News and Events

How to manage employment related Data Subject Access Requests

View profile for Sarah Whitemore
  • Posted
  • Author

Data Subject Access Requests (DSAR) are becoming more prevalent, and while there is currently a maximum fee of £10 to make a request, under new data protection rules, namely GDPR, they will be free of charge in the future.  Sarah Whitemore, Employment Partner, explains here the rules and guidance surrounding an employment related Data Subject Access Request under the Data Protection Act.

Who can make a Data Subject Access Request?

While anyone can make a DSAR against a company, when it comes to employment related requests, it is not only employees or former employees who can make a request.  It could include successful and unsuccessful job applicants, current and former agency staff and casual or contract staff.  Ordinarily following some form of dismissal or disciplinary procedure, the individual will be making the request to see if the company did anything wrong.

In order to make a valid DSAR, the individual must make the request in writing, either by letter or email.  The business can request verification of ID, and currently can also request a fee of up to £10. 

A DSAR must be logged internally and should include the following details:

  • Name/contact details of the individual making the request
  • Date the request was received
  • Whether a fee was provided
  • Information as to how the data will be located
  • Information to identify the individual
  • The date the information is provided

Responding to a Data Subject Access Request

There must be a response to the individual within 40 calendar days of either the receipt of the request or receipt of further information and/or the fee.  This 40 calendar day time limit will also change with the introduction of GDPR in May 2018, to 30 calendar days.  The Information Commissioner’s Office (ICO) may be inclined to show leniency if you run over the 40 day time limit, if you can demonstrate that you have informed the individual of reasons why there may be a delay. The ICO have however in the past taken a very ‘David and Goliath’ approach to complaints, thinking of the big company withholding data from the little individual.

When responding it is advisable to do so in a non-confrontational and accommodating fashion, particularly if you are requesting further information prior to beginning your search.  The ICO does allow you to filter to narrow your search.  You can ask the individual to be more specific as to dates between which to search, relevant senders and recipients of emails or the relevant business line or function. 

In a response you must specify whether or not you hold their personal data, a description of the personal data you hold, where it came from and why their data is being processed.  If the data has been sent elsewhere you must also detail the recipients. Copies of the data must also be supplied.

What is data under a Data Subject Access Request?

For the purpose of a DSAR data means:

  • Electronic Data: Data held on computers, phones, CCTV, swipe cards etc
  • Manual Data: Hard copy documents held in a manual filing system where it can be found by using the name, or other identifier for the data subject.
  • It must be personal data:
    • So must relate to the individual
    • May include opinions about the individual.

The definition of personal data under the Data Protection Act is incredibly wide.  The leading case on the topic is the case of Durant v FSA.  This case defined personal data as data that has biographical significance and focus. While this case has merit in terms of understanding how to deal with a DSAR, the ICO are more likely to refer you to their own Code of Practice rather than relying on the definition from this case.

The ICO guidance states that the data to be provided to the individual is not limited to facts about a person, but can also include expressions of opinion or indications of intention.

Personal data in this context includes, but is not limited to, name, address (including email address), date of birth, salary and bank account, emails involving the worker, their personnel file and application forms. 

The ICO’s Employment Practices Code talks about personal information as including information which is about a living persona and affects that person’s privacy whether in his personal or family life, or business or professional capacity provided that the information has the data subject as its focus or is otherwise biographical in nature.  It includes anonymous information if the organisation has other information which could be used to link it to the data subject.  By way of demonstration, the Code confirms that it would include information on a worker in a supervisor’s notebook where there is an intention to put the information on the computerised personnel file. 

You are not, however, bound to provide information which identifies other individuals or where other workers are involved, for example, providing information on the entire workforce’s salary, given by grade, even if other individuals are not identifiable. 

Other exemptions to Data Subject Access Requests

There are certain exemptions under the regulations.  One example is data with legal privilege; if an HR Manager is emailing a lawyer for advice about the individual, those emails are not required to be included.  Confidential references given about the individual are also not to be included, however confidential references received are.  Other exemptions include evidence of criminal activity, corporate finance and management forecasts, or details of negotiations between the company and the individual.

If a company receives a DSAR, they will understandably be concerned about how to collate all the data, and about how much time and resource the request will take up.  From a number of cases however, such as Ezsias v Welsh Ministers, it is clear that a company cannot refuse to comply just because it would be costly and time consuming.  It is recommended that businesses work out in advance how they would manage a DSAR, not just regarding employment related individuals, but also clients, former clients or indeed anyone who has had contact with the company.  This would take involvement from IT, heads of department and marketing to name a few, but when the time comes that a request is made, having a plan in place could mean the difference between a fine or not.

The Data Protection Act 1998 is to be replaced by the General Data Protection Regulation on 25th May 2018. Whilst the rules on DSAR remain substantially unchanged, businesses will need to adapt their data processing practices to comply.

To find out more about employment related Data Subject Access Requests, you can contact Sarah or the Employment team on 02380 717717 or email


This is for information purposes only and is no substitute for, and should not be interpreted as, legal advice.  All content was correct at the time of publishing and we cannot be held responsible for any changes that may invalidate this article.