A Subject Access Request (SAR) is one of the most common data protection requests employers receive. Employees frequently make these requests during workplace disputes, disciplinary procedures, grievances or employment tribunal claims.

Understanding how to respond properly is essential. Organisations that fail to comply with UK data protection law may face significant fines, reprimands and enforcement action from the Information Commissioner’s Office (ICO), as well as potential claims from affected individuals.

This guide explains what a Subject Access Request is, how the law works, and the practical steps employers should follow when responding.

Although this guide focuses on employers responding to employee requests, most of the principles also apply to any organisation responding to a Subject Access Request from an individual.

What Is a Subject Access Request?

A Subject Access Request (SAR) is a request made by an individual asking an organisation to provide the personal data it holds about them.

This right is set out in:

  • The UK General Data Protection Regulation (UK GDPR)
  • The Data Protection Act 2018
  • Amendments introduced by the Data (Use and Access) Act 2025

The right of access has existed in UK data protection law since 1984, but the volume of personal data organisations now process, particularly through digital communications, means that responding to SARs can be far more complex than in the past.

What Counts as Personal Data?

Under UK GDPR, personal data means:

Any information relating to an identified or identifiable living individual.

This includes information that can identify someone directly or indirectly, such as:

  • Name
  • Identification number
  • Location data
  • Online identifiers
  • Information relating to a person’s physical, economic or social identity

In an employment context, personal data commonly includes:

  • Personnel records
  • Performance reviews
  • Disciplinary documents
  • Emails referring to the employee
  • Payroll and benefits information
  • CCTV footage
  • Internal communications discussing the employee

Importantly, personal data only relates to living individuals. If an employee dies before a response is provided, the information ceases to be personal data and the employer is not obliged to respond to the SAR.

What Employees Are Entitled to Receive

If an employee makes a valid SAR, they are entitled to:

1. Confirmation that their personal data is being processed

The employer must confirm whether it holds personal data about the employee.

2. A copy of the employee’s personal data

The employee is entitled to a copy of the personal data being processed, although this does not necessarily mean the employee has the right to copies of all documents.

In practice, employers often provide copies of documents with redactions where necessary.

3. Information explaining how the data is used

Employers must also provide certain additional information, including:

  • The purpose of processing the personal data
  • The categories of personal data
  • The recipients or categories of recipients the data has been shared with
  • The retention period for the data
  • The source of the data, if it was not obtained directly from the employee
  • Whether automated decision-making or profiling is used
  • The employee’s data protection rights
  • The right to complain to the Information Commissioner’s Office (ICO)

If personal data is transferred outside the UK, for example to another country or international organisation, the employee must also be informed about the safeguards in place to protect their data.

Much of this information should already be contained in an organisation’s employee privacy notice, which can be provided as part of the response. It can be accompanied by the other compliance documents an employer must legally have in place to process an employee’s personal data lawfully, including a Data Retention Policy, Internal Data Protection Policy, Appropriate Policy Document and, preferably, a Response Procedure for Data Subject Requests. If you are an employer and do not have these in place, please get in touch with us.

Information Must Be Clear and Accessible

When responding to a SAR, employers must ensure that the information provided is:

  • Concise
  • Transparent
  • Intelligible
  • Easily accessible
  • Written in clear and plain language

Employers should also be able to explain how they handled the request, including the steps taken to locate personal data and the searches carried out.

How an Employee Can Make a Subject Access Request

One important point is that there are no formal requirements for making a SAR.

Employees can make a request:

  • In writing
  • By email
  • Through social media
  • Verbally
  • To any part of the organisation

They do not need to say “subject access request” or refer to the UK GDPR.

Because of this, organisations should train staff to recognise SARs when they arise.

It is good practice for employers to:

  • Provide a standard request form, and
  • Ask employees to send requests to a specific contact person (for example HR or a data protection officer)

However, employees cannot be forced to use the form, and requests remain valid even if they are made informally.

Step-by-Step: How Employers Should Respond to a SAR

1. Verify the Identity of the Employee

Before disclosing personal data, employers must ensure the request actually comes from the employee.

If there are reasonable doubts about identity, employers can request verification such as:

  • Passport
  • Driving licence
  • Utility bill
  • Other identifying documentation

The timeline for responding begins once the employee’s identity has been sufficiently verified.

In many employment situations, additional ID will not be necessary because the employer already knows the employee.

2. Assess the Request

After receiving the SAR, the employer should conduct an initial assessment to determine:

  • Whether it holds personal data about the employee
  • The scope of the request
  • Whether clarification is needed
  • How the data will be located

If it is unclear whether the employee is making a SAR, the employer should contact them promptly to clarify.

3. Clarify the Scope of the Request

SARs are often phrased very broadly, for example asking for:

“All personal data you hold about me.”

Where organisations hold large amounts of information, they may ask employees to clarify:

  • Relevant time periods
  • Particular issues (for example redundancy or disciplinary matters)
  • Individuals involved
  • Types of documents or communications

This can help the employer carry out a reasonable and proportionate search.

However, employees cannot be forced to narrow the request. The employer must still comply with the request if clarification is refused.

