Subject Access Requests: How UK Employers Must Respond
A subject access request (SAR) gives any individual the right to obtain a copy of the personal data an organisation holds about them. For UK employers, SARs are one of the most common and most mishandled data protection obligations. Get it wrong and you face enforcement action from the Information Commissioner's Office (ICO), complaints to the tribunal, and reputational damage.
Since February 2026, the Data (Use and Access) Act 2025 has changed how employers must handle SARs. The new "reasonable and proportionate" search standard, combined with amended refusal rights, means existing SAR processes may already be out of date.
This guide explains exactly what UK employers must do when they receive a subject access request, including the 2026 rule changes, valid exemptions, and a practical step-by-step response process.
What Is a Subject Access Request?
A subject access request is a request made under Article 15 of the UK GDPR. It entitles the individual (known as the "data subject") to:
- Confirmation that you are processing their personal data
- A copy of that personal data
- Supplementary information about how and why you process it, including the purposes, categories of data, recipients, retention periods, and the source of any data not collected directly from them
In the employment context, this can cover an enormous range of material: emails mentioning the employee, HR file notes, performance reviews, disciplinary records, CCTV footage, sickness records, payroll data, internal messages between managers about the employee, and much more.
Why SARs Matter for Employers
SARs are increasingly used as a tactical tool in employment disputes. Employees (or their solicitors) frequently submit SARs before or alongside grievances, disciplinary appeals, or employment tribunal claims. The data disclosed can become evidence in proceedings.
Failing to respond properly can:
- Result in ICO enforcement, including fines of up to 17.5 million pounds or 4% of global annual turnover
- Undermine your position in tribunal proceedings
- Create an additional complaint (the SAR failure itself becomes a separate legal issue)
- Damage trust with the wider workforce
The Legal Framework
Subject access requests are governed by three key pieces of legislation:
- UK General Data Protection Regulation (UK GDPR), Article 15: the core right of access
- Data Protection Act 2018 (DPA 2018), Schedule 2, Part 2: exemptions relevant to employment
- Data (Use and Access) Act 2025: amendments to SAR rules effective from February 2026
If you are not already familiar with how the UK GDPR applies to your HR data, read our complete guide to GDPR for HR first. That covers the foundational obligations. This article builds on them with SAR-specific requirements.
Key Changes from the Data (Use and Access) Act 2025
The Data (Use and Access) Act 2025 introduced several important changes to how SARs work. These took effect in February 2026.
The "Reasonable and Proportionate" Search Standard
Previously, employers were expected to conduct exhaustive searches across all systems to locate every piece of personal data. The 2025 Act introduced a new standard: your search must be reasonable and proportionate, taking into account:
- The nature and sensitivity of the data requested
- The effort involved in locating and retrieving it
- The resources available to the organisation
- Whether the request can be made more specific
This does not mean you can conduct a superficial search and call it done. It means you can apply a proportionate approach. If an employee asks for "all data you hold about me" and you operate across 30 different systems, you are expected to search the systems where their data is reasonably likely to be held, not every obscure archive.
Strengthened Right to Refuse Vexatious or Excessive Requests
The 2025 Act clarified the employer's right to refuse requests that are "vexatious or excessive." This replaces the previous "manifestly unfounded or excessive" threshold. The bar remains high. You cannot refuse a SAR simply because it is inconvenient or arrives at a bad time. But you may refuse where:
- The request is clearly intended to cause disruption rather than exercise a genuine data protection right
- The individual has made repeated, overlapping requests with no reasonable purpose
- The volume of work required is grossly disproportionate to the purpose of the request
If you refuse a SAR, you must inform the requester within one month, explain your reasons, and tell them they can complain to the ICO or seek a judicial remedy.
Cost Recovery for Excessive Requests
Where a request is excessive but you choose to comply rather than refuse, the 2025 Act allows you to charge a "reasonable fee" to cover the administrative cost. You must notify the requester of the fee before proceeding. In practice, most employers will find it simpler to comply without charge, but the option exists for genuinely extreme cases.
How to Handle a Subject Access Request: Step by Step
Step 1: Recognise the Request
A SAR does not need to use specific words. The employee does not need to mention "subject access request," "Article 15," or "GDPR." Any clear request for their personal data qualifies. Examples:
- "I want a copy of my personnel file"
- "Send me all the emails you have about me"
- "I want to see what data HR holds on me"
SARs can be made verbally, by email, through a form, or even via social media. Train all managers and HR staff to recognise them.
Step 2: Log and Acknowledge
As soon as you identify a SAR, log it centrally. Record the date received, the identity of the requester, and what was requested. Acknowledge receipt promptly. While there is no statutory deadline for acknowledgement, best practice is to respond within five working days confirming you have received the request and explaining what happens next.
The one-month response clock starts on the day after you receive the request, not the day you acknowledge it or the day you start working on it.
Step 3: Verify Identity
You need to be reasonably satisfied that the person making the request is who they claim to be. For current employees, this is usually straightforward, as the request comes from their work email or is made in person. For former employees, you may need to request identification.
