Subject Access Request Redaction: What UK Employers Can and Can't Remove
Published 5 May 2026 · Last reviewed 15 March 2026
Redaction is where most SAR responses go wrong. Remove too much and the ICO finds you non-compliant. Remove too little and you breach someone else's data rights. Getting the balance right requires understanding exactly what you can redact, what you must keep, and how to document the decisions.
This guide covers the redaction rules for UK employers responding to SARs, with practical examples for the situations you are most likely to encounter.
This guide covers SAR redaction for UK employers under UK GDPR and the Data Protection Act 2018. It is not legal advice. For SARs involving complex redaction decisions, seek specialist legal counsel.
Two types of removal
SAR responses involve two distinct types of data removal, governed by different rules:
1. Third-party redaction — removing another person's identifiable data from documents you are disclosing. Governed by UK GDPR Article 15(4), the "rights of others" provision in DPA 2018 Schedule 2, paragraph 16, and the ICO's guidance on information about other individuals.
2. Exemption-based withholding — removing entire documents or data items under DPA 2018 Schedule 2, Part 4 exemptions (legal privilege, management forecasts, negotiations, references). Covered in detail in SAR Exemptions Explained.
This guide focuses primarily on third-party redaction — the more complex and commonly mishandled area.
When to redact third-party data
You must not disclose personal data about other identifiable individuals unless:
- The third party has consented to disclosure, OR
- It is reasonable to disclose without consent
The test is reasonableness, not automatic redaction. You do not automatically redact every mention of another person. You assess whether disclosure is reasonable in the circumstances.
Factors to consider:
- The third party's expectations. A manager who wrote a performance review knows the employee may see it. A whistleblower reporting misconduct expects confidentiality.
- The nature of the information. A colleague's name on a meeting attendee list is less sensitive than a colleague's health information mentioned in an email.
- Duty of confidentiality. If you owe a duty of confidentiality to the third party (e.g., a whistleblower, a complainant in a harassment investigation), that weighs heavily against disclosure.
- The effort to seek consent. If the third party is easily contactable, consider asking for consent before defaulting to redaction.
What to redact (and what to keep)
Emails between managers about the employee
Scenario: The requester's line manager emailed HR discussing performance concerns. The email names two other team members as comparators.
Redact: The other team members' names and any details that would identify them (job titles in a small team, specific performance details about them).
Keep: The manager's name (the manager wrote the email in their professional capacity — the requester has a reasonable expectation to know who discussed them). The substance of the discussion about the requester.
Grievance investigation notes
Scenario: The requester raised a grievance. Witnesses were interviewed. The investigation notes name witnesses and summarise their evidence.
Redact: Witness names and identifying details if disclosure would identify them and you owe them a duty of confidentiality. Consider: were witnesses promised anonymity? Would disclosure put them at risk?
Keep: The substance of the evidence if it can be anonymised. "A colleague in the same department reported observing [behaviour]" may be disclosable even if the witness's name is not.
Disciplinary hearing records
Scenario: The requester was disciplined for bullying. The complainant's statement names them and other affected employees.
Redact: The complainant's name (if promised confidentiality) and the names of affected employees. Be careful — in a small team, redacting a name but leaving the job title may still identify the person.
Keep: The factual substance of the complaint as it relates to the requester's conduct.
Emails where the requester is CC'd or mentioned
Scenario: A team email chain mentions the requester alongside colleagues. Colleagues discuss project assignments.
Redact: Other colleagues' personal information that is not relevant to the requester's data (e.g., a side conversation about another colleague's absence).
Keep: Content relating to the requester — project assignments involving them, performance discussions about them, decisions affecting them.
How to redact properly
Use PDF redaction tools, not manual deletion. Highlighting text in black in Word, or drawing black boxes over text in a PDF viewer, does not remove the data: the text is still in the file underneath the box and can be recovered by selecting and copying it, by extracting the text layer, or by deleting the annotation. Use a proper PDF redaction tool that permanently removes the underlying text, then verify the output by searching it for the terms you redacted.
Redact consistently. If you redact a third party's name in one document, redact it everywhere. Inconsistent redaction lets the requester piece together identities from the unredacted mentions.
Check for indirect identification. Removing a name but leaving "the Finance Director" in a two-person finance team does not protect the third party's identity. Redact titles and contextual details when the team is small enough for identification.
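The three points above (a real removal rather than a visual one, consistency across every document, and a final search for the identifiers you removed) can be checked mechanically before anything is sent. The script below is an added example, not code from this guide or from dsartracker, and it uses only the Python standard library. It builds a constructed .docx in memory (the names Priya Nair and Tom Okafor are fictional) in which a colleague's name has been "redacted" with black highlighting and a sentence has been deleted with Track Changes on, then scans every XML part of the package for tracked deletions, comments, black-highlighted or black-shaded runs, and any term from the redaction list. The same scan on a genuinely cleaned copy returns nothing. It assumes the working copy is a .docx; for a PDF you would run the equivalent search over the extracted text layer.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W}


def w(tag: str) -> str:
    """Clark-notation name for a WordprocessingML element or attribute."""
    return f"{{{W}}}{tag}"


# Constructed sample (fictional names). Two things the editor believed were
# redacted: a colleague's name covered with black highlighting, and a
# sentence deleted with Track Changes switched on.
LEAKY_DOCUMENT_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="{W}"><w:body>
<w:p><w:r><w:t xml:space="preserve">Performance concerns re the requester. </w:t></w:r>
<w:r><w:rPr><w:highlight w:val="black"/></w:rPr><w:t>Priya Nair</w:t></w:r>
<w:r><w:t xml:space="preserve"> closed twice as many tickets last quarter.</w:t></w:r></w:p>
<w:p><w:del w:id="1" w:author="HR" w:date="2026-03-01T09:00:00Z"><w:r>
<w:delText>Also note Tom Okafor is on long-term sick leave.</w:delText></w:r></w:del></w:p>
</w:body></w:document>"""

# The same document after the colleague's data was actually removed.
CLEAN_DOCUMENT_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="{W}"><w:body>
<w:p><w:r><w:t xml:space="preserve">Performance concerns re the requester. </w:t></w:r>
<w:r><w:t>[colleague] closed twice as many tickets last quarter.</w:t></w:r></w:p>
</w:body></w:document>"""


def make_docx(document_xml: str) -> bytes:
    """Wrap a document.xml part in a minimal .docx (a zip archive) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def scan_docx(data: bytes, redacted_terms):
    """Return (part, problem, text) findings for a file about to be disclosed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        # Check every XML part under word/: body, headers, footers, comments,
        # footnotes. Leaks hide in the parts nobody reads on screen.
        for name in sorted(n for n in z.namelist()
                           if n.startswith("word/") and n.endswith(".xml")):
            root = ET.fromstring(z.read(name))
            # Track Changes: deleted text is still stored as w:delText.
            for node in root.iter(w("delText")):
                findings.append((name, "tracked-deletion", node.text or ""))
            # Comments live in a separate part but ship with the file.
            for node in root.iter(w("comment")):
                findings.append((name, "comment", "".join(node.itertext())))
            # Black highlight or black shading only hides text on screen.
            for run in root.iter(w("r")):
                hl = run.find("w:rPr/w:highlight", NS)
                shd = run.find("w:rPr/w:shd", NS)
                if (hl is not None and hl.get(w("val")) == "black") or \
                   (shd is not None and shd.get(w("fill")) == "000000"):
                    text = "".join(t.text or "" for t in run.iter(w("t")))
                    findings.append((name, "black-highlight", text))
            # Consistency check: no redacted identifier anywhere in the part,
            # including inside deletions, comments, headers and footers.
            everything = "".join(root.itertext()).lower()
            for term in redacted_terms:
                if term.lower() in everything:
                    findings.append((name, "term-present", term))
    return findings


if __name__ == "__main__":
    redaction_list = ["Priya Nair", "Tom Okafor"]
    for label, xml in (("leaky", LEAKY_DOCUMENT_XML), ("clean", CLEAN_DOCUMENT_XML)):
        for part, problem, text in scan_docx(make_docx(xml), redaction_list):
            print(f"{label}: {part}: {problem}: {text!r}")
```

Run the scan over every file in the disclosure bundle with one shared redaction list, so a name removed from the grievance notes is also caught if it survives in an email attachment. An empty result is a necessary check, not proof of compliance: the scan cannot tell you whether "the Finance Director" identifies someone in a two-person team, which is still a judgement to record in the redaction log.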
Create a redaction log. For each redaction, record:
- The document and page number
- What was redacted (e.g., "third-party employee name")
- The legal basis (UK GDPR Article 15(4) and DPA 2018 Schedule 2, paragraph 16 for third-party data, or the specific DPA 2018 exemption)
- The reasoning (e.g., "colleague's name redacted — not reasonable to disclose without consent, small team would enable identification")
This log is your evidence if the ICO investigates. Without it, you are relying on after-the-fact explanations.
Common mistakes
Redacting the requester's own data. The requester is entitled to everything about them. Do not confuse third-party redaction with withholding the requester's information.
Over-redacting to avoid difficult decisions. Blanket redaction of all third-party mentions is not compliant. The ICO expects you to assess each instance individually.
Under-redacting in a rush. Disclosing another employee's sensitive information (health data, pay details, disciplinary history) because you did not review documents carefully enough is a breach of that person's data rights.
Using Word track changes instead of proper redaction. The deleted text is still stored in the file, and the requester can read it by showing markup or by opening the document's XML. Always convert to PDF and use proper redaction tools, and check the final file for surviving comments, tracked changes and document properties before sending it.
For the full SAR response process, see How to Respond to a Subject Access Request from an Employee. For exemption-based withholding, see SAR Exemptions Explained. Use the SAR exemption checker for a guided walkthrough.