Guide to responding to a Data Subject Access Request

As an employer, you must comply with a data subject access request without undue delay and usually within one month of receiving the request. This time limit may be extended in exceptional circumstances by a further two months if the request is particularly complex or time-consuming.

Personal data is information that relates to an identified or identifiable individual. For example, this could include their name, identification number, location data, or an IP address or cookie identifier. In certain circumstances, it can also include specific characteristics of that person (e.g. physical, mental, economic or social characteristics).

The majority of personal data will be held on the employer’s main servers; however, it may also be held on backup servers, hard drives or mobile devices.

Under the GDPR, the old £10 fee was abolished so now you can only make a charge if the request is “manifestly unfounded or excessive” in which case you can charge a reasonable fee or refuse to respond altogether.

What employee data can you withhold?

You do not always need to hand over every single piece of personal data.

There is no obligation to comply with a DSAR in relation to:

  • information which relates to a third party which can be identified from the personal data of the employee making the DSAR, unless the third party consents to the disclosure or it is reasonable in all the circumstances for you to comply with the DSAR without the third party’s consent. You can release a document that refers to such data if you can redact/black out any information which would identify the third party.
  • confidential references given by you. This doesn’t work the other way around, so any references received by you in relation to the employee when he/she started with you will have to be released, subject to the rules on disclosure of third party information.
  • personal data processed in connection with management forecasting or planning to the extent that complying with the request would prejudice the conduct of your business. For example, if information relating to, say, a staff redundancy programme were to be disclosed in advance of it being announced to the rest of your workforce, this would arguably prejudice the conduct of your business.
  • health records where disclosure would be likely to cause serious harm to the physical or mental health of the employee or any other person.
  • personal data subject to legal professional privilege including confidential communications made for the purpose of giving or receiving legal advice from lawyers – not HR consultants or even in-house lawyers in certain circumstances (see below).
  • personal data which consists of records of intentions in relation to negotiations between the employer and the employee, disclosure of which would be likely to prejudice those negotiations.

Beware…

Legal professional privilege does not apply to documentation between your business and an HR consultant (internal or external to your business) or given by in-house legal counsel where the dominant purpose of its creation was not current or potential litigation.

So, for example, if you are thinking about exiting an employee and you are advised on the process by an HR consultant, any communications (some of which may be highly detrimental to your case) may have to be disclosed if the employee makes a DSAR. They may also have to be disclosed in any litigation.

The safest way to protect your communications is to instruct an employment lawyer to advise you on the possible risks to your business of exiting the employee so that legal professional privilege will attach and protect such communications.

The growth in the nature and quantity of data held by employers about their staff has made compliance with subject access requests increasingly onerous. Understanding from the outset how to respond to such requests is crucial, as failing to comply within the usual one-month time limit can expose your business to a claim for compensation, enforcement/criticism by the Information Commissioner’s Office (ICO), Court or tribunal.

Conversely, inadvertently going beyond what is legally required is likely to waste your time/resources and may result in you exposing your business to unnecessary risk by giving the employee material that could be used against you.

Obtaining legal advice as soon as you receive a request and planning how to respond and process that request is likely to save you significant amounts of management and administrative time, control your costs and risk, and prevent the provision of material that could properly be withheld.

Here are our top tips for dealing with requests:

The request 

Although a request will normally be in writing, it can also be made verbally. You should not try to delay (or ignore) dealing with a request on the basis it does not mention the Data Protection Act 2018 or the General Data Protection Regulation (GDPR) or because it does not explicitly state it is a subject access request. A subject access request does not have to include either; it just has to be clear that the individual is asking for their own personal data. Similarly, you cannot require the employee to use a specific form/document to make a request. We advise employers to have a Privacy Notice in place for their employees which sets out the preferred process for making a subject access request.

Diarise

Always diarise to deal with a request well in advance of the one-month deadline. Missing the deadline will be looked upon unfavourably by the ICO, Court or Tribunal. Make sure you leave time for checking any data obtained from your searches, as legal input will often be needed in deciding what has to be disclosed and what can be excluded or needs blanking out.

