A written SAR policy solves this. It tells everyone in your organisation who handles SARs, what steps to follow, and when to escalate — before a request arrives.

This guide covers internal SAR policy creation for UK employers. It is not legal advice.

Why you need a written policy

The ICO's right of access guidance recommends organisations have a documented process for handling SARs. While not a strict legal requirement, having a policy:

• Proves accountability. UK GDPR Article 5(2) requires you to demonstrate compliance. A documented policy is evidence you take data rights seriously.
• Prevents missed deadlines. When everyone knows the process, requests do not sit in inboxes unrecognised.
• Ensures consistency. The same exemptions and redaction standards are applied regardless of who handles the request.
• Speeds up response. Staff who have handled a SAR before using a documented process respond faster the next time.

What your SAR policy should cover

1. Scope and purpose

State which requests the policy covers (all SARs under UK GDPR Article 15), who it applies to (all staff), and its purpose (ensuring compliant, consistent, and timely responses).

2. Recognising a SAR

Staff need to know that a SAR does not require magic words. Define what counts:

• Any request for personal data, in any format (email, letter, verbal, via solicitor)
• Does not need to mention "subject access request," "DSAR," or "Article 15"
• The clock starts when any employee receives it — not when HR logs it

Include examples: "Can I see my HR file?" is a SAR. "Send me everything you have on me" is a SAR. A solicitor's letter requesting "all personal data relating to our client" is a SAR.

3. Roles and responsibilities

For SMEs without a DPO, the SAR coordinator is typically the HR manager or the person responsible for data protection compliance.

4. Step-by-step response process

Day 0-1: Receive and log the request. Calculate deadline using the SAR deadline calculator. Send acknowledgement letter. Determine if identity verification or clarification is needed.

Day 1-5: Issue identity verification request if needed (clock pauses under DUAA 2025, section 76). Identify all systems to search. Brief system owners on search scope and deadline.

Day 5-20: System owners search and extract data. SAR coordinator collates results. Identify third-party data requiring redaction. Assess exemptions — use the SAR exemption checker for guidance. Document each exemption decision with DPA 2018 paragraph reference.

Day 20-25: Draft response letter (use the SAR response letter generator for compliant templates). Internal review. If extending, notify the requester before the one-month deadline.

Day 25-30: Final sign-off. Dispatch response with proof of delivery. File the complete audit trail.

See Subject Access Request Time Limit UK for detailed deadline rules.

5. Exemptions procedure

Your policy should list the exemptions your organisation is most likely to use (see SAR Exemptions Explained for the full list) and require:

• Individual assessment of each document (no blanket exemptions)
• Written justification for each application
• Sign-off by the decision-maker
• A schedule of exemptions attached to the response

6. Third-party data and redaction

Define the redaction process: who redacts, what tools they use, how to handle situations where redaction is insufficient to prevent identification. Refer to UK GDPR Article 15(4) and the ICO's guidance on information about other individuals.

7. Record keeping

Specify what gets retained and for how long:

• The SAR request itself
• Acknowledgement and all correspondence
• Search scope documentation
• Exemption decisions with reasoning
• The response sent
• Proof of dispatch

8. Training and awareness

Annual training for all staff on recognising SARs. Specific training for the SAR coordinator and system owners on the response process. Record training dates for accountability.

Adapting this to your organisation

This template works for UK SMEs with 10-250 employees. Scale it up or down:

• Micro businesses (under 10 staff): The SAR coordinator and decision-maker may be the same person. Simplify the roles table but keep the step-by-step process.
• Larger SMEs (100-250 staff): Consider designating department-level search contacts and adding a legal review step for complex exemptions.

Review the policy annually or whenever there is a significant change in data protection law — such as the Data (Use and Access) Act 2025, which introduced the stop-the-clock mechanism and the "reasonable and proportionate search" standard.

For the complete response process, see How to Respond to a Subject Access Request from an Employee.

Sources

• ICO — Right of access (subject access) guidance
• ICO — Subject access request Q&As for employers
• Data (Use and Access) Act 2025 — Section 76 (time limits)
• Data Protection Act 2018 — Schedule 2, Part 4 (exemptions)

This guide walks through how to construct a response letter step by step, with the structure and required elements for different scenarios.

This guide covers SAR response letters for UK employers under UK GDPR and the Data Protection Act 2018. It is not legal advice.

Required elements (every response letter)

Under UK GDPR Article 15, your response letter must cover these elements. Missing any of them is a compliance gap:

1. Confirmation of processing. State that you do process the requester's personal data (or, if you hold nothing, confirm that you do not).

2. The data itself. Enclosed or attached — the copies of personal data you are providing.

3. Search scope. What systems you searched, what date ranges you covered, and what search terms you used. The DUAA 2025, section 78 requires a "reasonable and proportionate search" — your letter should demonstrate you met this standard.

4. Processing purposes. Why you hold each category of data (employment administration, payroll, legal compliance, etc.).

5. Recipients. Who the data has been shared with (payroll provider, pension administrator, HMRC, occupational health provider).

6. Retention periods. How long you retain each data category.

7. Requester's rights. Their right to rectification, erasure, restriction of processing, and the right to complain to the ICO.

8. Exemptions applied (if any). Which specific data was withheld, under which DPA 2018 Schedule 2, Part 4 exemption, and why. See SAR Exemptions Explained for guidance on each exemption.

9. Third-party redaction (if any). Whether other individuals' data was redacted and the basis for redaction.

Step-by-step construction

Step 1: Opening paragraph

State who you are, reference the SAR by date, and confirm that this is your response:

Dear [Requester],

Thank you for your subject access request dated [date], received by [organisation name] on [receipt date]. This letter is our response under UK GDPR Article 15 and the Data Protection Act 2018.

Use the actual receipt date — this is legally significant. If identity verification caused a delay, note: "Following identity verification completed on [date], our response period ran from [verification date]."

Step 2: Summary of what you are providing

Before the requester opens 200 pages of documents, give them a roadmap:

We have searched the following systems: [list — e.g., HR information system, email (all accounts with correspondence referencing your name), payroll system, performance management records, disciplinary files]. Our search covered the period [start date] to [end date].

Enclosed is a copy of all personal data identified, organised into the following categories: [list categories].

Step 3: Processing purposes and recipients

This can be a table — clearer than prose for multiple categories:

Step 4: Retention statement

We retain employment records for [X years] after the end of employment, in line with our data retention policy and applicable limitation periods.

Match this to your actual retention policy. If you do not have a documented policy, this is a gap to fix — the ICO expects documented retention periods.

Step 5: Exemptions and redactions

If you withheld anything, explain what and why:

The following data has been withheld under the exemptions set out in DPA 2018, Schedule 2, Part 4:

• [Description of data category] — withheld under paragraph 19 (legal professional privilege). This data consists of legal advice obtained in connection with [general description]. Disclosure would breach legal professional privilege.
• [Description] — redacted under UK GDPR Article 15(4) (third-party data). Names and identifying details of other individuals have been removed where those individuals have not consented to disclosure.

Do not describe the withheld content itself — just the category and the legal basis. Use the SAR exemption checker to verify which exemptions apply before drafting this section.

Step 6: Rights and complaints

You have the right to request rectification of inaccurate data, erasure of data we no longer have grounds to process, and restriction of processing. If you are dissatisfied with this response, you have the right to complain to the Information Commissioner's Office at ico.org.uk.

