Free Subject Access Request Templates for UK Employers
Published 17 March 2026 · Last reviewed 15 March 2026
UK employers responding to a subject access request need up to five different letters — not just one. Each covers a different stage of the SAR process, from acknowledging receipt to explaining why you withheld data under a DPA 2018 exemption.
This guide covers what each template should contain, when to use it, and the mistakes that trigger ICO complaints. Use the SAR response letter generator to create customised versions of each letter for free.
This guide covers SAR response templates for UK employers under UK GDPR and the Data Protection Act 2018, as amended by the DUAA 2025. It is not legal advice.
The five letters you need
Most employer SAR responses involve some combination of these:
- Acknowledgement letter — confirms receipt, logs the start date
- Identity verification request — asks the requester to prove who they are (pauses the clock under DUAA 2025)
- Extension notice — tells the requester you need more time (required within the first month)
- Response cover letter — accompanies the data you disclose
- Exemption explanation — explains why specific data was withheld
A straightforward request from a current employee might only need an acknowledgement and a response. A tribunal-related SAR from an ex-employee's solicitor might need all five.
1. SAR acknowledgement letter
When to send: Within 1-2 working days of receiving the SAR. Not legally required, but the ICO's right of access guidance recommends it — and it starts your audit trail.
What to include:
- Confirmation you are treating the request as a SAR under UK GDPR Article 15
- The date you received the request (this starts the one-month clock)
- Your calculated response deadline
- Whether you need identity verification or clarification of scope
- Contact details for follow-up
Common mistake: Acknowledging the request but not logging the receipt date internally. If the ICO investigates, you need to prove when the clock started. Use the SAR deadline calculator to work out your exact deadline.
2. Identity verification request
When to send: When you cannot confirm the requester's identity from existing records — ex-employees, requests via solicitors, or requests from unfamiliar email addresses.
Under the Data (Use and Access) Act 2025, section 76, requesting identity verification pauses the one-month deadline. The clock does not start until the requester provides proof.
What to include:
- Why you need verification ("we need to confirm your identity before disclosing personal data")
- What identification you will accept (passport, driving licence, utility bill — keep it proportionate)
- A clear statement that the response deadline is paused until verification is received
- A reasonable deadline for providing verification (28 days is typical)
Common mistake: Requesting ID as a delaying tactic. The ICO will scrutinise whether your request was genuine. If a current employee emails from their work address, asking for a passport copy will look like obstruction — you can already verify their identity from payroll records.
For the full deadline rules including stop-the-clock scenarios, see Subject Access Request Time Limit UK.
3. Extension notice
When to send: If the request is genuinely complex and you need more than one calendar month. UK GDPR Article 12(3) allows a two-month extension — but you must notify the requester within the first month and explain why.
What to include:
- That you are extending the response period under Article 12(3)
- The specific reason (data across multiple systems, complex exemption decisions, numerous third parties requiring redaction)
- The new response deadline
- The requester's right to complain to the ICO
What justifies an extension:
- Data held across multiple systems with no central search
- Large volumes involving numerous third parties requiring redaction decisions
- Complex exemption assessments (legal privilege in tribunal cases, for instance)
Routine requests — even large ones — do not automatically qualify. The ICO distinguishes between "large volume of straightforward data" (not complex) and "difficult decisions about what to include" (genuinely complex).
Common mistake: Failing to notify within the first month. A silent extension is itself a breach of Article 12(3), even if you respond within the extended period.
4. SAR response cover letter
When to send: With every SAR response. This is the main document accompanying the data you disclose.
What to include:
- Confirmation this is your response to the SAR dated [receipt date]
- A summary of the data provided (categories, date ranges, systems searched)
- A description of your search: which systems, what search terms, what time periods. Section 78 of the DUAA 2025 introduces a "reasonable and proportionate search" standard, and your cover letter should demonstrate that you met it
- Whether any data was withheld and under which DPA 2018 Schedule 2, Part 4 exemptions
- Whether third-party data was redacted and why
- The requester's right to complain to the ICO
Common mistake: Not documenting the search scope. If the ICO asks "did you search your email system?", you need to answer from your records — not from memory six months later.
For a step-by-step walkthrough of the entire process, see How to Respond to a Subject Access Request from an Employee.
5. Exemption explanation letter
When to send: When you withhold any data under a DPA 2018 exemption — legal professional privilege (paragraph 19), management forecasts (paragraph 22), negotiations (paragraph 23), or confidential references (paragraph 24).
What to include:
- Which data items were withheld (identify the category — you don't need to describe the content)
- Which exemption you relied on, with the DPA 2018 paragraph reference
- A brief explanation of why the exemption applies to this specific data
- The requester's right to challenge the decision through an ICO complaint
Common mistake: Applying exemptions as blanket categories. "All legal correspondence is withheld under legal privilege" will not survive an ICO complaint. Each document must be assessed individually. See SAR Exemptions Explained for the correct approach, or use the SAR exemption checker for a guided walkthrough.
Formatting and delivery
Format: Use your organisation's letterhead. PDF is preferable — it prevents accidental editing and looks professional. Include a SAR reference number so both parties can track correspondence.
Delivery: Use a method that gives you proof of dispatch — tracked email with read receipt, recorded delivery, or secure file sharing. "We sent it" without evidence is not persuasive if the ICO investigates.
Record keeping: Save copies of every letter sent and received. Include the date, delivery method, and who authorised the response. This audit trail is your defence.
Generate all five template types free using the SAR response letter generator — select a letter type, answer scenario-specific questions, and get a customisable template ready to adapt.
Frequently asked questions
Do I have to use a specific template format for SAR responses? No. UK GDPR does not prescribe a format. You can respond by letter, email, or secure portal. The requirements are completeness, accuracy, and proof of delivery.
Should I send templates as Word or PDF? Use PDF for letters you send to the requester, because it prevents editing and maintains formatting. Use Word internally for drafting.
Where can I find free SAR response templates? The SAR response letter generator creates customised templates for all five letter types — acknowledgement, identity verification, extension, response, and exemption. For tools that automate the full SAR workflow, see DSAR Software for Small Businesses.