The right to access your personal data is one of the key principles of UK data protection law. Enshrined in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, this right allows individuals to understand how their information is collected, stored, and used and gives them the right to access this information freely. In the workplace, this can be a powerful tool particularly during disputes or disciplinary processes.

This article explores what a subject access request (SAR) is, how to make one, and why they’ve become increasingly relevant in employment law.

What Is a Subject Access Request?

A subject access request (SAR) is a formal request made by an individual (a “data subject”) asking an organisation to disclose what personal information it holds about them and how it is being used. Essentially, a SAR is a request for access to your own data, whether that’s emails, notes, or other records where you’re identifiable.

In an employment context, this means you can ask your employer to provide the personal data they hold on you, and this can be done during an ongoing employment relationship or even after it ends. SARs can be made verbally or in writing, and there are no special words or legal phrases you must use. However, being specific helps: a broad or vague request may slow down the process or lead the employer to argue that it is “manifestly excessive.”

Who Can Make a SAR?

Any individual has the right to request their personal data, regardless of their employment status. That includes employees, workers, contractors, and even job applicants.

How to Make a Subject Access Request

While there is no formal process set out under the UK GDPR, following a clear structure can help ensure your request is dealt with properly. This checklist breaks down the key steps in making a SAR:

1. Identify the right contact – This is usually the organisation’s Data Protection Officer (DPO). Information on who holds this position can often be found on the organisation’s website, but you can also ask your manager or HR department.
2. Be specific – List the information or categories of data you’re looking for. Think about emails, meeting notes, appraisals, or communications where your name will be mentioned.
3. Make the request – This can be done in writing, by email, or verbally. If you are making a verbal request, it’s a good idea to follow up by letter or email so you have a clear record of the request.
4. Include your details – This will usually be your full name, contact information, and any relevant employment details that may help locate your data.
5. Mention the deadline – Remind your employer that they must respond within one month in most cases, although they can extend this by two months in complex cases.
6. State your legal right – Reference your right to access personal data for free under the Data Protection Act 2018 and UK GDPR.

What Must Your Employer Do?

Once a SAR is received, your employer must respond without undue delay and within one calendar month. They can only extend this timeframe if the request is particularly complex or involves multiple requests.

Employers are expected to carry out proportionate and reasonable searches and provide the requested data in an accessible format. They should also inform you if any exemptions apply (more on that below).

It’s best practice for employers to have a designated person or team, usually a Data Protection Officer, who handles SARs and ensures compliance.

When Can an Employer Withhold Information or Refuse a SAR?

There are limited circumstances in which an employer can refuse to comply with a SAR or redact certain information. These exemptions include:

• Third-party data: If the data includes information about another person (such as in a witness statement or whistleblowing report), it may be withheld unless consent is obtained or redaction is possible.
• Confidential references: References given in confidence for employment, education, or training purposes may be exempt provided they were genuinely confidential.
• Legal professional privilege: Communications between an employer and legal advisers (including legal advice about your employment) are protected and exempt from disclosure.
• Manifestly unfounded or excessive requests: An employer can refuse a request if it is clearly intended to harass, disrupt, or if it places a disproportionate burden on the organisation. However, this bar is high and the burden of proof is on the employer.

If an employer intends to rely on an exemption, they must be as transparent as possible. A decision to refuse a SAR or withhold certain information should not be taken lightly and may result in serious consequences if an exemption does not in fact apply.

What Happens if an Employer Fails to Comply?

Employers who fail to properly respond to a SAR may face serious consequences:

• ICO Enforcement – The Information Commissioner’s Office can investigate and impose enforcement notices or large financial penalties as they see fit.
• Lack of Credibility – in the event that an employee is pursuing a claim in the Employment Tribunal, an employer’s refusal to comply with a SAR may damage their credibility as a Respondent, bolstering the employee’s claim and potentially their prospects of success.
• Reputational Damage – A failure to engage with a SAR may reflect poorly on the organisation and erode trust with employees.

Why Use a SAR in an Employment Dispute?

SARs can be a valuable tool for employees involved in disputes or internal processes. Accessing your personal data can help you:

• Understand how your employer is processing your data.
• Check for unlawful or discriminatory processing.
• Gather evidence in support of a disciplinary, grievance, or tribunal claim.

Here are a few practical examples:

• Disciplinary Process – An employee facing misconduct allegations submits a SAR and discovers internal emails discussing the issue before any formal process began, raising concerns about bias.
• Grievance – A worker submits a SAR during a bullying complaint and obtains emails showing that management was aware of the issue and failed to act.
• Procedural Fairness – A SAR reveals inconsistent or conflicting witness statements, allowing an employee to challenge the fairness of the employer’s investigation.

Subject access requests are not just a legal right, they are a practical tool. Whether you’re preparing for a disciplinary hearing, raising a grievance, or pursuing a legal claim, a well-targeted SAR can reveal valuable insights and help level the playing field.

Contact Us Today

If you’re considering making a subject access request in the context of your employment, or if you’re an employer facing a complex SAR, we can help. Our team advises both employees and employers in employment disputes. For a free initial assessment of your case call us on 01642 843 667. Alternatively, complete our online contact form and one of our employment solicitors will be in touch.

Written by Olivia Heathcote, Employment Law