Step 7: Closing

If you have any questions about this response, please contact [contact details].

Straightforward vs. complex responses

Straightforward response (current employee, small data set, no exemptions): The letter can be concise — confirmation, search scope, enclosed data, rights. Two pages plus attachments.

Complex response (ex-employee during tribunal, multiple exemptions, large data set, third-party redaction): The letter needs detailed exemption schedules, a thorough search scope description, and potentially an index of enclosed documents. Allow time for legal review.

Partial response with extension: If you have notified the requester of a two-month extension under Article 12(3), your initial letter should confirm the extension. The final response letter follows the same structure above. See Subject Access Request Time Limit UK for extension rules.

Common mistakes

Missing the search scope. The ICO's first question in a complaint investigation is "what did you search?" If your response letter does not describe the search, you are starting from a weak position.

Generic exemption claims. "Some data has been withheld under legal privilege" without specifying which data or why. Each withheld item needs individual justification.

Forgetting recipient disclosure. Article 15 requires you to tell the requester who you have shared their data with. Payroll providers, pension administrators, and occupational health providers are all recipients.

Not offering the right to complain. This is a required element. Omitting it does not stop the requester from complaining — it just demonstrates you do not understand the process.

Generate a complete response letter using the SAR response letter generator — select the response letter type, provide your scenario details, and get a structured template covering all required elements.

For the complete SAR response process, see How to Respond to a Subject Access Request from an Employee. For all five template types, see Free Subject Access Request Templates.

Sources

• UK GDPR — Article 15 (right of access)
• ICO — Right of access (subject access) guidance
• Data (Use and Access) Act 2025 — Section 78 (reasonable and proportionate search)
• Data Protection Act 2018 — Schedule 2, Part 4 (exemptions)
• ICO — Guide to the data protection exemptions

If you have never dealt with one before, this guide covers how to recognise a DSAR, what to do when one arrives, and where employers typically go wrong.

This guide covers DSARs in the UK employment context under UK GDPR and the Data Protection Act 2018. It is not legal advice.

How to recognise a DSAR

A DSAR does not need to use the words "subject access request," "DSAR," or "Article 15." Any request for personal data counts, regardless of format:

• An email saying "I want copies of all data you hold about me"
• A letter from a solicitor requesting "disclosure of our client's personal information"
• A verbal request to a line manager: "Can I see my HR file?"
• A message on Teams or Slack asking for "my records"

The ICO's employer Q&A confirms that the request does not need to be in writing, does not need to mention GDPR, and does not need to go through a specific person or form. If any member of staff receives something that looks like a data request, it is a DSAR — and the clock starts immediately.

Why this matters: The one-month deadline begins when any employee in your organisation receives the request — not when HR formally logs it. A request sitting in a line manager's inbox for two weeks before being forwarded to HR still has a deadline based on the original receipt date.

What to do in the first 24 hours

1. Log the receipt date. This is the most important single step. The deadline is calculated from this date. Use the SAR deadline calculator to work out the exact deadline including weekends and bank holidays.

2. Decide if you need identity verification. Can you confirm who the requester is from existing records? If it is a current employee emailing from their work account, their identity is already established. If it is an ex-employee or a solicitor acting on someone's behalf, you may need to request proof of identity. Under the DUAA 2025, section 76, the clock pauses until identity is verified.

3. Send an acknowledgement. Not legally required, but strongly recommended. Confirm you have received the request, state the deadline, and note whether you need any further information. See Free Subject Access Request Templates for the acknowledgement letter template.

4. Identify the search scope. Which systems hold this person's data? HR records, email, payroll, performance management, disciplinary files, CCTV, IT access logs. The DUAA 2025, section 78 requires a "reasonable and proportionate search" — you must search proportionately to the data you are likely to hold, not just the easiest places to look.

What you must provide

Your response must include:

• A copy of all personal data you hold about the requester
• The purposes of your processing (why you hold each category of data)
• The recipients you have shared their data with
• The retention period (how long you will keep each category)
• Their rights — to rectification, erasure, restriction, and complaint to the ICO

The response is free of charge. You cannot charge a fee unless the request is vexatious or excessive (a high threshold — see Can You Charge for a Subject Access Request? for the rules).

What you can withhold

The DPA 2018 Schedule 2, Part 4 provides exemptions:

• Legal privilege — solicitor advice on the requester's case
• Management forecasts — restructuring plans that would be prejudiced by disclosure
• Negotiations — settlement strategy and walk-away figures
• Confidential references — references you gave in confidence

Each exemption applies to specific documents, not broad categories. Use the SAR exemption checker for a guided walkthrough of which exemptions apply. For detailed guidance, see SAR Exemptions Explained.

Where employers go wrong

Treating DSARs as optional. They are a legal obligation. Ignoring a DSAR exposes you to an ICO complaint, enforcement action, and — if the requester is in a tribunal dispute — adverse inferences about what you might be hiding.

Searching too narrowly. Only checking the personnel file and missing emails, chat messages, and manager correspondence about the employee. The ICO will ask what systems you searched and why.

Missing the deadline. One calendar month sounds generous until you realise the data is spread across six systems and requires redaction of third-party information. Log the receipt date immediately and track the deadline from day one.

Not documenting the process. If the ICO investigates, they want to see your audit trail — when you received the request, what you searched, which exemptions you applied and why, and when you sent the response.

For the complete step-by-step process, see How to Respond to a Subject Access Request from an Employee.

Frequently asked questions

What does DSAR stand for? Data Subject Access Request. It is the same thing as a Subject Access Request (SAR) — the terms are interchangeable. "DSAR" emphasises the data protection angle; "SAR" is the shorter form used by the ICO.

Can a DSAR be made verbally? Yes. There is no required format. A verbal request to a line manager counts as a valid DSAR, and the one-month deadline starts from that moment. This is why training staff to recognise DSARs is important.

Do I have to respond if the DSAR is made during a tribunal claim? Yes. The requester's motivation does not affect your obligation to respond. SARs during tribunal proceedings are common — and courts may draw adverse inferences if you fail to respond properly.

What is the deadline for a DSAR? One calendar month from the date of receipt. Extensions of up to two months are available for genuinely complex requests, but you must notify the requester within the first month. See Subject Access Request Time Limit UK for the full rules.

Sources

• UK GDPR — Article 15 (right of access)
• ICO — Subject access request Q&As for employers
• ICO — Right of access (subject access) guidance
• Data (Use and Access) Act 2025 — Section 76 (time limits)
• Data (Use and Access) Act 2025 — Section 78 (reasonable and proportionate search)
• Data Protection Act 2018 — Schedule 2, Part 4 (exemptions)

This guide covers the specific data categories employers typically hold, what goes into the response, and what you can legitimately withhold. Use the SAR response letter generator to create a compliant response letter.

This guide covers employer SAR responses under UK GDPR and the Data Protection Act 2018. It is not legal advice. For SARs linked to tribunal claims, seek specialist legal counsel.

Data categories employers must search

Employee SARs are broader than most employers expect. Under UK GDPR Article 15, you must provide all personal data you hold about the requester — not just what you think is relevant. The DUAA 2025, section 78 introduces a "reasonable and proportionate search" standard, but that sets the floor for how thoroughly you must look — it does not limit which data categories you must search.

