
Handling Employee Data Subject Access Requests (DSARS)
This page is for organisations that have received a DSAR from an employee and provides general guidance on how DSARs operate in practice, the tools to use, obligations organisations must be aware of and common issues that arise when responding to requests. It is intended to support understanding and awareness and does not constitute legal advice.
What is a Data Subject Access Request?
A DSAR is a request made by an individual asking an organisation to confirm whether it processes their personal data and, if so, to provide access to that data together with certain supporting information.
In practice, this includes information about the purposes for which the data is processed, the categories of personal data involved, who the data has been shared with, how long it is retained and the individual’s rights in relation to that data.
There is no requirement for Data Subject Access Requests to be made in any particular format. In practice, this means a valid request can be received by any employee, including by email, telephone, or informal correspondence. Organisations are expected to be able to recognise and respond to requests regardless of how they are received.
Who can make a DSAR?
A DSAR may be made by any individual whose personal data is processed by an organisation. This commonly includes employees and former employees, customers, service users, suppliers, and contractors. Requests may also be made by authorised representatives acting on behalf of an individual, such as a solicitor, or the parent or guardian of a child or vulnerable adult.
Employee DSARs are particularly common and often arise alongside grievances, disciplinary processes, or disputes, which can add complexity to the response process.
How DSARs are made in practice
Because there is no prescribed format, organisations need to ensure that staff are able to recognise requests when they arise and that appropriate internal processes are in place to log and handle them promptly. Requests are frequently received by email, letter, or online contact form, but may also be made verbally or via messaging and social media platforms.
A Subject Access Request provides a right of access to personal data, not to documents as a whole. In practice, this often requires careful review of records that contain a mixture of personal data and other information.
Time limits and extensions
Organisations are required to respond to a DSAR without undue delay and, in most cases, within one month of receipt. The Information Commissioner's Office publishes guidance setting out the time limits organisations must follow when individuals exercise their rights.
Where a request is complex or numerous, the response period may be extended by up to a further two months. Where an extension is relied upon, the organisation must inform the individual within the original one month period and explain why additional time is needed.
Watch out: if an organisation fails to respond to a DSAR on time, the individual does not have to go to the ICO; they can bring a claim for damage and distress through the courts. Awards are decided on a case-by-case basis but can be up to £20,000. The organisation will still have to comply with the DSAR.
Verifying the identity of the requester
Where there is reasonable doubt about an individual's identity, organisations may request additional information to verify who is making the request. Any such checks must be reasonable and proportionate. Where an organisation already has an ongoing relationship with the individual and their identity is clear, additional verification may not be appropriate. Where someone is making a request on behalf of another individual, gov.uk sets out what needs to be included in the letter of authority.
In such cases, the statutory response period does not begin until sufficient information has been provided. Any verification steps taken should be reasonable and proportionate to the circumstances.
Searching for personal data
Responding to a DSAR requires organisations to carry out reasonable and proportionate searches for personal data relating to the requester. What is reasonable will depend on the nature of the request, the systems in use, and the volume of data involved.
Personal data may be held across a range of locations, including email systems, HR records, customer databases, shared drives, messaging platforms, and archived material. It is wise to speak to your IT department early to get ahead of this process.
Scope and clarification
In practice, some requests are broad or unclear. Organisations may ask individuals to clarify the scope or timeframe of a request in order to better understand what information is sought. However, individuals are not required to narrow their request, and organisations must still take reasonable steps to respond even where clarification is not provided.
Tools for managing Subject Access Requests (DSARs)
eDiscovery software can shorten the process of responding to a DSAR by weeks. It removes out-of-scope emails and data that does not belong to the individual. The process of collecting the data is the same; however, once the data is loaded into the eDiscovery tool you are able to review and redact information quickly. For this process we use EverLaw, as it is cost effective and provides the level of security needed when conducting a DSAR.
Reviewing and disclosing information
Once information has been identified, it must be reviewed to determine what falls within scope of disclosure. This typically involves assessing whether the information constitutes personal data, whether any exemptions apply, and whether the disclosure would affect the rights and freedoms of others.
This stage often requires judgement rather than a purely mechanical approach, particularly where documents contain mixed information or relate to multiple individuals.
Redactions and third-party data
It is common for DSAR responses to contain information relating to third parties. The right of access does not override the rights of others, and organisations must take care to avoid inappropriate disclosure.
Where redactions are applied, they should be lawful, proportionate, and justifiable. Both over-redaction and under-redaction can lead to complaints or regulatory concern.
Refusing a DSAR or charging a fee
In limited circumstances, organisations may refuse to comply with a DSAR, for example where a request is manifestly unfounded or excessive. Any refusal must be clearly explained and documented.
A request is not considered ‘manifestly unfounded or excessive’ simply because it is inconvenient or time consuming. The threshold is high, and decisions must be capable of justification if challenged.
Exemptions from the right of access must be applied on a case-by-case basis and interpreted narrowly. Blanket approaches or automatic refusals are unlikely to meet regulatory expectations.
In most cases, organisations cannot charge a fee for responding to a DSAR. A reasonable fee may only be charged in specific circumstances, such as where a request is excessive, or where the individual asks for additional copies of records that have already been provided to them.
Regulatory expectations
The Information Commissioner’s Office (ICO) publishes guidance setting out how organisations are expected to handle Subject Access Requests under UK GDPR.
From a regulatory perspective, organisations are expected to demonstrate that they have appropriate procedures in place, that requests are identified and handled promptly, and that decision-making is proportionate and documented.
Consequences of non-compliance
Failure to handle a DSAR appropriately may result in complaints to the ICO and, in some cases, legal claims. While compensation is not automatic, courts may award damages where individuals can demonstrate material loss or distress.
Reputational impact is also an important consideration, particularly where requests arise in contentious circumstances.
Policies, procedures and training
Having clear internal policies and procedures can help organisations manage DSARs more consistently and reduce the risk of error. Staff awareness is particularly important for teams likely to receive requests in the first instance.
Looking for practical support?
This page provides general guidance on Subject Access Requests. For information about practical support in managing DSARs, see our separate page on DSAR support for organisations.
Frequently Asked Questions
What should organisations do when reviewing and disclosing information in response to a DSAR?
Once personal data is identified, organisations must review it to determine what falls within the scope of the request and decide what can be disclosed, considering any exemptions or third-party rights. Redactions and disclosures must be lawful, fair, and justifiable, especially when third-party data is involved.
What is a Data Subject Access Request (DSAR)?
A DSAR is a request made by an individual asking an organisation to confirm whether it processes their personal data and, if so, to provide access to that data along with supporting information such as processing purposes, shared data, retention period, and rights related to the data.
Who can make a DSAR and how are requests made?
Any individual whose personal data is processed by an organisation can make a DSAR. Requests can be made in any format, such as email, letter, online form, verbally, or through social media. Organisations should be able to recognise and respond to requests regardless of how they are received.
What are the time limits for responding to a DSAR?
Organisations are expected to respond to a DSAR without undue delay and generally within one month of receiving the request. If the request is complex or numerous, this period can be extended by up to two additional months, with the individual being informed within the original month.
How does an organisation verify the identity of a requester?
If there is reasonable doubt about an individual’s identity, organisations may ask for additional information to verify the requester, but this must be reasonable and proportionate. If the relationship is ongoing and the requester’s identity is clear, no further verification may be necessary, and the response period begins once sufficient information is provided.

