Handling Subject Access Requests (SARs) in Line with UK Employment Law
Subject Access Requests (SARs) are a fundamental part of UK data protection law, allowing individuals to request access to their personal data held by an organisation. For employers, handling SARs correctly is essential to ensure compliance with the UK GDPR and the Data Protection Act 2018. Failure to respond appropriately can lead to fines, reputational damage, and legal disputes.
This article provides a comprehensive guide on how SMEs can effectively manage SARs while balancing legal obligations and operational efficiency.
What Is a Subject Access Request (SAR)?
A Subject Access Request (SAR) is a formal request from an individual asking for access to the personal data that an organisation holds about them. This includes:
- Personal details (e.g., name, address, employment records).
- Emails, notes, or documents referencing the individual.
- Information on how their data is processed and shared.
SARs can be submitted by current or former employees, job applicants, or any individual whose data is held by the organisation.
Legal Obligations for Employers
Under the UK GDPR, employers must:
- Respond to SARs within one month of receiving the request.
- Provide a copy of the requested personal data unless exemptions apply.
- Explain how the data is used, stored, and shared.
- Ensure the request is handled securely and confidentially.
If the request is complex, employers may extend the response time by up to two months, but they must inform the requester of the delay.
Recognising a Valid SAR
SARs do not need to follow a specific format. Employees can submit requests:
- Verbally or in writing.
- Via email, letter, or even social media.
- Without using the term “Subject Access Request.”
For example, an employee asking, “Can I see my HR file?” or “What information do you hold on me?” qualifies as a SAR. Employers must ensure staff are trained to recognise and escalate such requests appropriately.
How to Handle a SAR Effectively
Verify the Requester’s Identity
Before processing a SAR, employers should confirm the identity of the requester to prevent unauthorised data access. If necessary, request proof of identity (e.g., passport, driving licence).
Clarify the Scope of the Request
If the SAR is broad, employers can ask the requester to specify the information they need. This helps streamline the process and ensures relevant data is provided.
Conduct a Thorough Data Search
Employers must search all relevant systems, including:
- HR records and personnel files.
- Emails and internal communications.
- Payroll and attendance records.
- CCTV footage (if applicable).
Apply Exemptions Where Necessary
Certain information may be withheld under Data Protection Act exemptions, including:
- Third-party personal data (unless consent is obtained).
- Legally privileged documents (e.g., legal advice).
- Confidential references provided for employment purposes.
Provide the Data in a Clear Format
Employers should present the requested information in a structured, accessible format, ensuring clarity and completeness.
Communicate the Response Professionally
The response should include:
- A copy of the requested data.
- An explanation of how the data is used.
- Details of any withheld information and the reasons for doing so.
Common Challenges & How to Overcome Them
Handling Excessive or Repetitive Requests
If an individual submits multiple SARs within a short period, employers may refuse the request if it is manifestly excessive. However, they must justify this decision and inform the requester.
Balancing SARs with Ongoing Disputes
Employees often submit SARs during grievances, disciplinary proceedings, or tribunal cases. Employers must still comply but can withhold legally privileged documents.
Managing Third-Party Data
If a SAR includes information about other individuals, employers must assess whether disclosure is reasonable or whether redaction is necessary.
Consequences of Non-Compliance
Failure to respond to a SAR correctly can result in:
- ICO investigations and fines.
- Legal claims from employees.
- Reputational damage.
Recent ICO guidance emphasises that employers must take SARs seriously, ensuring timely and compliant responses.
Final Thoughts
Handling SARs effectively is crucial for legal compliance and employee trust.
At The HR Team, we help businesses navigate SARs, ensuring compliance while protecting sensitive data. If you need support in handling SARs or reviewing your data protection policies, get in touch—we’re here to help!