Typical categories for employee SARs:

• HR/personnel records: Application forms, interview notes, offer letters, contracts, amendments, probation reviews, appraisal records, sickness absence records, return-to-work notes
• Payroll and benefits: Salary records, tax documents, pension data, benefit elections, expense claims
• Performance management: Performance reviews, objective-setting records, capability meeting notes, personal development plans
• Disciplinary and grievance: Investigation files, hearing notes, outcome letters, appeal records, warnings
• Emails and messages: Any email, Teams/Slack message, or internal communication where the employee is named or identifiable — including emails about them between managers
• IT and access records: Login records, access card data, device monitoring logs (if you have a monitoring policy)
• CCTV: Footage where the employee is identifiable (if applicable — check your retention policy)
• Occupational health: OH referrals, reports, and fitness-to-work assessments (note: some medical data may have separate exemptions under the ICO's right of access guidance)

What catches employers out: Emails between managers discussing the employee. These are personal data about the employee even though the employee is not a sender or recipient. You must search email inboxes beyond the employee's own account.

What your response must include

Under Article 15, the response must provide:

1. Confirmation that you process the employee's personal data
2. A copy of the personal data (in an accessible format)
3. Supplementary information: the purposes of processing, categories of data, recipients the data has been shared with, the retention period, and the employee's rights (rectification, erasure, complaint to the ICO)

Practical response structure:

• Cover letter summarising what is enclosed (use Free Subject Access Request Templates for the correct template)
• Index listing each document or data category provided
• The data itself, organised by category
• A schedule of any data withheld, with the exemption relied on
• A note on the search conducted (systems, date ranges, search terms)

What you can withhold

Not everything goes into the response. The DPA 2018 Schedule 2, Part 4 exemptions most commonly used in employee SARs:

• Legal professional privilege (paragraph 19): Solicitor advice on the employee's case
• Management forecasts (paragraph 22): Restructuring plans naming at-risk employees
• Negotiations (paragraph 23): Settlement strategy ("we'll offer up to £15K")
• Confidential references (paragraph 24): References you gave in confidence

Each exemption applies to specific documents, not categories. See SAR Exemptions Explained for detailed guidance, or use the SAR exemption checker for a guided walkthrough.

Third-party redaction: Emails mentioning other employees by name must be redacted to remove their identifiable details — unless they have consented or disclosure is reasonable in the circumstances.

Common mistakes in employee SAR responses

Searching too narrowly. Only searching the personnel file and missing emails, Teams messages, and manager correspondence. The ICO will ask what systems you searched.

Applying blanket exemptions. Withholding "all legal files" under privilege when only specific solicitor advice letters are privileged. Each document must be assessed individually.

Missing the deadline. Employee SARs often arrive during disputes when workloads are highest. Use the SAR deadline calculator to track the one-month deadline — and the stop-the-clock provisions if you need identity verification.

Over-disclosing third-party data. Sending unredacted emails that reveal other employees' personal information. Redact names and identifiable details of third parties.

For the full SAR response process, see How to Respond to a Subject Access Request from an Employee.

Frequently asked questions

Does an employee SAR cover emails about them? Yes. Any email where the employee is named or identifiable is their personal data — even if they were not a sender or recipient. You must search relevant managers' inboxes.

Can a former employee make a SAR? Yes. The right of access applies regardless of whether the person is a current or former employee. You must search all data you still hold, subject to your retention policy.

Does the employee have to explain why they want their data? No. Under UK GDPR, the requester does not need to give a reason. Even if the SAR is clearly motivated by a tribunal dispute, you must respond if the request is legitimate.

Sources

• UK GDPR — Article 15 (right of access)
• ICO — Subject access request Q&As for employers
• ICO — Right of access (subject access) guidance
• Data Protection Act 2018 — Schedule 2, Part 4 (exemptions)
• Data (Use and Access) Act 2025 — Section 78 (reasonable and proportionate search)

There are two narrow exceptions — but the threshold is high, and most employer SARs will not qualify.

This guide covers SAR charging rules for UK employers under UK GDPR, as amended by the Data (Use and Access) Act 2025. It is not legal advice.

The default rule: free

Every SAR response must be provided free of charge. This applies regardless of:

• How much data is involved (even if it takes days to collate)
• How many systems you need to search
• How much it costs your organisation in staff time
• Whether the request comes during a tribunal dispute

Cost and inconvenience are not grounds for charging. The ICO is clear on this: the administrative burden of complying with a SAR is a normal cost of holding personal data.

Exception 1: vexatious or excessive requests

UK GDPR Article 12(5) allows you to charge a "reasonable fee" if a request is manifestly unfounded or manifestly excessive. The Data (Use and Access) Act 2025 updates this threshold to "vexatious or excessive" and provides clearer examples of what qualifies.

What counts as vexatious or excessive:

• Requests intended to cause distress or disruption rather than genuinely exercise data rights
• Requests that are not made in good faith (e.g., an ex-employee filing weekly SARs purely to burden the HR team)
• Requests that are an abuse of process
• Repetitive requests for the same data where nothing has changed

What does NOT count:

• A large request covering years of data — size alone is not excessive
• A request during tribunal proceedings — the requester's motivation does not make it vexatious if they are genuinely exercising their data rights
• A request that is inconvenient or expensive to fulfil — cost to you is not a ground for charging
• A first request from someone, regardless of timing or context

The burden of proof is on you. If you charge a fee and the requester complains to the ICO, you must demonstrate that the request was genuinely vexatious or excessive. "It was a lot of work" will not satisfy the ICO.

If you charge: The fee must be "reasonable" and reflect your actual administrative costs (staff time, materials, postage). You cannot set a flat fee or charge for profit. You must notify the requester of the fee before proceeding, and you cannot begin the work until payment is received.

Exception 2: additional copies

UK GDPR Article 15(3) allows a reasonable fee for further copies of data you have already provided. This applies when someone asks for the same data again — not when they make a new request covering a different time period or additional data categories.

Example: You responded to a SAR in January covering all HR data from 2024. In February, the same person asks for the same 2024 HR data again. You can charge a reasonable fee for the second copy. But if they ask for 2025 HR data — that is a new request, not a further copy.

How to calculate a reasonable fee

If one of the exceptions applies, the fee must be based on your actual administrative costs:

• Staff time: Hours spent searching, compiling, and redacting, at the relevant salary rate
• Materials: Printing, storage media, postage
• Delivery: Tracked postage or secure electronic delivery

You cannot charge for: the time spent deciding whether to apply exemptions (that is your legal obligation), legal advice costs, management oversight, or any element of profit.

Practical reality: Most SMEs handling 1-5 SARs per year will never be in a position to charge. The exceptions are designed for extreme cases — persistent vexatious requesters or identical repeat requests — not for routine SARs that happen to be expensive to fulfil.

What the DUAA 2025 changes

The Data (Use and Access) Act 2025 makes two changes relevant to SAR charging:

1. Updated threshold language: "Manifestly unfounded or manifestly excessive" becomes "vexatious or excessive" — with statutory examples of what these terms mean. This does not lower the bar for charging. The ICO's interpretation remains that most requests are legitimate.

2. Stop-the-clock mechanism (section 76): While not directly about fees, the stop-the-clock provision gives employers breathing room that previously might have tempted them to charge as a delaying tactic. If you need identity verification or clarification, the clock pauses — reducing the pressure to refuse or charge. See Subject Access Request Time Limit UK for the full deadline rules.

