Under the UK General Data Protection Regulation (UK GDPR), individuals have the right to request access to their personal data held by an organisation. This right applies to employees, clients, and any other individuals whose personal data is processed by the law firm.
Employers cannot charge a fee for complying with a SAR unless the request is manifestly unfounded or excessive. The response to a SAR must be in an easily accessible format, such as a digital copy.
A Data Subject Access Request (DSAR) allows an individual to request personal data held about them by an organisation under the UK GDPR. In disciplinary or grievance situations, employees may use a DSAR to access records such as emails, meeting notes, or investigation reports. This can help them understand the case against them or support their claims.
Employers must respond within one month and provide relevant data unless exemptions apply (e.g. third-party confidentiality). Failure to comply can lead to complaints to the ICO. For employees, it’s a strategic tool; for employers, it requires careful data management and compliance to avoid legal risks.
As examples of how a DSAR may impact disciplinary or grievance processes:
Disciplinary - an employee accused of misconduct submits a DSAR and discovers internal emails discussing the case before they were formally informed, suggesting potential bias or procedural flaws.
Grievance - an employee raising a grievance uses a DSAR to obtain meeting notes and emails that show management was aware of issues (e.g. bullying) but failed to act, strengthening their complaint.
Mitigation - a DSAR reveals inconsistencies in witness statements or documentation, which the employee uses to challenge the fairness of the process.
Employers should respond to a SAR carefully at all times, but especially if a potential employment dispute exists. Key matters to take into account, and with which legal advice may assist, include:
Informal requests - SARs can be informal, ranging from specific requests like “can I see my last appraisal?” to broad ones like “what data do you hold on me?”
Clarify requests - it’s acceptable to ask for clarification on vague or broad SARs, especially when dealing with extensive employee records.
Reasonable judgment - employers have discretion to determine what data to disclose or withhold, considering factors like privacy and confidentiality.
Risk assessment - consider potential risks and liabilities associated with the SAR.
Comprehensive search - conduct a thorough search of all relevant systems and records.
Identify sensitive information - determine if any sensitive or confidential information needs to be redacted or withheld.
Protect sensitive information - redact any sensitive personal data that is not directly relevant to the SAR.
Anonymise third-party data - anonymise any personal data belonging to third parties to protect their privacy.
Accurate and complete information - provide accurate and complete information, but avoid disclosing unnecessary details.
Adhere to deadlines - respond to the SAR within the statutory timeframes.
Anticipate follow-up requests - be prepared for potential follow-up requests or clarifications.
Have a clear SAR Policy - develop a clear policy outlining your procedures for handling SARs.
Maintain consistent approach - maintain a consistent approach to all SARs, regardless of the underlying circumstances.
Employers can only refuse a SAR in limited circumstances, such as when the request is manifestly unfounded or excessive. In most cases, employers are legally obligated to comply with SARs.
If an employer refuses to comply with a SAR, they could face significant consequences, which can include:
ICO enforcement action - the Information Commissioner's Office (ICO) can investigate and take enforcement action, including issuing very large fines.
Employment Tribunal claims - employees who are denied their right to access personal data may bring claims before an employment tribunal, potentially leading to compensation awards.
Reputational damage - refusing a SAR can damage the employer's reputation and erode trust with employees and clients.
Legal costs - if the employer loses a legal challenge, they may be liable for the employee's legal costs.
For Employers:
Assist in identifying and reviewing relevant data for DSAR responses
Ensure compliance with GDPR timelines and legal exemptions
Minimise business disruption and protect confidential information
Provide guidance on managing DSARs during active disciplinary or grievance processes
For Employees:
Advise on how to draft and submit an effective DSAR
Help interpret the information received to support your case
Identify any data protection concerns or irregularities
Support you in using DSARs strategically in disputes or negotiations
Partner - Commercial law and Data issues
Phil specialises in assisting SMEs and owner-managed businesses with their non-contentious commercial contracts and data protection needs. He qualified as a Solicitor in 2002 and has worked in Legal 500 ranked firms during his career.
His experti...