A Guide to Navigating the UK DPA’s Updated Guidance on Subject Access Requests (SARs) for Employers

By Securiti Research Team
Published July 6, 2023


The Information Commissioner's Office (ICO), the United Kingdom’s data protection authority, released new guidance on May 24, 2023, to assist organizations and employers in responding to subject access requests (SARs) from current and former employees in a responsible manner and within the stated time frames while ensuring that employees can exercise their right to access their personal data whenever they need to.

Subject access requests, also referred to as data subject access requests (DSARs) or the right to access requests, are submitted when an employee or any other individual wants to exercise the right to access granted under the UK’s General Data Protection Regulation (GDPR) and the Data Protection Act (DPA).

While elaborating on the need for the new guidance, Elanor McCombe, Policy Group Manager at the Information Commissioner’s Office, stated that “It’s important to not get caught out, and that is why we are publishing this guidance today – to support employers in responding to subject access requests in a proper and timely manner, and to ensure that employees are able to access their personal data when desired. For those who continue to fail to respond to subject access requests in accordance with the law, we will continue to uphold and protect the data rights of individuals and take appropriate action where necessary.”

Key Points Under the New Guidance

The new guidance addresses common questions about SARs, helping organizations and employers understand how to respond to SARs efficiently and avoid misunderstandings about them.

What does a right of access mean under the UK GDPR?

The right of access enables individuals to obtain from organizations a copy of their personal information, along with details such as where the organization or employer obtained their information, how they are using it, and with whom they are sharing it.

Organizations or employers have one month after receiving a SAR to reply to the request. However, if the SAR is complicated or if an individual has submitted multiple requests, organizations and employers may be able to extend the deadline for replying by up to two months.

Do individuals need to submit SARs in a specific format?

An individual may submit a SAR verbally, in writing, or online—including through social media. SARs can be made to any department within the organization and are not required to address a particular individual or point of contact. However, as a general rule, organizations should designate a team, individual, and email address to honor SARs.

Notably, a request need not contain the words "subject access request," "right of access," or "Article 15 of the UK GDPR." It just needs to be obvious from the request that the individual is requesting their own private information.

Are organizations or employers allowed to clarify the SAR?

Yes. Before replying to the request, organizations or employers could ask the employee or the individual to specify the information or processing activity they're requesting. The deadline for replying to the request is paused until the clarification is received. However, clarification must only be sought when it is genuinely required to respond to the SAR and when the employer processes a large amount of worker-related data.

When can organizations or employers withhold information?

There are exemptions to the right of access under the UK GDPR that allow organizations or employers to withhold any or all requested information. However, organizations and employers must use exemptions on a case-by-case basis and explain and document the justifications for doing so. Additionally, organizations can refuse to comply with a SAR if the request is manifestly unfounded or manifestly excessive.

A request may be manifestly unfounded if the employee clearly has no intention of exercising their right to access or if the request is malicious in intent and being used to harass the employer with the purpose of causing disruption. The use of aggressive or abusive language does not necessarily make a request manifestly unfounded.

A request may be manifestly excessive if it is clearly or obviously unreasonable based on its proportionality against the costs involved in dealing with it. A request would not necessarily be excessive just because an employee requested a large amount of information.

Can a SAR disclose information about other individuals?

Personal information may include details of more than one individual. In such an instance, the DPA 2018 states that organizations are not required to comply with a SAR if doing so requires disclosing information that identifies a third person other than the requestor.

In such a scenario, the organization must consider whether it is possible to comply with the access request without revealing information that relates to and identifies another individual. The organization may consider redacting any third-party information, deleting names, or editing third-party information and still comply with the access request.

If it is impossible to take out third-party information, then the organization may refuse to respond to the access request and withhold information. The organization must, however, communicate to the individual why it cannot respond to the request and record its reasons to be able to demonstrate compliance.

Organizations can also honor the SAR if the third person consents to the disclosure or if it is reasonable to comply with the request without their consent.