What to do instead of charging

If a SAR feels overwhelming, there are legitimate steps that do not involve charging:

• Request clarification. Under the DUAA 2025, if the request is too broad ("send me everything"), you can ask the requester to narrow the scope. The clock pauses until they respond.
• Use the two-month extension. If the request is genuinely complex (multiple systems, extensive redaction), notify the requester within the first month and extend by two months.
• Track deadlines properly. Use the SAR deadline calculator to manage your timeline — missed deadlines are a bigger risk than the cost of responding.
• Use templates. The SAR response letter generator creates acknowledgement, extension, and response letters — reducing the time and cost of responding. See Free Subject Access Request Templates for UK Employers for a guide to each template type.

For the complete SAR response process, see How to Respond to a Subject Access Request from an Employee.

Frequently asked questions

Can an employer charge £10 for a SAR? No. The £10 fee was abolished in May 2018 when UK GDPR replaced the Data Protection Act 1998. SARs are now free unless one of the two narrow exceptions applies.

Can I charge if the SAR involves thousands of documents? No. Volume alone does not meet the threshold for "vexatious or excessive." If the request is genuinely complex, use the two-month extension instead.

What if the requester asks for the same data twice? You can charge a reasonable fee for further copies of data already provided. But a request covering a new time period or different data categories is a new request, not a further copy.

Can I refuse instead of charging? Yes. Under Article 12(5), if a request is vexatious or excessive, you can either charge a reasonable fee OR refuse to act. Either way, you must explain your reasoning and inform the requester of their right to complain to the ICO — within the one-month deadline.

Sources

• UK GDPR — Article 12 (transparent communication, fees)
• UK GDPR — Article 15 (right of access, further copies)
• ICO — Right of access (subject access) guidance
• Data (Use and Access) Act 2025 — Section 76 (time limits)
• Data (Use and Access) Act 2025 — Full text

This guide covers what each template should contain, when to use it, and the mistakes that trigger ICO complaints. Use the SAR response letter generator to create customised versions of each letter for free.

This guide covers SAR response templates for UK employers under UK GDPR and the Data Protection Act 2018, as amended by the DUAA 2025. It is not legal advice.

The five letters you need

Most employer SAR responses involve some combination of these:

1. Acknowledgement letter — confirms receipt, logs the start date
2. Identity verification request — asks the requester to prove who they are (pauses the clock under DUAA 2025)
3. Extension notice — tells the requester you need more time (required within the first month)
4. Response cover letter — accompanies the data you disclose
5. Exemption explanation — explains why specific data was withheld

A straightforward request from a current employee might only need an acknowledgement and a response. A tribunal-related SAR from an ex-employee's solicitor might need all five.

1. SAR acknowledgement letter

When to send: Within 1-2 working days of receiving the SAR. Not legally required, but the ICO's right of access guidance recommends it — and it starts your audit trail.

What to include:

• Confirmation you are treating the request as a SAR under UK GDPR Article 15
• The date you received the request (this starts the one-month clock)
• Your calculated response deadline
• Whether you need identity verification or clarification of scope
• Contact details for follow-up

Common mistake: Acknowledging the request but not logging the receipt date internally. If the ICO investigates, you need to prove when the clock started. Use the SAR deadline calculator to work out your exact deadline.

2. Identity verification request

When to send: When you cannot confirm the requester's identity from existing records — ex-employees, requests via solicitors, or requests from unfamiliar email addresses.

Under the Data (Use and Access) Act 2025, section 76, requesting identity verification pauses the one-month deadline. The clock does not start until the requester provides proof.

What to include:

• Why you need verification ("we need to confirm your identity before disclosing personal data")
• What identification you will accept (passport, driving licence, utility bill — keep it proportionate)
• A clear statement that the response deadline is paused until verification is received
• A reasonable deadline for providing verification (28 days is typical)

Common mistake: Requesting ID as a delaying tactic. The ICO will scrutinise whether your request was genuine. If a current employee emails from their work address, asking for a passport copy will look like obstruction — you can already verify their identity from payroll records.

For the full deadline rules including stop-the-clock scenarios, see Subject Access Request Time Limit UK.

3. Extension notice

When to send: If the request is genuinely complex and you need more than one calendar month. UK GDPR Article 12(3) allows a two-month extension — but you must notify the requester within the first month and explain why.

What to include:

• That you are extending the response period under Article 12(3)
• The specific reason (data across multiple systems, complex exemption decisions, numerous third parties requiring redaction)
• The new response deadline
• The requester's right to complain to the ICO

What justifies an extension:

• Data held across multiple systems with no central search
• Large volumes involving numerous third parties requiring redaction decisions
• Complex exemption assessments (legal privilege in tribunal cases, for instance)

Routine requests — even large ones — do not automatically qualify. The ICO distinguishes between "large volume of straightforward data" (not complex) and "difficult decisions about what to include" (genuinely complex).

Common mistake: Failing to notify within the first month. A silent extension is itself a breach of Article 12(3), even if you respond within the extended period.

4. SAR response cover letter

When to send: With every SAR response. This is the main document accompanying the data you disclose.

What to include:

• Confirmation this is your response to the SAR dated [receipt date]
• A summary of the data provided (categories, date ranges, systems searched)
• A description of your search — which systems, what search terms, what time periods. The DUAA 2025, section 78 introduces a "reasonable and proportionate search" standard — your cover letter should demonstrate you met it
• Whether any data was withheld and under which DPA 2018 Schedule 2, Part 4 exemptions
• Whether third-party data was redacted and why
• The requester's right to complain to the ICO

Common mistake: Not documenting the search scope. If the ICO asks "did you search your email system?", you need to answer from your records — not from memory six months later.

For a step-by-step walkthrough of the entire process, see How to Respond to a Subject Access Request from an Employee.

5. Exemption explanation letter

When to send: When you withhold any data under a DPA 2018 exemption — legal professional privilege (paragraph 19), management forecasts (paragraph 22), negotiations (paragraph 23), or confidential references (paragraph 24).

What to include:

• Which data items were withheld (identify the category — you don't need to describe the content)
• Which exemption you relied on, with the DPA 2018 paragraph reference
• A brief explanation of why the exemption applies to this specific data
• The requester's right to challenge the decision through an ICO complaint

Common mistake: Applying exemptions as blanket categories. "All legal correspondence is withheld under legal privilege" will not survive an ICO complaint. Each document must be assessed individually. See SAR Exemptions Explained for the correct approach, or use the SAR exemption checker for a guided walkthrough.

Formatting and delivery

Format: Use your organisation's letterhead. PDF is preferable — it prevents accidental editing and looks professional. Include a SAR reference number so both parties can track correspondence.

Delivery: Use a method that gives you proof of dispatch — tracked email with read receipt, recorded delivery, or secure file sharing. "We sent it" without evidence is not persuasive if the ICO investigates.

Record keeping: Save copies of every letter sent and received. Include the date, delivery method, and who authorised the response. This audit trail is your defence.

Generate all five template types free using the SAR response letter generator — select a letter type, answer scenario-specific questions, and get a customisable template ready to adapt.

Frequently asked questions

Do I have to use a specific template format for SAR responses? No. UK GDPR does not prescribe a format. You can respond by letter, email, or secure portal. The requirements are completeness, accuracy, and proof of delivery.

Should I send templates as Word or PDF? PDF for letters you send to the requester — it prevents editing and maintains formatting. Word internally for drafting.

Where can I find free SAR response templates? The SAR response letter generator creates customised templates for all five letter types — acknowledgement, identity verification, extension, response, and exemption. For tools that automate the full SAR workflow, see DSAR Software for Small Businesses.