4. Search for Personal Data

Employers must carry out a reasonable and proportionate search for personal data.

Since changes introduced by the Data (Use and Access) Act 2025, employees are only entitled to information that the employer can provide based on a reasonable and proportionate search.

Typical sources of personal data include:

  • Email systems
  • HR databases
  • Personnel files
  • Messaging platforms
  • CCTV systems
  • Social media accounts used by the organisation
  • Work computers and devices

Emails are often the most time-consuming part of a search because they frequently contain unstructured information involving multiple individuals.

Determining Whether a Request Is Complex

Employers may extend the deadline for responding if a request is complex.

Examples of factors that may contribute to complexity include:

  • Technical difficulties retrieving archived information
  • Searching large volumes of unstructured records
  • Applying exemptions involving sensitive information
  • Obtaining specialist legal advice
  • Clarifying confidentiality concerns around medical data
  • Situations where multiple requests are made simultaneously, such as:
    • a Subject Access Request
    • a request for erasure
    • a request for data portability

However, it is important to note that a request for a large amount of information does not automatically make the request complex or excessive.

Complexity depends on the specific circumstances of the organisation and the request.

Time Limits for Responding

Employers must respond:

Within one month of receiving the request. Public holidays do not extend this period. If the following month has no corresponding date (for example, a request received on 31 January), the deadline falls on the last day of that month, so the period can be as short as 28 days in practice.

The one-month period starts from the latest of the following events:

  • The date the request is received
  • The date the employee’s identity is verified
  • The date any applicable fee is paid

The deadline may be extended by up to two additional months where the request is complex.

If an extension is required, the employee must be informed within the first month. The timeline can also be paused where clarification is genuinely required from the employee, provided the employee is told that the clock has stopped until the clarification is received.

Can an Employer Refuse a SAR?

In limited circumstances, an employer may refuse to comply with a request that is manifestly unfounded or manifestly excessive (which can include requests for additional copies of data already provided).

Examples may include:

  • Requests made solely to harass or disrupt the organisation
  • Requests that repeat previous requests without reasonable justification
  • Requests intended to obtain leverage in negotiations
  • Requests that are not limited to focused or specific information where there are thousands (or even hundreds of thousands) of data entries relating to the employee

However, employers should be cautious about refusing SARs. The ICO expects organisations to justify clearly why a request is manifestly unfounded or excessive.

If an employer refuses a request, it must explain:

  • The reasons for the refusal
  • The employee’s right to complain to the ICO
  • The employee’s right to seek a court remedy

Can Employers Charge a Fee?

SAR responses are usually free of charge.

However, employers may charge a reasonable fee where a request is manifestly unfounded or excessive.

The fee can reflect administrative costs such as:

  • Staff time
  • Copying
  • Printing
  • Postage

However, the fee must be reasonable, and it is advisable for organisations to create a clear and accessible charging structure explaining how fees are calculated.

If the employer asks the employee whether they are willing to proceed with the request subject to the fee, and no response is received within one month, it would generally be reasonable to close the request.

The same practical approach can also apply where the employer seeks clarification on a complex, unclear or potentially excessive request and does not receive a response within a reasonable period.

Redacting Information About Other Individuals

A SAR may involve information that also identifies other individuals.

For example:

  • Emails discussing the employee
  • Complaint records
  • Witness statements

Employers must balance:

  • The employee’s right to access their data
  • The privacy rights of the other individual

Possible solutions include:

  • Obtaining the other individual’s consent
  • Redacting identifying information
  • Providing a partial summary of the data. Summaries should be used with great care, only where the rights of others override the employee’s right to the fuller context, and the fact that a summary has been provided should be made clear.

Exemptions That May Apply

Certain categories of information may be withheld from a SAR response, including:

  • Legally privileged communications
  • Confidential employment references
  • Management forecasting or planning information
  • Records relating to negotiations with the employee

These exemptions are set out in the Data Protection Act 2018.

Complaints and New Requirements from 2026

From 19 June 2026, organisations must also facilitate complaints made directly to them about data protection issues.

This may include:

  • Providing a complaints form
  • Allowing complaints to be submitted electronically

Organisations must:

  • Acknowledge a complaint within 30 days, and
  • Take appropriate steps to respond

Employees will still have the right to escalate complaints to the Information Commissioner’s Office (ICO) if they are dissatisfied with the organisation’s response.

What Happens If an Organisation Gets It Wrong?

Failure to comply with UK GDPR requirements can lead to:

  • ICO investigations
  • Significant regulatory fines
  • Enforcement notices
  • Civil claims from individuals

Employers should therefore ensure they have clear procedures for handling SARs.

Final Thoughts

Subject Access Requests are now a routine part of workplace data protection compliance, particularly in employment disputes.

Employers should ensure they:

  • Recognise SARs quickly
  • Verify identity appropriately
  • Conduct reasonable and proportionate searches
  • Respond clearly and transparently
  • Meet the one-month legal deadline

With the right internal procedures in place, responding to SARs becomes much more manageable and reduces legal risk for your organisation.

This article is not legal advice. There are nuanced areas of the law in respect of responding to a SAR, which can be complex and risky. Please get in touch with us for assistance.