In determining whether it is reasonable to comply without an individual’s consent, organizations must conduct a balancing exercise and take into account all relevant factors, including:

  • the type/categories of information that would be disclosed;
  • any confidentiality obligations owed toward other(s);
  • any actions taken to obtain the other person's consent;
  • whether the other individual is capable of giving consent; and
  • any stated refusal of consent by the other party.

What constitutes information belonging to more than one individual?

A SAR could inquire about information that may be subject to certain safeguards or exemptions. Such information might contain details on other individuals, including, for instance:

Witnesses and their statements

Witness statements are used for internal disciplinary or investigative issues in the workplace. If complying with a SAR will require disclosing information about another individual included in a witness statement, you are not required to do so unless that individual consents to the disclosure or it is reasonable to comply without their consent.

To determine whether it is reasonable to disclose the information, the organization should consider the reasonable expectation of the other person, any duty of confidentiality owed to them, any express refusal of consent by that person, whether they are capable of giving consent, the nature of the information to be disclosed (it is generally more likely to be reasonable to disclose professional information about an employee than private information), and factors such as the person’s seniority and role.

Whistleblowers and their statements

Disclosure of the alleged wrongdoing must be in the public interest. This implies that it must affect others, such as the general public. A whistleblower’s statement will likely include information concerning individuals accused of wrongdoing and that of the informants or other third parties, including witnesses. Whistleblowers are also protected by the Public Interest Disclosure Act of 1998 (PIDA 1998). In such a situation, you must balance the requester’s right of access against the whistleblower’s rights under the UK GDPR and the PIDA 1998.

Confidential references

References given to employers in confidence should not be disclosed when provided for the purposes of education, training, or employment of someone; someone working as a volunteer; appointing someone to office; or provision of any service by someone. Organizations should tell employees and referees whether references are kept confidential, through the staff manual, privacy statement, or policies.

If it is unclear whether references are kept confidential, access requests should be considered on a case-by-case basis, taking into account any clearly stated confidentiality assurance given to the referee, any reasons the referee may give for withholding consent, any risk caused to the referee by disclosure, the likely impact of the reference on the requester, and the requester’s interest in being able to satisfy themselves of the accuracy and truthfulness of the reference.

Confidential communications between lawyers and clients

Certain confidential communications between lawyers and clients are protected by legal professional privilege (LPP).

Crime and taxation

If personal information is for the purposes of prevention or detection of crime, apprehension or prosecution of offenders, or assessment or collection of a tax or duty or imposition of a similar nature, and compliance with a SAR would likely prejudice any of the foregoing purposes, an employer would be exempt from SAR compliance.

Management information

Personal data processed for management forecasting or planning regarding an organization or other activity is exempt from SAR compliance. If disclosing this information is likely to harm how the business or activity is conducted, an employer may choose to withhold it. Additionally, an employer is not required to disclose that they have such information, as acknowledging or denying having the information could hurt how the business operates and lead to conflicts with employees.

Negotiations with the requestor

Personal information included in a record of your intentions in negotiations with the requestor is exempt from SAR compliance. This only applies if complying with the SAR could prejudice the negotiation, and the employer must be able to demonstrate this. The exemption is also likely to hold only while the negotiations are in progress. After the negotiations are through, if the employer receives another SAR, it might be challenging for them to use this exemption.

Should the organization inform the individual making the SAR if the information is being withheld?

Organizations must always be open and transparent with individuals requesting information access. However, notifying the requester that you are withholding their personal information may not always be appropriate, for example, if it would prejudice the purpose of an exemption.

If an employee has consented to a non-disclosure or settlement agreement, does the organization still have to comply with the SAR?

Yes. Employees and individuals are entitled to obtain a copy of their personal information being held by their employer. A settlement or non-disclosure agreement cannot override this right.

Does the organization have to comply with a SAR if the employee is involved in a tribunal or grievance procedure?