Sources

• ICO — Right of access (subject access) guidance
• Data (Use and Access) Act 2025 — Section 76 (time limits)
• Data (Use and Access) Act 2025 — Section 78 (reasonable and proportionate search)
• Data Protection Act 2018 — Schedule 2, Part 4 (exemptions)
• ICO — Guide to the data protection exemptions

This guide covers the exemptions UK employers rely on most frequently, with practical examples for each.

This guide covers DPA 2018 exemptions relevant to employer SAR responses. It is not legal advice. For SARs linked to litigation or tribunal claims, seek specialist legal counsel before applying exemptions.

How exemptions work

SAR exemptions are not blanket permissions to ignore a request. Each exemption:

• Applies to specific documents or data items, not entire categories
• Must be assessed on a case-by-case basis — you cannot exempt "all legal correspondence" or "the entire tribunal file"
• Requires written justification for each application — this is what the ICO asks for when a complaint is filed
• Can be challenged by the requester through an ICO complaint or court order

The ICO's guide to data protection exemptions is the definitive reference. The practical summary below covers the exemptions employers encounter most often.

Legal professional privilege (paragraph 19)

What it covers: Personal data that is subject to legal professional privilege — advice from your solicitor, correspondence prepared in connection with legal proceedings, or documents created for the dominant purpose of obtaining legal advice.

Employer example: An ex-employee submits a SAR while a tribunal claim is ongoing. Your solicitor has sent you advice on how to respond to the tribunal claim, including assessments of the employee's conduct. This advice is privileged and can be withheld.

What it does NOT cover:

• Internal discussions about the employee that happen to mention the solicitor's involvement (the discussion itself is not privileged unless it reveals the substance of the legal advice)
• HR investigation notes that were not created for the purpose of obtaining legal advice
• The fact that legal advice was sought (you can acknowledge it; you can withhold the content)

Common mistake: Applying privilege to the entire tribunal file. Privilege attaches to specific documents — the solicitor's advice letter, the litigation strategy memo — not to every document that happens to be in the same folder.

Management forecasts (paragraph 22)

What it covers: Personal data processed for management forecasting or management planning, where disclosure would prejudice the conduct of the business.

Employer example: You are planning a restructure that will result in 10 redundancies. The restructuring plan includes names of employees in the at-risk pool. An employee in the pool submits a SAR before the consultation process has been announced. Disclosing their inclusion in the redundancy plan would prejudice the proper conduct of the consultation process.

Two conditions must both be met:

1. The data is being processed for management forecasting or planning
2. Disclosure would prejudice the conduct of the business or activity

Once the restructuring plan is announced and the consultation begins, the exemption falls away — the data is no longer confidential management planning.

Negotiations (paragraph 23)

What it covers: Records of your intentions in negotiations with the individual, where disclosure would prejudice those negotiations.

Employer example: An employee has raised a grievance and you are considering offering a settlement. Your internal notes state: "We are prepared to offer up to £15,000 but will start at £8,000." Disclosing this to the employee would directly prejudice the negotiation.

Key limitation: This only covers your intentions — the strategy, the walk-away figure, the settlement parameters. It does not cover the facts of the situation, correspondence exchanged during the negotiation, or the outcome of the negotiation once it concludes.

Confidential references (paragraph 24)

What it covers: References given in confidence for the purposes of education, training, employment, or appointment.

Employer example: You provided a reference for a departing employee to their new employer. The reference was given in confidence. If the employee submits a SAR, you can withhold the reference you gave.

Important distinction:

• References you gave in confidence — exempt from disclosure
• References you received about the employee — NOT automatically exempt. The ICO's employer guidance states you may need to disclose references you received, potentially with third-party details redacted

This catches many employers off guard. The exemption protects the referee's confidence when giving the reference. It does not prevent the subject from seeing references held about them by the recipient organisation.

Third-party data (not an exemption — a separate rule)

Strictly, this is not a Schedule 2 exemption but a separate obligation under UK GDPR Article 15(4). You must not disclose personal data about other identifiable individuals unless:

• The third party has consented, or
• It is reasonable to disclose without consent

Employer example: An employee's SAR captures emails between their line manager and HR discussing performance concerns. The emails mention other team members by name. You must redact the other employees' names and identifying details unless they have consented to disclosure or disclosure is reasonable in the circumstances.

Practical approach:

• Redact names, email addresses, and identifying details of third parties
• Consider whether the third party would reasonably expect their data to be disclosed in this context
• A colleague copied on a routine email may not object to disclosure; a whistleblower reporting misconduct almost certainly would
• Document your reasoning for each redaction decision

Refusing the request entirely

Separately from withholding specific data, you can refuse an entire SAR if it is manifestly unfounded or manifestly excessive.

The Data (Use and Access) Act 2025 amends this threshold to "vexatious or excessive" and provides examples: requests intended to cause distress, requests not made in good faith, or requests that are an abuse of process.

The bar is high. Most SARs — even those submitted during tribunal disputes — are not vexatious. The ICO expects you to respond to routine requests regardless of the requester's motivation. Refusing a legitimate SAR exposes you to an ICO complaint and potential enforcement action.

If you refuse, you must:

1. Explain why you consider the request vexatious or excessive
2. Inform the requester of their right to complain to the ICO
3. Do so within the one-month deadline

Frequently asked questions

Can an employer refuse a SAR from an employee? Only if the request is vexatious or excessive. The threshold is high — most requests must be honoured. You can withhold specific data using the exemptions above, but refusing the entire request requires strong justification.

Do I need to tell the requester which exemptions I applied? Yes. You should tell the requester that certain data has been withheld and identify the exemption relied upon. You do not need to describe the specific content of the withheld data.

What if I am not sure whether an exemption applies? Err on the side of disclosure. The ICO's guidance favours transparency — if you are uncertain whether privilege applies to a specific document, disclose it (with third-party data redacted if necessary). Where the decision is genuinely borderline, document your reasoning and seek legal advice.

Can I apply multiple exemptions to the same document? Yes. A single document could be partly withheld under legal privilege (paragraph 19) and partly redacted for third-party data. Document each decision separately.

What happens if I wrongly apply an exemption? The requester can complain to the ICO. If the ICO finds the exemption was incorrectly applied, they can order you to disclose the data. In serious cases, this may result in an enforcement notice or reprimand.

Use the SAR exemption checker for a guided walkthrough of which exemptions may apply to your situation.

For the full SAR response process including deadlines and redaction, see How to Respond to a Subject Access Request from an Employee. For deadline rules including the DUAA 2025 stop-the-clock mechanism, see Subject Access Request Time Limit UK. For tools that help document exemption decisions alongside your full SAR workflow, see DSAR Software for Small Businesses.

Exemption documentation checklist

For every SAR where you withhold data, record:

• The specific document or data item withheld
• Which exemption you are relying on (with the DPA 2018 paragraph reference)
• Your written reasoning for why the exemption applies to this specific data
• Whether the exemption is partial (some data withheld) or full (entire document withheld)
• The date the exemption was assessed and by whom

This record is your defence if the ICO investigates. Without it, you are relying on verbal explanations after the fact — which the ICO does not find persuasive.

Sources

• ICO — Guide to the data protection exemptions
• ICO — Subject access request Q&As for employers
• Data Protection Act 2018 — Schedule 2, Part 4 (exemptions)
• ICO — Right of access (subject access) guidance

If you are a UK SME handling 1–20 subject access requests a year, none of that is relevant to you. Here is what actually matters when choosing DSAR tools for your business.

