
Changes to employment law and the rise in subject access requests
Employment Rights Act
From January 1 2027, the Employment Rights Act 2025 gives employees greater protection if they are dismissed after just 6 months. This could lead to a rise in Data Subject Access Requests from mid-2027 onwards, with individuals potentially being able to build a stronger case against an ex-employer.
From the employer’s side, this will be a headache they do not need, especially for smaller organisations which may not be equipped to deal with this increase. But there is some light relief. Employers are only required to carry out a reasonable and proportionate search under the Data (Use and Access) Act. So those who want to see what information is held about them and how decisions were made may find they don’t get a full picture. In this article we’ll talk through these changes and how your organisation can stay ahead.
What changes in January 2027?
The Advisory, Conciliation and Arbitration Service (ACAS) says that, from 1 January 2027, protection from unfair dismissal is expected to become available after six months in a job, rather than after two years. ACAS also notes that the detail of implementation remains subject to consultation in many areas.
This means employees may reach the point of legal protection much sooner than before. For employers, this could increase scrutiny of dismissals linked to probation, performance, conduct, attendance, or workplace relationships at a much earlier stage.
Why could this lead to more Subject Access Requests?
Data Subject Access Requests are already a common feature of employment disputes. With the use of AI they are likely to become even more common. Employees often use them to obtain copies of emails, HR records, meeting notes, internal messages and other personal data that may help them understand what happened and whether the organisation handled matters fairly. This can be time-consuming and often costly for an employer.
This information may be particularly useful where there has been:
- A probation dismissal
- Concerns about performance or conduct
- A grievance or complaint
- Inconsistent manager communications
- A dispute about the reasons given for dismissal
The real risk is often poor record-keeping
Many organisations focus on the burden of responding to the DSAR itself. In practice, the greater problem is often the quality of the records you keep.
If managers are careless with their wording in emails, HR records are inconsistent, or AI is used to make decisions without proper compliance policies in place, the organisation may face more of a challenge to find and review the data.
Individuals are also entitled to know the description of the personal data being processed, the purpose, categories, recipients and retention periods for this processing, where it’s been collected from and the use of automated decision-making. This is why it’s important to have a robust and up-to-date employee privacy policy in place which covers these additional points.
It’s also worth knowing that retention policies should be up to date and outdated data regularly deleted. This reduces the work required to find the information and limits it to what is needed. Most retention policies are 6 years to cover the legal requirement to keep finance data.
How DSARs are used in employment tribunal claims
There are already clear examples of employees using Data Subject Access Requests strategically in employment disputes. In McWilliams v Citibank, an employer’s failure to properly respond to a DSAR contributed to a finding of unfair dismissal. Regulators are willing to intervene where employers fail to comply, meaning organisations face both tribunal and regulatory risk if not done correctly.
The key issue in McWilliams was not simply the failure to respond to the DSAR, but the fact that it materially affected the employee’s ability to defend herself during the disciplinary process.
The courts have also made clear that subject access requests can be used strategically in disputes. In Dawson-Damer v Taylor Wessing LLP, the Court of Appeal confirmed that a DSAR is not invalid simply because it is made in the context of litigation or for tactical reasons. While organisations can rely on exemptions such as legal privilege, they cannot refuse to comply simply because the request is seen as a “fishing exercise”.
When read alongside cases such as McWilliams v Citibank, this highlights a clear risk for employers: DSARs are both a legitimate tool for employees and something that tribunals may scrutinise when assessing fairness.
What does this mean for employers now?
Organisations should use the time before 2027 to review how employment-related personal data is created, stored and searched.
That means looking at:
- Whether retention periods are clear and followed;
- If you’re using AI, whether you have an “AI Fair Use Policy” in place to stop employees generating reams of extra data about other individuals;
- Whether privacy policies are up to date and in line with the new Data (Use and Access) Act;
- Whether the use of multiple platforms such as Teams, Slack or email discussions is being handled appropriately;
- Whether the organisation has had data protection training to spot a DSAR and has a workable process in place to handle them.

A DSAR response is much easier to deal with when the organisation already knows where relevant data sits, who is likely to hold it, and how a search should be carried out.
Reasonable and proportionate searches
The Data (Use and Access) Act 2025 is not the reason employers may see more DSARs. The likely driver is the employment law change.
However, the DUAA is still worth mentioning because it makes it clearer that organisations responding to a subject access request only need to carry out reasonable and proportionate searches. Government and ICO material presents this as a clarification of the approach rather than a major change in principle. This means that employers may find it harder to justify a two-month extension. Organisations still need a sensible and defensible search methodology that they can show the ICO if requested. They cannot simply avoid difficult searches because the request is inconvenient or time-consuming.
Final thoughts
If more employees become able to challenge dismissals after only six months’ service, employers may also see more DSARs being used earlier in the employment relationship, especially with the use of AI tools such as ChatGPT, which are known to coach individuals on raising DSARs when they are dismissed. The organisations that manage that best are likely to be the ones that prepare now: by improving record-keeping, tightening HR processes, having an AI Fair Use Policy and making sure their DSAR response process is ready before the pressure increases.
Need help complying?
If you have any questions about your own policies and guidance on DSARs, please send us an email or call us on +44 (0)79769 39016 (9.00 am – 6 pm).
Westbrook Data Protection Services Limited
2nd Floor, Midas House, 62 Goldsworth Road
Woking, Surrey, GU21 6LQ

