Subject Access Request Response Letter: How to Write It Step by Step
Published 14 April 2026 · Last reviewed 15 March 2026
The SAR response letter is the document that accompanies the data you disclose. Get it wrong — missing a required element, failing to explain an exemption, or omitting your search scope — and you hand the requester grounds for an ICO complaint.
This guide walks through how to construct a response letter step by step, with the structure and required elements for different scenarios.
This guide covers SAR response letters for UK employers under UK GDPR and the Data Protection Act 2018. It is not legal advice.
Required elements (every response letter)
Under UK GDPR Article 15, your response letter must cover these elements. Missing any of them is a compliance gap:
1. Confirmation of processing. State that you do process the requester's personal data (or, if you hold nothing, confirm that you do not).
2. The data itself. Enclosed or attached — the copies of personal data you are providing.
3. Search scope. What systems you searched, what date ranges you covered, and what search terms you used. The DUAA 2025, section 78, requires a "reasonable and proportionate search" — your letter should demonstrate that you met this standard.
4. Processing purposes. Why you hold each category of data (employment administration, payroll, legal compliance, etc.).
5. Recipients. Who the data has been shared with (payroll provider, pension administrator, HMRC, occupational health provider).
6. Retention periods. How long you retain each data category.
7. Requester's rights. Their right to rectification, erasure, restriction of processing, and the right to complain to the ICO.
8. Exemptions applied (if any). Which specific data was withheld, under which DPA 2018 Schedule 2, Part 4 exemption, and why. See SAR Exemptions Explained for guidance on each exemption.
9. Third-party redaction (if any). Whether other individuals' data was redacted and the basis for redaction.
Step-by-step construction
Step 1: Opening paragraph
State who you are, reference the SAR by date, and confirm that this is your response:
Dear [Requester],
Thank you for your subject access request dated [date], received by [organisation name] on [receipt date]. This letter is our response under UK GDPR Article 15 and the Data Protection Act 2018.
Use the actual receipt date — this is legally significant. If identity verification caused a delay, note: "Following identity verification completed on [date], our response period ran from [verification date]."
Step 2: Summary of what you are providing
Before the requester opens 200 pages of documents, give them a roadmap:
We have searched the following systems: [list — e.g., HR information system, email (all accounts with correspondence referencing your name), payroll system, performance management records, disciplinary files]. Our search covered the period [start date] to [end date].
Enclosed is a copy of all personal data identified, organised into the following categories: [list categories].
Step 3: Processing purposes and recipients
This can be a table — clearer than prose for multiple categories:
| Data Category | Processing Purpose | Recipients |
|---|---|---|
| HR/personnel records | Employment administration | N/A (internal only) |
| Payroll data | Salary payments, tax compliance | HMRC, [pension provider] |
| Performance reviews | Performance management | N/A (internal only) |
| Occupational health | Fitness-to-work assessment | [OH provider name] |
Step 4: Retention statement
We retain employment records for [X years] after the end of employment, in line with our data retention policy and applicable limitation periods.
Match this to your actual retention policy. If you do not have a documented policy, this is a gap to fix — the ICO expects documented retention periods.
Step 5: Exemptions and redactions
If you withheld anything, explain what and why:
The following data has been withheld under the exemptions set out in DPA 2018, Schedule 2, Part 4:
- [Description of data category] — withheld under paragraph 19 (legal professional privilege). This data consists of legal advice obtained in connection with [general description]. Disclosure would breach legal professional privilege.
- [Description] — redacted under UK GDPR Article 15(4) (third-party data). Names and identifying details of other individuals have been removed where those individuals have not consented to disclosure.
Do not describe the withheld content itself — just the category and the legal basis. Use the SAR exemption checker to verify which exemptions apply before drafting this section.
Step 6: Rights and complaints
You have the right to request rectification of inaccurate data, erasure of data we no longer have grounds to process, and restriction of processing. If you are dissatisfied with this response, you have the right to complain to the Information Commissioner's Office at ico.org.uk.
Step 7: Closing
If you have any questions about this response, please contact [contact details].
Straightforward vs. complex responses
Straightforward response (current employee, small data set, no exemptions): The letter can be concise — confirmation, search scope, enclosed data, rights. Two pages plus attachments.
Complex response (ex-employee during tribunal, multiple exemptions, large data set, third-party redaction): The letter needs detailed exemption schedules, a thorough search scope description, and potentially an index of enclosed documents. Allow time for legal review.
Partial response with extension: If you have notified the requester of a two-month extension under Article 12(3), your initial letter should confirm the extension. The final response letter follows the same structure above. See Subject Access Request Time Limit UK for extension rules.
Common mistakes
Missing the search scope. The ICO's first question in a complaint investigation is "what did you search?" If your response letter does not describe the search, you are starting from a weak position.
Generic exemption claims. "Some data has been withheld under legal privilege" without specifying which data or why. Each withheld item needs individual justification.
Forgetting recipient disclosure. Article 15 requires you to tell the requester who you have shared their data with. Payroll providers, pension administrators, and occupational health providers are all recipients.
Not offering the right to complain. This is a required element. Omitting it does not stop the requester from complaining — it just demonstrates you do not understand the process.
Generate a complete response letter using the SAR response letter generator — select the response letter type, provide your scenario details, and get a structured template covering all required elements.
For the complete SAR response process, see How to Respond to a Subject Access Request from an Employee. For all five template types, see Free Subject Access Request Templates.