This guide covers UK SME requirements for DSAR handling tools. It is not legal advice.

The SME DSAR problem

UK employers must respond to subject access requests within one calendar month under UK GDPR. The Data (Use and Access) Act 2025 (section 78) adds a "reasonable and proportionate search" standard — you need to document what you searched and why.

Most SMEs handle SARs with a combination of:

• Email chains between HR, IT, and the line manager
• Word documents for the response letter
• A spreadsheet (or nothing) for deadline tracking
• No documented audit trail

This works until it does not. According to the ICO's annual report, over 16,000 SAR-related complaints were received in 2022-23 — a 23% year-on-year increase. A single ICO investigation can consume weeks of management time. In an employment tribunal, an incomplete or late SAR response damages your credibility.

What DSAR tools do SMEs actually need?

Enterprise privacy platforms solve a different problem. They automate data discovery across hundreds of integrated systems, manage cross-border transfer assessments, and process thousands of requests per month. An SME with 50 staff, one HR system, and a few SARs per year does not need any of that.

Here is what SMEs actually need from DSAR handling software:

1. Deadline tracking with calendar awareness

The tool should calculate the one-month deadline automatically from the date you log the SAR. It should account for:

• Calendar month calculations (31 January → 28 February)
• Weekend and bank holiday adjustments on the final day
• The DUAA 2025 stop-the-clock mechanism — pausing the clock while waiting for identity verification or clarification
• Two-month extensions for complex requests

Most enterprise platforms include this, but so should any tool priced for SMEs. If you are still tracking deadlines manually, try the SAR deadline calculator — it handles the full calculation including stop-the-clock adjustments.

2. A guided workflow — not just a dashboard

Enterprise tools assume the user knows the SAR process. SME tools should guide you through it:

• Identity verification — what to request, when the clock pauses
• Search scope definition — which systems to check, what counts as personal data
• Exemption checking — which DPA 2018 Schedule 2 exemptions apply and how to document them (see SAR Exemptions Explained for a detailed guide, or try the SAR exemption checker)
• Redaction — what to remove, how to log decisions
• Response generation — compliant cover letter with supplementary information

The difference matters. A dashboard tells you a SAR is overdue. A guided workflow prevents it from becoming overdue in the first place.

3. An audit trail the ICO can review

If a requester complains to the ICO, you need to demonstrate:

• What search you conducted and why it was reasonable
• Which exemptions you applied and your justification for each
• What you redacted and why
• That the response was dispatched within the deadline

The DUAA 2025's "reasonable and proportionate search" standard makes this explicit. Your audit trail is your evidence.

Enterprise platforms generate audit trails as a side effect of their complex workflows. An SME tool should build the audit trail into the workflow itself — logging each step as you complete it, not requiring you to retrospectively document what you did.

4. Response letter templates

A compliant SAR response is more than "here's your data." It must include:

• Confirmation you are processing the individual's personal data
• A copy of the data in a commonly used format
• The purposes of processing
• Categories of data held
• Recipients or categories of recipients
• Retention periods
• The individual's rights (rectification, erasure, complaint to ICO)

Writing this from scratch every time is error-prone. Template letters — pre-populated with the SAR details — save time and reduce compliance risk.

The SAR response letter generator creates these templates for free — acknowledgement letters, identity verification requests, response cover letters, extension notices, and partial exemption explanations.

5. Affordable pricing

The pricing gap in DSAR software is stark:

The gap between £50 one-off templates and £10,000+/year enterprise platforms is where most UK SMEs sit. An SME handling a few SARs per year needs a tool priced in the tens of pounds per month — not thousands.

Features you do NOT need

Enterprise DSAR platforms pack features that make sense at scale but add unnecessary complexity for SMEs:

• Automated data discovery — scanning hundreds of integrated systems for personal data. If you have one HR system and an email server, you know where the data is.
• Cross-border transfer impact assessments — relevant for multinationals, not for a UK employer with staff in one country.
• Consent management — a separate compliance function that has nothing to do with SAR response.
• Cookie banner management — bundled by privacy platforms as an upsell. Irrelevant to SAR handling.
• Privacy impact assessment workflows — valuable, but a separate tool for a separate purpose.

If a vendor bundles all of these into a "privacy suite" and prices accordingly, you are paying for capabilities you will never use.

How to evaluate DSAR software for your SME

Ask these five questions before committing to any tool:

1. Does it guide you through the process, or just track requests? A tracking dashboard is not enough if nobody on your team has handled a SAR before.

2. Does it handle UK-specific requirements? UK GDPR, DPA 2018 exemptions, and DUAA 2025 provisions differ from EU GDPR. Tools built for the EU or US market may miss UK-specific nuances (the stop-the-clock mechanism, Schedule 2 Part 4 exemptions, UK enforcement thresholds).

3. Does it create an audit trail automatically? If you need to manually document what you searched and why after the fact, the tool is not saving you enough time.

4. Can you be operational in under an hour? Enterprise platforms take weeks to implement with professional services. An SME tool should work from day one.

5. Is the pricing transparent? If you need to "book a demo" or "contact sales" to see pricing, the tool is not built for SMEs. SME buyers expect to see the price on the website and sign up without a sales call.

What dsartracker is building

dsartracker is a SAR response tracker designed specifically for the gap described above — UK SMEs handling employee SARs without a dedicated DPO.

It guides you through every step: log the incoming SAR, calculate the deadline (including DUAA 2025 stop-the-clock), follow a structured workflow for identity verification, search scope, exemption checking, and redaction, generate response letters from templates, and export an audit-ready compliance pack. For a walkthrough of the full SAR response process, see How to Respond to a Subject Access Request from an Employee.

Planned free tier: SAR deadline calculator + 2 requests/year. Planned paid tier: unlimited requests with the full workflow.

Join the waitlist for early access.

Sources

• ICO — Right of access (subject access) guidance
• Data (Use and Access) Act 2025 — Section 76 (time limits)
• Data (Use and Access) Act 2025 — Section 78 (reasonable and proportionate search)
• Data Protection Act 2018 — Schedule 2, Part 4 (exemptions)

This guide breaks down exactly how the deadline works, when you can extend it, and how the new stop-the-clock rule under the Data (Use and Access) Act 2025 changes the calculation.

This guide covers UK SAR time limits under UK GDPR and the Data Protection Act 2018, as amended by the DUAA 2025. It is not legal advice.

The basic rule: one calendar month

Under UK GDPR Article 12(3), you must respond to a SAR "without undue delay" and within one calendar month of receipt.

The clock starts on the day you receive the request — not when you acknowledge it, assign it, or start searching. If any employee in your organisation receives the request, it counts.

How to calculate the deadline:

• SAR received 15 March → deadline 15 April
• SAR received 31 January → deadline 28 February (or 29 in a leap year — the last day of the month)
• If the deadline falls on a weekend or bank holiday, it moves to the next working day

Use the SAR deadline calculator to work out your exact deadline automatically.

The DUAA 2025 stop-the-clock rule

The Data (Use and Access) Act 2025, section 76 — in force since 5 February 2026 — introduces a stop-the-clock mechanism that fundamentally changes how SAR deadlines work.

When the clock pauses

The response period does not start until you receive:

1. Identity verification. If you request proof of identity from the requester, the clock does not start until they provide it. Previously, the one-month period ran from receipt of the SAR regardless of whether you had verified the requester's identity.