Do not use identity verification as a delaying tactic. Only request verification where you have genuine doubt. The ICO takes a dim view of employers who demand excessive proof to slow the process.
Step 4: Clarify the Scope (If Needed)
If the request is broad or ambiguous, you can ask the requester to be more specific. For example, if someone asks for "everything you have on me," you can ask whether they are interested in particular categories of data or specific time periods. Under the 2025 Act's proportionality standard, asking for clarification is encouraged.
However, you cannot refuse to act until the requester narrows the scope. If they decline to clarify, you must conduct a reasonable and proportionate search based on the request as stated. The clock pauses only if you genuinely need clarification to identify what is being requested.
Step 5: Search for the Data
Conduct a thorough search across all systems where the employee's data is reasonably likely to be held:
- HR information system (core personnel records, absence data, performance reviews)
- Email (search the employee's name and any aliases in relevant mailboxes)
- Line manager files (local notes, spreadsheets, one-to-one records)
- Payroll and finance systems (salary, tax, pension records)
- Occupational health records (if applicable)
- Disciplinary and grievance files (investigation notes, hearing minutes, outcomes)
- CCTV and access systems (if specifically requested or relevant)
- IT monitoring data (if applicable)
- Recruitment records (interview notes, references)
Document where you searched and what you found. This audit trail protects you if the requester or ICO later challenges whether your search was adequate.
Step 6: Review and Redact
Before disclosing, review every document for:
Third party data. Where documents contain personal data about other individuals (such as a colleague named in a disciplinary investigation), you must consider whether disclosing that data would be fair to the third party. In most cases, you should redact third party names and identifying details unless the third party has consented or it is reasonable to disclose without consent.
Exemptions. Several exemptions may apply (covered below). The most common in employment is legal professional privilege, where you can withhold communications with your lawyers about the employee.
Confidential references. References you have given about the employee to another employer are exempt from disclosure under Schedule 2, Part 3 of the DPA 2018. References you have received from a previous employer are not automatically exempt, but you should consider whether disclosure would identify the referee and whether that would cause harm.
Step 7: Compile and Deliver the Response
Your response must include:
- A copy of the personal data, in an intelligible form. If the request was made electronically, provide the data in a commonly used electronic format (such as PDF).
- Supplementary information required by Article 15(1)(a) to (h) of the UK GDPR: the purposes of processing, categories of data, recipients or categories of recipients, retention periods, the individual's rights, the source of data not collected from them, and whether automated decision-making applies.
Deliver the response securely. For sensitive HR data, use encrypted email or a secure file-sharing platform. Do not send unencrypted personal data by ordinary email.
Step 8: Meet the Deadline
The standard deadline is one calendar month from the day after receipt. If the request is complex or you receive multiple requests from the same person, you can extend by up to two additional months (three months total). You must notify the requester of the extension within the first month and explain why.
"Complex" means genuinely complex, not merely time-consuming. A request covering a long employment history across multiple systems may qualify. A standard request for a personnel file does not.
Common Exemptions Employers Can Use
The DPA 2018 provides several exemptions that may apply when responding to an employment SAR:
Legal Professional Privilege
Communications between you and your legal advisers (solicitors, barristers, in-house counsel) that were created for the purpose of obtaining or giving legal advice, or in connection with actual or anticipated legal proceedings, are exempt from disclosure. This is the most commonly used exemption in employment SARs.
Management Forecasting
Data processed for the purposes of management forecasting or management planning can be withheld if disclosure would prejudice those activities. For example, this exemption may apply if you are planning a restructure and the employee's SAR would reveal who is at risk of redundancy before the consultation process begins.
Negotiations
Data consisting of a record of your intentions in negotiations with the employee can be withheld if disclosure would prejudice those negotiations. If you have internal documents recording your settlement offer strategy, those may be exempt.
Confidential References
As noted above, references you have given are exempt. References you received are not automatically exempt but require careful consideration.
Crime Prevention and Detection
Data processed for the prevention or detection of crime is exempt if disclosure would prejudice that purpose. If you are investigating an employee for fraud and disclosure of the SAR response would tip them off, this exemption may apply.
What You Cannot Withhold
Some employers assume they can withhold material that is merely embarrassing, commercially sensitive, or critical of the employee. They cannot. The exemptions are specific and limited. You must disclose:
- Manager emails discussing the employee's performance (with third party names redacted where appropriate)
- HR notes from meetings with or about the employee
- Investigation findings (subject to ongoing investigation exemptions)
- Occupational health reports that the employee has not previously seen
- Any personal data that does not fall within a specific exemption
If in doubt, disclose. The ICO's position is clear: exemptions should be applied narrowly, and the default is disclosure.
SARs and Disciplinary or Grievance Processes
SARs frequently arrive during or immediately after disciplinary or grievance processes. Employees want to see the evidence used against them, the internal discussions about their case, and the decision-making process.
This is entirely legitimate. Do not treat a SAR as hostile or obstructive simply because the timing is inconvenient. Process it in the normal way, applying exemptions where they genuinely apply.
