Blandy & Blandy Solicitors

Insights // 31 March 2026

Handling Employee Data Subject Access Requests (DSARs): Practical Guidance

In this fourth blog article in our series on de-mystifying Data Subject Access Requests (DSARs), Sue Dowling and Victoria Eustace, in our Employment Law team, outline what to do on receipt of a DSAR from an employee or worker (whether current or former), in the employment context.  

Responding to a DSAR can be a very time-consuming, complex and highly technical task, which can be difficult for employers to get right (particularly where, almost invariably, the personal data of the employee making the request is intertwined with personal data of other staff – e.g. the employee’s line manager).

The steps below set out some general pointers on what to consider on receipt of a DSAR; they should not be taken as an exhaustive list or as a substitute for careful consideration of the information available through the ICO and/or taking legal advice in appropriate circumstances.

The starting point is to remember that an employer (as Controller) is under legal duties (under UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025) to facilitate the exercise by an employee of their subject access right; the request must always be handled lawfully, fairly and transparently and the response must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. 

1. Act quickly – diarise long-stop date for compliance

It is important to respond promptly on receipt of a DSAR. Generally, a response (complying with the legislation) must be provided ‘without undue delay’ and at the latest within one month of receipt of the request. The one-month ‘long-stop’ deadline can be extended in limited circumstances, for example due to a valid request from the employer for ID from the employee (to check the identity of the employee making the request) and/or can be extended by an additional two months if the request is ‘complex’ or a number of requests have been received in respect of the same individual (see below). If an employer intends to rely on the extended deadline, it must notify the employee within the first month of this fact and explain the reasons for the delay.

Given the need to move quickly, employers should ensure that they are prepared in advance to respond to DSARs. Employers should establish a procedure for handling requests and effectively communicate that procedure to all staff – see later blog articles in this series.

2. Consider requesting proof of identity

If there is reasonable doubt about the identity of the person submitting the request, their identification should be verified. The additional information sought to verify identification should be reasonable and proportionate.

Identification should not be sought as a matter of course. If the identification of the person submitting the request is obvious, it will not be appropriate to request verification. If proof of identity is reasonably requested, the time limit for responding to the DSAR will not start to run until the requester’s identification has been verified.

3. Preserve and collate data

In order to comply with a DSAR, the employer must provide personal data pursuant to the request having conducted a reasonable and proportionate search. It is worth remembering that DSARs only relate to “automated or structured processing of personal data”, although “automated” covers all IT/automated platforms (e.g. email, WhatsApp/messaging apps, CCTV, audio recordings, etc.), and personal information which is processed partly (as well as wholly) by automated means. Personal data which is contained neither on an automated system nor within a non-automated but “structured” process (meaning as part of a filing system or intended to be part of a filing system) does not fall within a DSAR.

On receipt of a DSAR, immediate steps should be taken to preserve any personal data which may fall within the scope of the DSAR.

4. Scope of the request – Is it clear what the employee is requesting?

Where necessary, an employer can ask for a request to be clarified. The time limit for responding to the DSAR will stop running from the date clarification is sought to the date the response is received, effectively stopping the clock.

Clarification should not be automatically sought; it should only be sought where clarification is genuinely required to respond to the request and where the employer processes large amounts of information about the employee. Much depends on the employer’s size and resources – it is unlikely to be necessary to seek clarification if the employer can respond to the request quickly and easily due (for example) to sophisticated IT search resources.

5. Is the request for information “manifestly unfounded” or “excessive”?

An employer may refuse to respond to a DSAR where it is “manifestly unfounded” or “excessive” (in particular because of its repetitive character). Alternatively, an employer may respond but subject to the payment of a reasonable fee to cover its administration costs.

A DSAR must be considered in all the circumstances and in context, and an employer must be able to justify a decision (due to exceptional factors) to treat a request as “manifestly unfounded or excessive”. As is clear from the ICO Guidance (Right of access | ICO) on the factors to consider when determining whether a request may be considered “manifestly unfounded or excessive”, the bar for the employer to meet is high and, in most instances, the better approach will be for the employer to seek clarification of the request and/or respond to the request to the extent it considers reasonable and proportionate.

6. Determine whether it is appropriate to extend the time limit

If a DSAR is ‘complex’, or a number of requests are received from the same person, an employer may extend the time limit for responding to a request by an additional two months. Sheer volume of information is unlikely to render a request ‘complex’; it must be considered in all the circumstances of the case. Factors to consider include, but are not limited to:

  • How easily information may be retrieved and whether any specialist assistance will be required to overcome technical difficulties or to render information intelligible.
  • The likely presence of particularly sensitive data.
  • The need to obtain specialist legal advice.

An employer will need to fully justify its decision to deem a DSAR ‘complex’ and thus extend the time limit.

Complying with a DSAR

We will be providing further information on how to respond to DSARs, including what exemptions may be relevant to exclude certain personal data, later in our series of blog articles.

If you require further information in the meantime, the ICO has published detailed guidance (Right of access | ICO), or our Employment Law team can advise on all aspects of Employment Law, including in relation to Data Subject Access Requests (DSARs or SARs).

For further information or legal advice, please contact law@blandy.co.uk or call 0118 951 6800.

This article is intended for the use of clients and other interested parties. The information contained in it is believed to be correct at the date of publication, but it is necessarily of a brief and general nature and should not be relied upon as a substitute for specific professional advice.

Sue Dowling

Partner, Employment Law & Venue Licensing

Victoria Eustace

Senior Associate, Employment Law