2. Clarification of a broad request. If a request is too vague to action — "send me everything" with no indication of time period or data category — you can ask the requester to narrow it down. The time between your clarification request and their response does not count toward the deadline.

How this works in practice

Example: A SAR arrives on 1 March. You request ID verification on 2 March. The requester provides their passport on 12 March. Your one-month clock starts on 12 March, giving you until 12 April to respond.

Example: A SAR arrives on 1 March asking for "all my data." You ask for clarification on 3 March — which systems, which time period? They respond on 20 March specifying "HR records and emails from 2024-2025." Your clock starts on 20 March, giving you until 20 April.

Key requirement: Your request for verification or clarification must be genuine and reasonable. The ICO will not accept stop-the-clock being used as a delaying tactic. If you ask for ID for a current employee whose identity you can already verify from payroll records, that is not a genuine need.

What to document

Log the exact dates:

• Date SAR received
• Date you requested verification/clarification
• Date verification/clarification was received
• Calculated deadline (one month from the later date)

This timeline is your evidence that the clock was legitimately paused.

When you can extend by two months

Separately from the stop-the-clock mechanism, UK GDPR Article 12(3) allows a two-month extension if:

• The request is complex (large volumes of data across multiple systems, difficult exemption decisions)
• You receive multiple requests from the same individual at the same time

You must tell the requester within the first calendar month that you are extending and explain why. Failing to notify is itself a breach — even if you ultimately respond within the extended deadline.

The extension adds two months to the original one-month deadline, giving you three months total from the start of the applicable period.

When does complex mean complex? The ICO's right of access guidance gives examples: the request covers data held across multiple systems with no central search, the data involves numerous third parties requiring redaction decisions, or the data requires careful exemption assessment (legal privilege in tribunal cases, for instance).

Routine requests — even if they involve a large volume of straightforward data — are not automatically complex enough to justify an extension.

For a step-by-step guide to the full SAR response process, see How to Respond to a Subject Access Request from an Employee. If your request involves exemptions, see SAR Exemptions Explained. For an overview of tools that help track SAR deadlines across multiple requests, see DSAR Software for Small Businesses.

Stop-the-clock vs. extension: which applies?

These are two separate mechanisms and they can apply in sequence:

Combined example: SAR received 1 March. ID requested 2 March, received 15 March (clock starts). The request covers 6 systems and involves tribunal-related legal privilege assessments — genuinely complex. You notify the requester on 10 April that you are extending by 2 months. New deadline: 15 May + 2 months = 15 July.

What happens if you miss the deadline

The consequences escalate:

ICO complaint. The requester complains to the ICO. The ICO asks you to demonstrate that your search was reasonable and that your response was sent within the deadline (or that a valid extension was notified). If you cannot demonstrate this, the ICO can issue:

• An assessment notice requiring you to take specific corrective action
• A reprimand — a formal finding of non-compliance published on the ICO's website
• An enforcement notice requiring you to respond within a specified period
• A penalty notice — fines up to £17.5 million or 4% of annual global turnover (whichever is higher)

Employment tribunal impact. In tribunal proceedings, a late or incomplete SAR response can damage your credibility. Tribunals may draw adverse inferences from delays — particularly if the data withheld is relevant to the case.

Practical reality for SMEs: The ICO's enforcement action typically starts with reprimands and enforcement notices rather than maximum fines. But the reputational damage, management time spent responding to ICO investigations, and potential tribunal consequences make deadline compliance a business-critical issue.

Frequently asked questions

Does the one-month deadline include weekends and bank holidays? Yes — it is one calendar month, counting all days. Only the final day shifts: if the deadline falls on a weekend or bank holiday, it extends to the next working day.

Can you extend the deadline without telling the requester? No. You must notify the requester within the first month and explain why the extension is necessary. A silent extension is a breach of Article 12(3) even if you respond within the extended period.

What if the requester never responds to your clarification request? Under the DUAA 2025 stop-the-clock provision, the clock remains paused until clarification is received. If the requester abandons the request, you should follow up at a reasonable interval and document your attempts.

Does the stop-the-clock rule apply to SARs received before 5 February 2026? The DUAA 2025 provisions apply to requests handled after the commencement date. SARs received before 5 February 2026 but still being processed after that date should be handled under the new rules for the remaining response period. Seek legal advice if the timing is ambiguous.

Can the requester complain to the ICO before the deadline has passed? The ICO will generally wait until the deadline expires before assessing a complaint about response time. However, if you have neither responded nor communicated about an extension, the ICO may contact you to remind you of your obligations.

Deadline checklist

Before your SAR deadline arrives, confirm:

• The SAR receipt date and deadline are logged with an audit trail
• Any stop-the-clock periods (ID verification, clarification) are documented with exact dates
• If extending by 2 months, the requester was notified within the first month with reasons
• The response was dispatched before the deadline (keep proof of dispatch)
• If the deadline was missed, an explanation is documented for any ICO inquiry

Sources

• ICO — Right of access (subject access) guidance
• ICO — Time limits for responding to data protection rights requests
• Data (Use and Access) Act 2025 — Section 76 (time limits for responding)
• Data Protection Act 2018

This guide walks UK employers through every step of responding to a subject access request (SAR), from the moment it arrives to dispatching a compliant response with an audit trail the ICO can review.

This guide covers UK employer obligations under UK GDPR and the Data Protection Act 2018. It is not legal advice. For complex SARs — particularly those linked to employment tribunal proceedings — seek specialist legal counsel.

What counts as a subject access request?

A SAR is a request by an individual to see the personal data your organisation holds about them. Under UK GDPR Article 15, anyone — employees, ex-employees, job applicants, contractors — can make one.

The request does not need to:

• Use the words "subject access request" or "SAR"
• Be in writing — verbal requests count
• Follow a specific format or use your form
• Give a reason

A message saying "send me everything you have on me" is a valid SAR. So is a solicitor's letter requesting "all personal data relating to our client." The ICO's employer SAR guidance confirms that requests can arrive by email, letter, social media, or even verbally in a meeting.

Practical tip: Train anyone who receives external correspondence — reception, HR, office managers — to recognise SARs. The clock starts when anyone in your organisation receives the request, not when it reaches the right person.

The 1-month deadline (and when you can extend it)

You must respond within one calendar month of receiving the SAR. If the SAR arrives on 15 March, your deadline is 15 April.

Three situations affect the deadline:

1. Identity verification pauses the clock. Under section 76 of the Data (Use and Access) Act 2025 (in force since 5 February 2026), the response period does not start running until you receive the identity information you have requested. If you ask for ID verification on day 1 and receive it on day 10, those 10 days do not count.

2. Clarification requests also pause the clock. The same DUAA 2025 provision allows the clock to stop while you wait for the requester to narrow a broad request. If someone asks for "everything" and you reasonably need them to specify which systems or time periods, the period between your clarification request and their response does not count toward the deadline.

3. Complex requests get a 2-month extension. If the request is genuinely complex — large volumes of data across multiple systems, or multiple simultaneous requests from the same person — you can extend by a further two months. You must notify the requester within the first month and explain why the extension is needed.

What happens if you miss the deadline? The requester can complain to the ICO. According to the ICO's annual report, SAR complaint volumes rose 23% year-on-year, with over 16,000 complaints in 2022-23 alone. The ICO has issued reprimands and enforcement notices for SAR handling failures. In an employment tribunal context, a late or incomplete response can damage your credibility with the tribunal.