One common mistake: assuming that because a disciplinary investigation is ongoing, you can withhold all related data. The exemption for ongoing investigations is narrow. It only applies where disclosure would genuinely prejudice the investigation itself, not where it would merely be awkward.
SARs from Former Employees
You have the same obligations to former employees as current ones. The right of access continues for as long as you hold their data. If you have followed proper data retention policies, you will only hold data for as long as necessary, which limits the scope of any post-employment SAR.
Former employees often submit SARs through solicitors as a precursor to tribunal claims. The same rules and deadlines apply regardless of who submits the request on their behalf.
Building a SAR Process That Works
Rather than handling each SAR as a fire drill, build a repeatable process:
Assign a SAR lead. One person (typically in HR or data protection) owns every SAR from receipt to response. They coordinate searches, manage redaction, track the deadline, and sign off the response.
Create a SAR register. Track every request: date received, requester, scope, deadline, extension (if any), date responded, any refusals or exemptions applied.
Prepare template responses. Draft standard acknowledgement letters, extension notifications, and response cover letters. Adapt them for each case rather than starting from scratch.
Train managers. Front-line managers receive more SARs than they realise (the "can I see my file?" conversation). They need to recognise when a SAR has been made and escalate immediately.
Run periodic audits. Test your process. Pick a sample employee record and run a mock SAR. Can you locate the data across all relevant systems within the time limit? If not, fix the gaps before a real request exposes them.
Document everything. If the ICO investigates a complaint about your SAR response, your contemporaneous records of what you searched, what you found, what you redacted, and why will be your defence.
Penalties for Getting It Wrong
The ICO can take enforcement action if you fail to respond to a SAR, respond late, or fail to disclose data you should have included. Penalties range from a reprimand and enforcement notice to fines under the UK GDPR's tiering framework.
Beyond ICO action, the requester can bring a claim for compensation under Section 167 of the DPA 2018 for distress or damage caused by your failure to comply. In the employment tribunal context, SAR failures often become additional complaints that complicate and increase the cost of existing proceedings.
Practical Checklist: Responding to a SAR
Use this checklist for every subject access request your organisation receives:
- Recognise the request (it does not need to use specific words)
- Log the date received and start the one-month clock
- Acknowledge receipt within five working days
- Verify the requester's identity (proportionately)
- Clarify scope if genuinely needed (do not use this to stall)
- Search all systems where data is reasonably likely to be held
- Review for third party data, exemptions, and redaction needs
- Compile the response with supplementary information
- Deliver securely by the one-month deadline
- Record what was disclosed, withheld, and why
If you are unsure whether your current processes meet these requirements, our EmployeeKit Compliance Audit can identify gaps in your SAR handling and wider data protection compliance before they become problems.
FAQ
Q: Does a subject access request have to be in writing?
A: No. A SAR can be made verbally, by email, through a web form, or by any other means. There is no requirement for the request to be in writing, although you can ask the requester to confirm in writing to avoid misunderstandings. You cannot refuse to act on a verbal request.
Q: Can I charge a fee for responding to a subject access request?
A: In most cases, no. SARs are free. However, since the Data (Use and Access) Act 2025 took effect in February 2026, you may charge a reasonable fee if the request is excessive. You must notify the requester of the fee before proceeding. You cannot use fees as a deterrent for legitimate requests.
Q: What happens if I miss the one-month deadline?
A: You are in breach of Article 15 of the UK GDPR. The requester can complain to the ICO, which may investigate and take enforcement action. The requester can also bring a compensation claim under Section 167 of the DPA 2018. Late responses also damage your credibility if the matter progresses to a tribunal.
Q: Can I refuse a subject access request from an employee who is in a disciplinary process?
A: No. The fact that an employee is subject to a disciplinary process does not give you grounds to refuse their SAR. You must process it in the normal way. You may apply specific exemptions (such as legal professional privilege or the narrow ongoing investigation exemption) where they genuinely apply, but you cannot refuse the entire request.
Q: Do I have to include emails between managers that mention the employee?
A: Yes, if those emails contain the employee's personal data. You should redact personal data about third parties where disclosure would be unfair to them, but the employee is entitled to see data about themselves, including opinions and assessments expressed in internal communications.
Q: How long do I have to keep records that might be subject to a SAR?
A: You should only retain personal data for as long as necessary for the purpose it was collected. Once your retention period expires, delete or anonymise the data. You are not required to keep data specifically in case a SAR arrives. Your data retention policy should set clear timescales for each category of HR data.
About the author
Rees Calder
Founder and Editor · Oxford, UK
Rees founded EmployerKit to give UK SME owners plain-English guidance on employment law. He runs Levity Leads and consults as a CMO. All content on the site is researched from primary sources (ACAS, GOV.UK, ONS, MoJ, CIPD, TPR, EHRC) and reviewed before publication. Rees is not a lawyer. EmployerKit is written for UK employers who need to act, not for employees looking up their rights.