Regardless of whether an employee is involved in a tribunal or grievance process with the employer, they have the right to obtain a copy of their personal information. If an employer believes that disclosing the requested information is inappropriate, they must explain the exemption they are utilizing and why. Even if an employee’s information has been disclosed to their legal representative under other legal requirements, an employer should still fulfill their employee’s right to access whenever requested.

If an employee requests information relating to activity that isn’t work-related but was conducted on the office laptop, the employer should review the organization’s policy on the use of its IT systems and fair usage. If the employer is not the controller for a given type of personal information, such as the contents of personal email communications, that information need not be disclosed even though it may be available on the employee’s laptop.

Does the organization need to disclose email content that the employee is copied into?

Organizations must consider what information in the email pertains to the requester personally, as the email's content and the context of the information are important in deciding whether to disclose all of the information or only certain sections.

Does the organization need to address SARs via social media?

Yes. Employers are the controllers for the information processed on social networking sites like Facebook, WhatsApp, and Twitter, and on chat channels on Microsoft Teams, if these are used by the organization for official purposes. Therefore, the employer must search these platforms to identify any information that falls within the scope of the SAR.

Does the organization need to disclose CCTV footage if it contains details of others?

The organization has an obligation to respond to a SAR that requests video footage containing an employee’s personal information. However, if that footage contains details of other individuals, the organization must obtain their consent before sharing the footage unless it’s reasonable to do so without their consent. Employers should ensure that their CCTV system makes it simple to discover and retrieve personal data in response to SARs and enables the redaction of third-party information as necessary.

What to do if an employee is dissatisfied with their SAR response?

The employee can raise their concern with the organization, which must take it seriously, and try to devise a solution with the requester. However, the worker has the right to raise an issue with the ICO if the concern isn’t resolved.

Best Practices for Responding to SARs

Employers must establish best practices to respond to SARs to ensure swift compliance and protection of personal data. Here are a few suggestions:

Establish DSAR Procedures

Establish written guidelines that spell out the measures to be taken when handling DSARs. Timelines for each process step should also be included, along with instructions for receiving, reviewing, and responding to requests.

Publicize Rights

Ensure that employees and individuals know their DSAR rights, how to submit requests, what information may be requested, and the anticipated response times.

Designate a Team or an Individual

Designate a specific individual or team in charge of managing DSARs for the organization. This single point of contact will allow for process streamlining, uniformity, and rapid and effective response to requests.

Verify the Requestor’s Identity

To avoid unauthorized access to personal data, take steps to confirm the identity of the person submitting the DSAR. If necessary, request more details or supporting proof to verify the requestor's identity.

Obtain Clarification

Request clarification if a request seems vague or not specific. Compile data from the various organizational departments or systems that contain the requestor’s personal information, ensuring that you take into account all relevant data sources and collect the data securely.

Conduct a Thorough Review

Identify any personal information that might be exempt from disclosure under data protection laws by thoroughly evaluating the obtained data. Redacting or anonymizing data belonging to third parties is one way to do this.

Provide a Thorough Response

Create a thorough response to the DSAR that includes the requested information and any other relevant details. It's important to present the information in an understandable and structured way to make it easier for the requester to understand. Ensure that requests are addressed in a timely manner as required under the applicable law.

Maintain a SAR Audit

Maintain a record of each SAR received, actions taken, decisions made, and communications with the requester during the process. Review the process periodically and make upgrades as and when necessary.

How Securiti Can Help

Securiti harnesses the power of AI-driven process automation, enabling organizations to comply with their data protection legal obligations efficiently and on time.

Securiti helps with building customizable DSAR forms, verifying requestors’ identity, establishing predefined workflows, mapping personal data to data subjects using AI, enabling stakeholders to safely collaborate on access requests without sending personal data over email, and collecting a central repository of records for use in case of regulatory reviews, audits, or lawsuits.

To learn more about the automation and orchestration of data subject requests and how much time you can save, request a demo to see Securiti in action!
