR allowing an individual to obtain a copy of their personal data and information about how it is processed. |
| UK GDPR | The United Kingdom General Data Protection Regulation, which governs the processing of personal data in the UK. |
| Data Protection Act 2018 (DPA 2018) | UK legislation that supplements the UK GDPR, including exemptions and enforcement provisions. |
| Personal Data | Any information relating to an identified or identifiable individual. |
| Data Controller | The organisation that determines the purposes and means of processing personal data. In employment, this is usually the employer. |
| Manifestly Unfounded | A high legal threshold allowing refusal of a Subject Access Request where the request is abusive or made with no genuine intention of exercising the right of access. |
| Manifestly Excessive | A high threshold permitting refusal or a fee where a request is clearly disproportionate, commonly due to repetition without reasonable interval. |
| Legal Professional Privilege | A protection allowing an employer to withhold privileged communications with legal advisers. |
| Information Commissioner’s Office (ICO) | The UK’s supervisory authority responsible for enforcing data protection law. |
Useful Links
| Resource | Link |
| --- | --- |
| ICO: Right of access (Subject access requests) | https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access/ |
| UK GDPR: Article 15 (Right of access) | https://www.legislation.gov.uk/eur/2016/679/article/15 |
| Data Protection Act 2018 | https://www.legislation.gov.uk/ukpga/2018/12/contents |
| ICO: Employment practices and data protection | https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/employment/ |
