Managing Employee DSARs

August 2025

Right of Access: Data Subject Access Request (DSAR / SAR)

Your heart sinks. It’s a DSAR. It’s from a fellow employee. There’s an ongoing grievance case. You know it’s going to be tricky. Nuanced. Time-consuming. It’s even worse than someone cooking fish in the office microwave.

Current and former employees don’t tend to submit requests when they’re happy. There’s usually another issue at play – an unfair dismissal claim, an allegation of bullying or harassment, perhaps?

Having seen a recent spike in employee-related requests, I thought it might be helpful to provide a refresher on some (but by no means all) key DSAR matters.

Be prepared

If you’re planning workplace changes, or any other activity likely to unsettle people, be sure to factor in the potential for this to cause an increase in DSARs. Be prepared, with the necessary skilled resources on standby.

Awareness

Do people know what to do if they receive a request – verbally, by email or in the post? Do they know where this should be forwarded to, and pronto?

I’ve known of DSARs to be left languishing in someone’s inbox for a couple of weeks. They aren’t going away. In fact they’ll lurk there, like an alien in a horror movie. Watching. Waiting to pounce. Okay, not really, but you get the drift. Be sure to raise awareness to try and avoid a last-minute panic to meet the statutory response timeframe.

Reason

People don’t have to explain why they’ve submitted a request. Nor do they have to explain how they intend to use the information you provide them with. They don’t have to give you a reason, and many won’t.

You may suspect it’s a fishing exercise linked to another issue, but this mustn’t be allowed to get in the way of fulfilling their request. A DSAR should be handled separately to other matters, to prevent bias and make sure the process is fair. Admittedly, this may be easier in practice for larger organisations than for smaller ones.

And don’t forget you still need to respond on time, even if the statutory response date falls while other matters (such as a grievance) are ongoing.

Clarification

You can always ask for clarification if a request is unclear, or is going to involve searching and/or providing a large amount of information. For example, you can ask specifically what information they’re seeking, and the date range they’d like you to focus on. This can prove not just helpful for you, but also the individual themselves.

However, ultimately, you can’t force the person to narrow their scope. If they want all of their personal data, they are entitled to it – as long as it’s ‘reasonable and proportionate.’

Reasonable and proportionate searches

The scope of your searches may have to cover structured and unstructured data – such as emails and messaging apps. And I’m afraid there’s no magic wand to solve this one.

It’s a classic example of ‘each case turns on its own merits.’ If you can demonstrate a search is clearly unreasonable or disproportionate, you may refuse it. You need to balance the importance of the information to the individual asking for it, the circumstances of the request and the difficulties involved in retrieving the information.

As an example, it’s likely to be disproportionate to run a search just for someone’s initials in your email system, if this returns thousands of irrelevant results because it scoops up any word with those initials in it.

But remember, the ICO says the burden of proof is on the organisation to justify why a search is unreasonable or disproportionate – which is why it’s difficult to provide a hard and fast rule.

The Regulator also says organisations should design information management systems so personal data can be efficiently located, extracted and redacted. Remember, this is not a new right. Subject access requests were first introduced in the UK back in 1984, were enhanced by the Data Protection Act 1998, and further changes were then introduced in 2018 by GDPR.

The shiny new Data (Use and Access) Act 2025 has clarified searches should be ‘reasonable and proportionate’, and the ICO is planning to publish updated ‘Right of Access’ guidance within the coming months. Here’s hoping we get further detail from the regulator on how this should be interpreted in practice. Some real-world examples would be nice.

Not a right to documentation

People are entitled to a copy of their personal data, but not entire documents, or full email chains. Just because someone’s name or email address appears in a document or email doesn’t mean the rest of the content is their personal data. Especially if this relates to other routine ‘business as usual’ (BAU) matters.

So there can be quite a painstaking process to sift the personal data you need to provide from the information you don’t need or wish to include. You can take steps to exclude BAU correspondence, which is highly unlikely to include additional personal data other than the individual’s email address and name.

Social media 

If your organisation has corporate pages on social media platforms like Facebook, Instagram, WhatsApp or X, you’ll be the controller of any information posted, so they’re potentially in scope depending on the nature of the request. Also in scope are any posts shared with you, for example by other colleagues.

Recordings and transcripts

If you record meetings and/or use an AI tool to transcribe them, these are likely to capture personal data, so depending on the nature of the request they may well be in scope. When is it okay to transcribe meetings?

Information they already have

Information the requester already has in their possession (or has access to) is within scope. For example, letters or other documents previously shared directly with them. They may, of course, confirm they are okay for these to be excluded, if you ask.

Information about others

The Data Protection Act 2018 provides an exemption which says you don’t have to comply with a request if doing so means disclosing information which identifies another individual, unless the other individual has given their consent, or it’s reasonable to disclose without their consent.

Routinely this won’t mean you don’t have to comply with the request in full, but rather that protecting others is considered with respect to some of the information that’s been collated.

Often with employee requests, searches will retrieve some information which relates to other people. Sometimes it will be reasonable to disclose with or without consent; sometimes it will be possible to apply redaction, so other individuals are no longer identifiable. Alternatively, you might choose to extract only the pertinent personal information relating to the requester.

Where it is not possible to render another person unidentifiable, where you have a duty of confidence and/or a real concern this will infringe on the other person’s rights and freedoms, you may decide not to disclose.

Negotiations with the individual

If you have a record of your intentions in any negotiations with the requester, this would be exempt from the right of access if this could prejudice the negotiation. The ICO stresses this exemption is only likely to apply while negotiations are ongoing and may be difficult to apply once they’ve ended. In short, anything you write might ‘be taken down and given in evidence’ (ahem!).

Non-disclosure or settlement agreements

The ICO says people have the right to a copy of their personal information, and this right cannot be overridden by a settlement or non-disclosure agreement. In other words, even if it’s written into an agreement that the individual is not permitted to submit a DSAR, the Regulator says this element of any agreement is likely to be unenforceable.

It’s quite possible someone might willingly withdraw their DSAR as part of a settlement, but this doesn’t render them barred from submitting one again in future.

So, finally…

To sum up, there’s no easy way to handle an employee-related DSAR. It requires an eye for detail and an understanding of the rules and principles behind the legislation. Is there anything that might make DSARs more straightforward? Having a robust approach to data retention – only keeping what’s necessary, so there’s less data to trawl through when you get a request. And just to say, if a DSAR is especially delicate or complex, it may be wise to seek legal advice where you’re unsure.