Decoding UK SARs: Employer’s Ultimate guide

Decoding UK SARs: Employer’s Ultimate Guide. First and foremost, Subject Access Requests (SARs) have a crucial function in upholding data protection rights, allowing individuals to access their personal information held by organisations. Moreover, between April 2022 and March 2023, the UK Information Commissioner’s Office (ICO) registered an substantial count of over 15,848 complaints related to SARs. This underscores the increasing significance for employers to possess a strong understanding of SAR regulations and protocols. Within this comprehensive guide, we explore SARs comprehensively, furnishing you with intricate details and practical instances to guarantee compliance and the effective management of response procedures.

What is a SAR:

Subject Access Requests (SARs). Navigating Rights and Regulations. Following this, Subject Access Requests (SARs) fall under the UK GDPR and the Data Protection Act 2018 (DPA). These crucial regulations cover individuals, including employees, with the privilege to access their personal data. Including any accompanying information retained by an organisation. The process for initiating a SAR can be through verbal communication, written requests, or even via social media platforms. Furthermore, a single SAR has the potential to cover a range of specific inquiries.

Decoding UK SARs: Employer’s Ultimate guide:

Confirmation of Data Processing:

  • To begin with, individuals have the right to be informed about whether their personal data is being processed by an organisation.

Access to Personal Information

  • Secondly employees can request access to their personal data, allowing them to review and verify the accuracy and lawfulness of the processing.

Lawful Basis of Data Processing:

  • Therefore requester can seek clarification on the lawful basis on which the business processes their personal data.

Data Retention Period:

  • Furthermore, individuals also have the option to inquire about the duration their personal data will be retained.

Data Source and Collection:

  • The organisation should provide relevant information on how the individual’s data was obtained and any third parties it was shared with.

Automated Decision-Making and Profiling:

  • If automated decision-making or profiling is involved, the requester can request relevant information regarding these processes

Under the GDPR, organisations must respond to SARs “without undue delay” and within one month of receiving the request. However, in complex cases, the deadline can be extended by an additional two months, provided the organisation explains the reasons for the delay. Additionally, if the organisation requires further clarification to process the request, the clock stops until the requester provides the necessary information.


A retail company receives a SAR from an employee seeking access to their personal data, including their performance evaluations and work-related emails. Due to the extensive data volume, the organisation may require an extension of one month, which should be communicated to the employee with justifications.

Reasonable Efforts:

The GDPR requires organisations to make reasonable efforts to locate and retrieve the requested information. However, the organisation is not obligated to undertake disproportionate or unreasonable searches.


A large multinational company receives a SAR from a former employee who wants access to all personal data collected during their tenure. Searching through vast archives may prove unreasonably burdensome. The organisation must assess the proportionality and document its decision to search only relevant data within a reasonable timeframe.

Recent Clarifications: Decoding UK SARs: Employer’s Ultimate guide

The ICO recently published new guidance to assist employers in handling SARs effectively. The guidance addresses common misconceptions and questions, offering valuable insights.

Here are some key clarifications: 
Withholding Information:
  • Employers can refuse to comply with a SAR if it is manifestly unfounded, excessive, or if specific exemptions apply. However, the “manifestly unfound” standard is high, and the guidance provides criteria for making this determination.

An employee repeatedly submits SARs, asking for the same information without any specific purpose or reason. The employer may refuse to comply, as the request is manifestly unfounded.

  • The guidance presents examples of applicable exemptions that allow employers to withhold information under certain circumstances.

If an employee requests their personal information but also information about other employees, the organisation can redact the third-party information to preserve privacy.

Non-Work-Related Information:
  • The guidance emphasises that employers should have clear policies in place regarding employees’ personal use of IT systems, helping to distinguish personal information from work-related content.

An employee requests access to their work email account, which includes personal and work-related emails. The employer must consider the context of each email to determine which parts qualify as personal information.

Searching Social Media:
  • Employers who use social media platforms must search these pages for personal information falling under the scope of a SAR.

An employee submits a SAR requesting access to any personal information the organisation holds about them on their official social media pages. The organisation must conduct a thorough search of these platforms to comply with the request.

Failure to Comply:

Failure to respond appropriately to a SAR can lead to enforcement actions by supervisory authorities, including penalties, reprimands, and enforcement notices. In addition, individuals may seek court orders for compliance, and courts may award compensatory awards under certain circumstances.

Reform and the Data Protection and Digital Information Bill:

The UK government is in the process of reforming data protection legislation with the Data Protection and Digital Information (No. 2) Bill. Although minimal changes are proposed regarding SARs, further clarifications on response times and handling complex requests are expected to enhance transparency and efficiency.

In Summary: 

Subject Access Requests (SARs) function as a potent instrument for individuals to assert their data protection rights. Consequently, employers need to be thoroughly prepared to manage them with precision and accountability. Thus thoroughly understanding the GDPR regulations, promptly providing responses, making reasonable efforts to retrieve information, and staying informed about legislative reforms, organisations can ensure compliance and build trust with their employees and stakeholders. In this ever-evolving landscape of data protection, staying ahead is vital.


ICO Guidance For Employers