Subject access requests – an employers’ guide

SARs can be a commercial and data protection minefield. Nicola Clarke explains what to do when staff ask for a copy of all their personal data


Awareness of data protection rights is increasing among employees. A key aspect of this is the subject access request (SAR), which gives workers the ability to access the personal data relating to them held by their employer.

Dealing with SARs carries many risks for employers, who must comply with data protection laws while protecting their businesses. It is vital that organisations understand the key facets of SARs, including the right to request, protocols for handling, data redaction and potential pitfalls to avoid.

The right to initiate a SAR

Under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR), employees have the right to request access to the personal data about themselves that their employer retains.

This includes copies of documents and communications which contain their personal data, and which a business might have thought were confidential (ie, between management).

This can also extend to data containing their initials, job title and anything else from which they can be identified. SARs are commonly made by employees contemplating or having brought an employment tribunal claim.

The Information Commissioner’s Office (ICO) emphasises the importance of responding to SARs promptly, typically within one month and without charge, unless the request is complex or part of multiple requests, which allows for an extension.

Effective protocols

  1. Acknowledgment and verification

Upon receiving a SAR, employers must acknowledge the request. They must also authenticate the identity of the employee making the request to avoid unauthorised access to data.

  2. Compilation and evaluation of data

Commence a comprehensive search across systems and databases to gather the requested data. This would include emails, personnel records and more.

While employees cannot be required to narrow their SAR, it might be reasonable to ask for clarification, such as whether the employee requires data over a particular time frame.

Subsequently, employers will need to review the collected data to ascertain its compliance with exemptions and make any necessary redactions.

  3. Data redaction

Redacting involves the alteration or removal of information that is not relevant to the employee. This is often the most troublesome part of responding to SARs, but particular points to bear in mind include:

  • it isn’t always necessary to provide complete chains of communication, just the parts which include the employee’s personal data

  • employers should redact third-party data, confidential business information and legally privileged communications.

Striking the balance

Transparency is pivotal to complying with SARs, but protecting sensitive information that could potentially jeopardise the business or third parties is equally vital. To ensure GDPR compliance, employers should:

  • Carve out sensitive data: pinpoint personal data you do not need to disclose

  • Question manifestly unfounded or excessive requests: these should be considered on a case-by-case basis. The ICO sets out useful guidance in circumstances where employers may be justified in refusing to provide personal data or charging a fee

  • Use suitable software: this can help to redact information effectively and minimise manual redaction to avoid accidental disclosure

  • Maintain records: keep accurate records of the redaction process, encompassing the criteria employed, individuals involved and rationales for data removal.

Common hurdles and precautionary measures

  • Third-party data: overlooking the redaction of third-party information is a common pitfall. Safeguarding the privacy of individuals not linked to the SAR is pivotal because non-compliance could lead to legal repercussions

  • Excessive redaction: striking the right balance between transparency and confidentiality is a challenge. Over-redaction might yield incomplete responses, raising suspicion

  • Missing timelines: failing to respond within the stipulated time frame could result in ICO penalties. To avert this, employers should institute an efficient SAR handling process to ensure timely responsiveness

  • Inadequate verification: failure to verify the requestor’s identity could result in unauthorised data disclosure. Therefore, employers should implement robust verification procedures.

As an employer, ensuring compliance with data protection laws not only shields your business from legal pitfalls but also underscores your commitment to respecting employee privacy and rights. By instituting a well-structured SAR management protocol, you establish a robust foundation for data protection.

Nicola Clarke is a senior associate in the employment team at Glaisyers ETL