
How to Respond to a Subject Access Request from an Employee: The Complete UK Employer Guide

Published 17 February 2026 · Last reviewed 10 March 2026

An ex-employee's solicitor emails on a Friday afternoon asking for "all personal data you hold." You have one calendar month to respond — and no idea where to start.

This guide walks UK employers through every step of responding to a subject access request (SAR), from the moment it arrives to dispatching a compliant response with an audit trail the ICO can review.

This guide covers UK employer obligations under UK GDPR and the Data Protection Act 2018. It is not legal advice. For complex SARs — particularly those linked to employment tribunal proceedings — seek specialist legal counsel.

What counts as a subject access request?

A SAR is a request by an individual to see the personal data your organisation holds about them. Under UK GDPR Article 15, anyone — employees, ex-employees, job applicants, contractors — can make one.

The request does not need to:

  • Use the words "subject access request" or "SAR"
  • Be in writing — verbal requests count
  • Follow a specific format or use your form
  • Give a reason

A message saying "send me everything you have on me" is a valid SAR. So is a solicitor's letter requesting "all personal data relating to our client." The ICO's employer SAR guidance confirms that requests can arrive by email, letter, social media, or even verbally in a meeting.

Practical tip: Train anyone who receives external correspondence — reception, HR, office managers — to recognise SARs. The clock starts when anyone in your organisation receives the request, not when it reaches the right person.

The 1-month deadline (and when you can extend it)

You must respond within one calendar month of receiving the SAR. If the SAR arrives on 15 March, your deadline is 15 April.

Three situations affect the deadline:

1. Identity verification pauses the clock. Under section 76 of the Data (Use and Access) Act 2025 (in force since 5 February 2026), the response period does not start running until you receive the identity information you have requested. If you ask for ID verification on day 1 and receive it on day 10, those 10 days do not count.

2. Clarification requests also pause the clock. The same DUAA 2025 provision allows the clock to stop while you wait for the requester to narrow a broad request. If someone asks for "everything" and you reasonably need them to specify which systems or time periods, the period between your clarification request and their response does not count toward the deadline.

3. Complex requests get a 2-month extension. If the request is genuinely complex — large volumes of data across multiple systems, or multiple simultaneous requests from the same person — you can extend by a further two months. You must notify the requester within the first month and explain why the extension is needed.

What happens if you miss the deadline? The requester can complain to the ICO. According to the ICO's annual report, SAR complaint volumes rose 23% year-on-year, with over 16,000 complaints in 2022-23 alone. The ICO has issued reprimands and enforcement notices for SAR handling failures. In an employment tribunal context, a late or incomplete response can damage your credibility with the tribunal.

For a detailed breakdown of deadlines, extensions, and the new stop-the-clock rule, see Subject Access Request Time Limit UK. Use the SAR deadline calculator to work out your exact deadline, including stop-the-clock adjustments.
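As an added example (not part of the original guide or the DSARTracker tools), the deadline arithmetic described above in Python: one calendar month from receipt, with stop-the-clock pauses added back and the optional two-month extension. It assumes that where the following month has no matching date the deadline falls on that month's last day, and that a pause counts the days between your request and the requester's reply.

```python
from datetime import date, timedelta
import calendar


def add_calendar_months(d: date, months: int) -> date:
    """Advance d by whole calendar months (15 March -> 15 April).
    Assumed convention: if the target month is shorter, clamp to its
    last day (31 January -> 28 or 29 February)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def sar_deadline(received: date, pauses=(), extended: bool = False) -> date:
    """Response deadline for a SAR received on `received`.

    pauses   - iterable of (request_sent, reply_received) date pairs for
               identity-verification or clarification requests; the days
               between them do not count (assumed counting convention).
    extended - True once a complex-request extension has been notified
               to the requester, adding a further two calendar months.
    """
    paused_days = 0
    for request_sent, reply_received in pauses:
        if reply_received < request_sent:
            raise ValueError("pause ends before it starts")
        paused_days += (reply_received - request_sent).days
    deadline = add_calendar_months(received, 1) + timedelta(days=paused_days)
    if extended:
        deadline = add_calendar_months(deadline, 2)
    return deadline


def extension_notice_in_time(received: date, notice_sent: date) -> bool:
    """The extension is only valid if the requester was told within the
    first month, so check the notice date against the unextended deadline."""
    return notice_sent <= add_calendar_months(received, 1)


if __name__ == "__main__":
    # Constructed dates matching the guide's worked example.
    print(sar_deadline(date(2026, 3, 15)))                       # 2026-04-15
    print(sar_deadline(date(2026, 3, 15), extended=True))        # 2026-06-15
    print(sar_deadline(date(2026, 3, 15),
                       pauses=[(date(2026, 3, 16), date(2026, 3, 26))]))
```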

Step-by-step: responding to an employee SAR

Step 1: Log the request immediately

Record the date received, who received it, the requester's name, and the channel it arrived through. This is the start of your audit trail.

Do not wait for the "right person" to see it. The clock starts when anyone in the organisation receives the request.

Step 2: Verify the requester's identity

You need to be reasonably satisfied the requester is who they claim to be. For current employees, your existing records (employee ID, payroll number) may be sufficient. For ex-employees or solicitor-submitted requests, ask for:

  • Photo ID (passport, driving licence)
  • A signed authority letter if made via a solicitor

Under the DUAA 2025 stop-the-clock provision, the response period pauses until you receive verification. Document what you asked for and when.

Step 3: Define the search scope

Work out where personal data about this person might be held. For a typical employee, check:

  • HR information system / personnel files
  • Email (their account and emails about them in others' accounts)
  • Payroll and pension records
  • Occupational health records
  • Line manager notes, performance reviews, disciplinary files
  • CCTV footage (if the requester appears in it)
  • Instant messaging platforms (Teams, Slack)
  • Paper files

The DUAA 2025 (section 78) introduces a "reasonable and proportionate search" standard. You do not need to search every backup tape or archived system — but you must document what you searched and why your scope was reasonable.

Log every system you search, the date you searched it, and who performed the search. This audit trail is what the ICO asks for when a complaint is filed.

Step 4: Gather the data

Collect all personal data within scope. Personal data means any information relating to the identifiable individual — not just their name, but opinions about them, decisions affecting them, and any data linked to them.

Common items employers miss:

  • Emails about the employee in other people's mailboxes
  • Notes in line managers' personal folders
  • WhatsApp or Teams messages mentioning the employee
  • Interview notes (for job applicants)
  • References given about the employee to third parties

Step 5: Check exemptions

Not everything you find must be disclosed. The Data Protection Act 2018 (Schedule 2, Part 4) contains several exemptions employers commonly rely on — see SAR Exemptions Explained for a detailed guide with examples:

  • Legal professional privilege (paragraph 19): Documents protected by legal advice privilege or litigation privilege — for example, advice from your solicitor about the employee's tribunal claim
  • Management forecasts (paragraph 22): Data used for management planning where disclosure would prejudice the business — for example, restructuring plans that haven't been announced
  • Negotiations (paragraph 23): Records of your intentions in negotiations with the individual — for example, your settlement offer strategy
  • Confidential references (paragraph 24): References you gave in confidence about the employee — though note that references you received about the employee are not automatically exempt

Each exemption must be assessed on a document-by-document basis. You cannot apply a blanket exemption to an entire category. Document your reasoning for every exemption applied — the ICO expects a written justification for each decision.

Use the SAR exemption checker for a guided walkthrough of which exemptions may apply to your situation.

Step 6: Redact third-party data

Your response must not disclose personal data about other identifiable individuals unless they have consented or it is reasonable to disclose without consent.

In practice, this means:

  • Redact names, email addresses, and identifying details of colleagues mentioned in emails
  • Redact witness statements where the witness could be identified
  • Use consistent redaction methods — "[REDACTED]" markers in text, black bars in PDFs
  • Log each redaction decision with your reasoning

Do not over-redact. The ICO's guidance states you should consider whether the third party would reasonably object to disclosure. Redacting the name of a colleague who simply sent the employee a meeting invite is disproportionate. Redacting a whistleblower's identity is justified.

Step 7: Compile and send the response

Your response should include:

  1. Confirmation that you are processing the individual's personal data
  2. A copy of the personal data in a commonly used electronic format (PDF, CSV, or similar)
  3. Supplementary information: the purposes of processing, categories of data, recipients or categories of recipients, retention periods, and the individual's rights
  4. Exemption explanations: where you have withheld data, explain which exemption applies (you do not need to detail the specific content withheld)

Send the response securely — encrypted email, secure file transfer, or recorded delivery for paper copies. Never send unencrypted personal data by standard email.

Use the SAR response letter generator to create a compliant response cover letter. For a comparison of DSAR handling tools for SMEs, see DSAR Software for Small Businesses.

Common employer mistakes

Treating a SAR as hostile. SARs are a legal right, not an attack. The ICO's employer guidance is clear: you must respond regardless of the requester's motive, whether it is a routine request or part of tribunal preparation.

Ignoring verbal requests. A SAR does not need to be in writing. If an employee says "I want to see my file" in a meeting, that is a SAR.

Searching only the HR system. Personal data about an employee exists across email, messaging, line managers' notes, CCTV, payroll, and more. An incomplete search is a common basis for ICO complaints.

Applying blanket exemptions. "We've redacted everything from the tribunal file" is not a valid approach. Each document must be assessed individually.

Missing the deadline without communicating. If you need more time, tell the requester within the first month. Silent delays generate complaints.

Frequently asked questions

Can an employer refuse a subject access request? Only if the request is manifestly unfounded or excessive — for example, repeated identical requests intended to cause disruption. The threshold is high. The Data (Use and Access) Act 2025 refines the refusal standard to "vexatious or excessive" and provides examples including requests not made in good faith or that are an abuse of process. If you refuse, you must explain why and inform the requester of their right to complain to the ICO.

Does a SAR cover emails about the employee? Yes. Emails in other people's mailboxes that contain personal data about the requester are in scope. This includes emails discussing the employee's performance, conduct, or any other matter relating to them.

What if the SAR arrives during a tribunal dispute? You must still respond within the deadline. The ICO's employer guidance explicitly states that SARs must be honoured regardless of concurrent legal proceedings. A non-disclosure agreement does not override the right of access.

Can you charge a fee for responding? In most cases, no. SARs are free under UK GDPR. You can charge a reasonable fee only if the request is manifestly unfounded or excessive, or for additional copies beyond the first.

Can a SAR be made verbally? Yes. A subject access request does not need to be in writing. If an employee says "I want to see my file" in a meeting or by phone, that is a valid SAR and the one-month clock starts immediately. The ICO confirms that requests can arrive by email, letter, social media, or verbally. Train anyone who handles employee interactions to recognise verbal SARs.

What is the DUAA 2025 stop-the-clock rule? The Data (Use and Access) Act 2025 (section 76), in force since 5 February 2026, allows the response clock to pause while you wait for identity verification or clarification from the requester. This replaces the previous position where the clock ran continuously from receipt.

Pre-response checklist

Before dispatching your SAR response, verify:

  • All systems identified in the search scope have been searched and documented
  • Every exemption applied has a written justification
  • Third-party data has been consistently redacted with reasoning logged
  • The response includes supplementary information (purposes, categories, retention, rights)
  • The response is sent securely (encrypted email or secure transfer)
  • You have retained a copy of the response and full audit trail
  • The response was dispatched within the deadline (or an extension notice was sent within the first month)
