DSARTracker

Employee Subject Access Request Template: What UK Employers Must Include

Published 31 March 2026 · Last reviewed 15 March 2026

When an employee submits a subject access request, you need to disclose every category of personal data you hold about them — not just their personnel file. That means HR records, emails, performance reviews, payroll data, and anything else where they are identifiable.

This guide covers the specific data categories employers typically hold, what goes into the response, and what you can legitimately withhold. Use the SAR response letter generator to create a compliant response letter.

This guide covers employer SAR responses under UK GDPR and the Data Protection Act 2018. It is not legal advice. For SARs linked to tribunal claims, seek specialist legal counsel.

Data categories employers must search

Employee SARs are broader than most employers expect. Under UK GDPR Article 15, you must provide all personal data you hold about the requester — not just what you think is relevant. The DUAA 2025, section 78 introduces a "reasonable and proportionate search" standard, but that sets the floor for how thoroughly you must look — it does not limit which data categories you must search.

Typical categories for employee SARs:

  • HR/personnel records: Application forms, interview notes, offer letters, contracts, amendments, probation reviews, appraisal records, sickness absence records, return-to-work notes
  • Payroll and benefits: Salary records, tax documents, pension data, benefit elections, expense claims
  • Performance management: Performance reviews, objective-setting records, capability meeting notes, personal development plans
  • Disciplinary and grievance: Investigation files, hearing notes, outcome letters, appeal records, warnings
  • Emails and messages: Any email, Teams/Slack message, or internal communication where the employee is named or identifiable — including emails about them between managers
  • IT and access records: Login records, access card data, device monitoring logs (if you have a monitoring policy)
  • CCTV: Footage where the employee is identifiable (if applicable — check your retention policy)
  • Occupational health: OH referrals, reports, and fitness-to-work assessments (note: some medical data may have separate exemptions under the ICO's right of access guidance)

What catches employers out: Emails between managers discussing the employee. These are personal data about the employee even though the employee is not a sender or recipient. You must search email inboxes beyond the employee's own account.

What your response must include

Under Article 15, the response must provide:

  1. Confirmation that you process the employee's personal data
  2. A copy of the personal data (in an accessible format)
  3. Supplementary information: the purposes of processing, categories of data, recipients the data has been shared with, the retention period, and the employee's rights (rectification, erasure, complaint to the ICO)

Practical response structure:

  • Cover letter summarising what is enclosed (use Free Subject Access Request Templates for the correct template)
  • Index listing each document or data category provided
  • The data itself, organised by category
  • A schedule of any data withheld, with the exemption relied on
  • A note on the search conducted (systems, date ranges, search terms)

What you can withhold

Not everything goes into the response. The DPA 2018 Schedule 2, Part 4 exemptions most commonly relied on in employee SARs are:

  • Legal professional privilege (paragraph 19): Solicitor advice on the employee's case
  • Management forecasts (paragraph 22): Restructuring plans naming at-risk employees
  • Negotiations (paragraph 23): Settlement strategy ("we'll offer up to £15K")
  • Confidential references (paragraph 24): References you gave in confidence

Each exemption applies to specific documents, not categories. See SAR Exemptions Explained for detailed guidance, or use the SAR exemption checker for a guided walkthrough.

Third-party redaction: Emails mentioning other employees by name must be redacted to remove their identifiable details — unless they have consented or disclosure is reasonable in the circumstances.

Common mistakes in employee SAR responses

Searching too narrowly. Only searching the personnel file and missing emails, Teams messages, and manager correspondence. The ICO will ask what systems you searched.

Applying blanket exemptions. Withholding "all legal files" under privilege when only specific solicitor advice letters are privileged. Each document must be assessed individually.

Missing the deadline. Employee SARs often arrive during disputes when workloads are highest. Use the SAR deadline calculator to track the one-month deadline — and the stop-the-clock provisions if you need identity verification.

Over-disclosing third-party data. Sending unredacted emails that reveal other employees' personal information. Redact names and identifiable details of third parties.

For the full SAR response process, see How to Respond to a Subject Access Request from an Employee.

Frequently asked questions

Does an employee SAR cover emails about them? Yes. Any email where the employee is named or identifiable is their personal data — even if they were not a sender or recipient. You must search relevant managers' inboxes.

Can a former employee make a SAR? Yes. The right of access applies regardless of whether the person is a current or former employee. You must search all data you still hold, subject to your retention policy.

Does the employee have to explain why they want their data? No. Under UK GDPR, the requester does not need to give a reason. Even if the SAR is clearly motivated by a tribunal dispute, you must respond if the request is legitimate.