Be sure of the applicant’s identity

You should ensure that you are certain of the applicant’s identity before you provide any personal data. If you have any doubts about the identity of the individual, you can ask for more information from them to confirm their identity. The period of responding to the subject access request begins from when you receive the additional information.

The inadvertent or wrongful disclosure of personal data to the wrong person is treated extremely seriously by the ICO.

Third party request

If you receive a third party request on someone else’s behalf you should obtain satisfactory written evidence of their authority from the subject of the data before proceeding. You should seek legal advice if you are uncertain whether you should proceed.

Personal Data

The applicant is entitled to copies of their personal data held by you. The concept of “personal data” is not static – the scope of the term has changed over the years – and the Courts, EU, and ICO all have different interpretations.

The search

The obligation on you is to carry out a reasonable and proportionate search for the applicant’s personal data. There is no requirement to ‘leave no stone unturned’. You cannot refuse to check for any data merely because responding to the request may be labour intensive or inconvenient, but you can push back if the request is manifestly unfounded or excessive. So, for example, where the request and related grievance concern a particular event and the applicant asks for all their personal data over the many years since they started, you may be able to seek to limit this to the period around the date of the event. That said, you should always provide a full copy of the personnel file (subject to any applicable redactions).

In certain circumstances you can refuse to act on the request if it is manifestly unfounded or excessive e.g. it is a repeated request. If so, you must tell the employee without delay and at the latest within one month of receipt of the request and give reasons for not taking action. Employers must also tell the employee of the possibility of complaining to the ICO and taking legal proceedings. However, where possible, employers should first try to engage with the employee and seek to limit the request.

Exempt data

As above, certain data is exempt from a request. In particular, this includes personal data processed in connection with management forecasting or planning to the extent that complying with a request would prejudice the conduct of the business. Similarly, you do not need to provide material that is subject to legal professional privilege. There are several other categories of exemption, including data which also relates to third parties.

The disclosure

There is no obligation to provide an original document (e.g. a letter) containing personal data – if the information constituting personal data is contained in the document a copy must be supplied.

The information should be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language (e.g. on paper or disk).

Intelligible form

The obligation to provide information in an intelligible form means that it must be understandable to the “average person”, not that it is intelligible to the particular individual. Accordingly, there is no obligation to make the material legible or to translate it into the applicant’s mother tongue. However, where information is denoted by the employer’s use of codes etc., a key should be included so the applicant can understand the information.

Response letter

In addition to providing the applicant’s personal data, the employer’s response letter should set out:

  1. whether personal data has been processed;
  2. the purposes of data processing;
  3. categories of personal data processed;
  4. recipients or categories of recipients who receive personal data from the data controller;
  5. where possible, how long the data controller stores the personal data, or the criteria the data controller uses to determine retention periods;
  6. information on the personal data’s source if the data controller does not collect it directly from the data subject;
  7. whether the data controller transfers personal data outside of the jurisdiction to a country that does not provide an adequate level of data protection, and if so, the safeguards used to secure the transfer; and
  8. whether the data controller uses automated decision-making, including profiling, the auto-decision logic used, and the consequences of this processing for the data subject.

It should also notify the data subject of their right to:

  1. request correction or erasure of their personal data;
  2. restrict or object to certain types of personal data processing; and
  3. make a complaint to the ICO.

Careful consideration should be given to whether to disclose that any data has been withheld from disclosure, and for what reasons.

Complying with subject access requests requires up-to-date technical legal knowledge of this challenging and ever-evolving area. Similarly, knowing how to limit the scope of the search can be invaluable – especially when an employee is fishing for ammunition to support a claim against your organisation.

And finally…

Dealing with DSARs can be a significant drain on the resources of your business. Not responding is not an option – the Information Commissioner can hand out fines of up to 20 million Euros or 4% of the group worldwide turnover (whichever is greater).

If you need advice or have any questions in relation to Data Subject Access Requests or GDPR, please contact David Greenhalgh on 020 3603 2177 and we can give you advice on the best way to fulfill your obligations quickly and efficiently.


This article/blog is for reference purposes only. It does not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking or deciding not to take any action.