For a detailed breakdown of deadlines, extensions, and the new stop-the-clock rule, see Subject Access Request Time Limit UK. Use the SAR deadline calculator to work out your exact deadline, including stop-the-clock adjustments.

Step-by-step: responding to an employee SAR

Step 1: Log the request immediately

Record the date received, who received it, the requester's name, and the channel it arrived through. This is the start of your audit trail.

Do not wait for the "right person" to see it. The clock starts when anyone in the organisation receives the request.

Step 2: Verify the requester's identity

You need to be reasonably satisfied the requester is who they claim to be. For current employees, your existing records (employee ID, payroll number) may be sufficient. For ex-employees or solicitor-submitted requests, ask for:

• Photo ID (passport, driving licence)
• A signed authority letter if made via a solicitor

Under the DUAA 2025 stop-the-clock provision, the response period pauses until you receive verification. Document what you asked for and when.

Step 3: Define the search scope

Work out where personal data about this person might be held. For a typical employee, check:

• HR information system / personnel files
• Email (their account and emails about them in others' accounts)
• Payroll and pension records
• Occupational health records
• Line manager notes, performance reviews, disciplinary files
• CCTV footage (if the requester appears in it)
• Instant messaging platforms (Teams, Slack)
• Paper files

The DUAA 2025 (section 78) introduces a "reasonable and proportionate search" standard. You do not need to search every backup tape or archived system — but you must document what you searched and why your scope was reasonable.

Log every system you search, the date you searched it, and who performed the search. This audit trail is what the ICO asks for when a complaint is filed.

Step 4: Gather the data

Collect all personal data within scope. Personal data means any information relating to the identifiable individual — not just their name, but opinions about them, decisions affecting them, and any data linked to them.

Common items employers miss:

• Emails about the employee in other people's mailboxes
• Notes in line managers' personal folders
• WhatsApp or Teams messages mentioning the employee
• Interview notes (for job applicants)
• References given about the employee to third parties

Step 5: Check exemptions

Not everything you find must be disclosed. The Data Protection Act 2018 (Schedule 2, Part 4) contains several exemptions employers commonly rely on — see SAR Exemptions Explained for a detailed guide with examples:

• Legal professional privilege (paragraph 19): Documents protected by legal advice privilege or litigation privilege — for example, advice from your solicitor about the employee's tribunal claim
• Management forecasts (paragraph 22): Data used for management planning where disclosure would prejudice the business — for example, restructuring plans that haven't been announced
• Negotiations (paragraph 23): Records of your intentions in negotiations with the individual — for example, your settlement offer strategy
• Confidential references (paragraph 24): References you gave in confidence about the employee — though note that references you received about the employee are not automatically exempt

Each exemption must be assessed on a document-by-document basis. You cannot apply a blanket exemption to an entire category. Document your reasoning for every exemption applied — the ICO expects a written justification for each decision.

Use the SAR exemption checker for a guided walkthrough of which exemptions may apply to your situation.

Step 6: Redact third-party data

Your response must not disclose personal data about other identifiable individuals unless they have consented or it is reasonable to disclose without consent.

In practice, this means:

• Redact names, email addresses, and identifying details of colleagues mentioned in emails
• Redact witness statements where the witness could be identified
• Use consistent redaction methods — "[REDACTED]" markers in text, black bars in PDFs
• Log each redaction decision with your reasoning

Do not over-redact. The ICO's guidance states you should consider whether the third party would reasonably object to disclosure. Redacting the name of a colleague who simply sent the employee a meeting invite is disproportionate. Redacting a whistleblower's identity is justified.

Step 7: Compile and send the response

Your response should include:

1. Confirmation that you are processing the individual's personal data
2. A copy of the personal data in a commonly used electronic format (PDF, CSV, or similar)
3. Supplementary information: the purposes of processing, categories of data, recipients or categories of recipients, retention periods, and the individual's rights
4. Exemption explanations: where you have withheld data, explain which exemption applies (you do not need to detail the specific content withheld)

Send the response securely — encrypted email, secure file transfer, or recorded delivery for paper copies. Never send unencrypted personal data by standard email.

Use the SAR response letter generator to create a compliant response cover letter. For a comparison of DSAR handling tools for SMEs, see DSAR Software for Small Businesses.

Common employer mistakes

Treating a SAR as hostile. SARs are a legal right, not an attack. The ICO's employer guidance is clear: you must respond regardless of the requester's motive, whether it is a routine request or part of tribunal preparation.

Ignoring verbal requests. A SAR does not need to be in writing. If an employee says "I want to see my file" in a meeting, that is a SAR.

Searching only the HR system. Personal data about an employee exists across email, messaging, line managers' notes, CCTV, payroll, and more. An incomplete search is a common basis for ICO complaints.

Applying blanket exemptions. "We've redacted everything from the tribunal file" is not a valid approach. Each document must be assessed individually.

Missing the deadline without communicating. If you need more time, tell the requester within the first month. Silent delays generate complaints.

Frequently asked questions

Can an employer refuse a subject access request? Only if the request is manifestly unfounded or excessive — for example, repeated identical requests intended to cause disruption. The threshold is high. The Data (Use and Access) Act 2025 refines the refusal standard to "vexatious or excessive" and provides examples including requests not made in good faith or that are an abuse of process. If you refuse, you must explain why and inform the requester of their right to complain to the ICO.

Does a SAR cover emails about the employee? Yes. Emails in other people's mailboxes that contain personal data about the requester are in scope. This includes emails discussing the employee's performance, conduct, or any other matter relating to them.

What if the SAR arrives during a tribunal dispute? You must still respond within the deadline. The ICO's employer guidance explicitly states that SARs must be honoured regardless of concurrent legal proceedings. A non-disclosure agreement does not override the right of access.

Can you charge a fee for responding? In most cases, no. SARs are free under UK GDPR. You can charge a reasonable fee only if the request is manifestly unfounded or excessive, or for additional copies beyond the first.

Can a SAR be made verbally? Yes. A subject access request does not need to be in writing. If an employee says "I want to see my file" in a meeting or by phone, that is a valid SAR and the one-month clock starts immediately. The ICO confirms that requests can arrive by email, letter, social media, or verbally. Train anyone who handles employee interactions to recognise verbal SARs.

What is the DUAA 2025 stop-the-clock rule? The Data (Use and Access) Act 2025 (section 76), in force since 5 February 2026, allows the response clock to pause while you wait for identity verification or clarification from the requester. This replaces the previous position where the clock ran continuously from receipt.

Pre-response checklist

Before dispatching your SAR response, verify:

• All systems identified in the search scope have been searched and documented
• Every exemption applied has a written justification
• Third-party data has been consistently redacted with reasoning logged
• The response includes supplementary information (purposes, categories, retention, rights)
• The response is sent securely (encrypted email or secure transfer)
• You have retained a copy of the response and full audit trail
• The response was dispatched within the deadline (or an extension notice was sent within the first month)

Sources

• ICO — Right of access (subject access) guidance
• ICO — Subject access request Q&As for employers
• ICO — Guide to the data protection exemptions
• Data Protection Act 2018 — Schedule 2, Part 4 (exemptions)
• Data (Use and Access) Act 2025 — Section 76 (time limits for responding)
• Data (Use and Access) Act 2025 — Section 78 (reasonable and proportionate search)