Subject access requests
Subject access requests (SARs) have become an increasingly important tool for employees seeking transparency about how their personal data is used and stored by their employer.
Whether you’re involved in a workplace dispute or simply want to understand what information your employer holds about you, this guide explains your rights and what to expect when making a subject access request under UK data protection law.
What is a subject access request?
Understanding your data rights under the UK GDPR
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, individuals have the right to access personal data held about them by organisations. This right is exercised through a subject access request, which allows you to ask your employer (or former employer) for copies of any personal data they hold about you.
Personal data refers to information that relates to an identifiable individual. In the employment context, this could include emails, HR records, performance appraisals, grievance or disciplinary files, and internal communications.
When and why you might make a subject access request to your employer
Employees may make subject access requests for various reasons, including:
- Understanding how their personal data is processed;
- Checking the accuracy of records;
- Preparing for a disciplinary hearing or grievance;
- Gathering evidence for an employment tribunal claim.
Although you do not have to give a reason when making a request, it may help to focus the search if you specify particular types of documents or time periods.
How to make a subject access request
What to include in your request
A subject access request does not need to be in a specific format, but it should be made in writing and include:
- Your name and contact details;
- A clear statement that you are making a subject access request under the UK GDPR;
- Any specific documents, date ranges, or types of data you are seeking (e.g., “emails containing my name between January and March 2024”).
Although you can request all data held about you, targeted requests are often more manageable for both parties.
Who to send your request to
You should send your SAR to your employer’s HR department or the individual responsible for data protection — often referred to as the Data Protection Officer (DPO). If you’re unsure, your company’s privacy policy or internal HR portal may indicate the appropriate contact.
Template wording for employees
A simple example of SAR wording might be:
“I am making a subject access request under the UK GDPR. Please provide me with copies of all personal data you hold about me, including emails, personnel files, and internal communications, for the period of [insert relevant dates].”
What your employer must do in response
Time limits for responding to a subject access request
Your employer must respond without undue delay and within one calendar month of receiving your request. This period may be extended by up to two months if the request is complex or if multiple requests have been made, but the employer must inform you of the extension and the reasons for it within the initial one-month timeframe.
What information should be disclosed
Your employer should provide:
- A copy of your personal data;
- Information about how and why your data is being processed;
- The categories of data involved;
- Details of third parties who have received your data.
The data must be supplied in a format that is easy to understand.
Can your employer refuse or limit disclosure?
Yes, there are circumstances where an employer may lawfully withhold certain information. For example:
- Data that identifies another individual, unless that person has consented;
- Legally privileged documents (e.g., confidential legal advice);
- Information that could prejudice an ongoing investigation;
- Confidential references or management forecasting.
In such cases, the employer should explain the legal basis for withholding the information.
Common issues with subject access requests in employment
Withholding documents or redacting information
It is common for employers to redact (black out) parts of documents that contain third-party personal data or sensitive business information. However, redactions must be justified and proportionate. Overuse of redactions or failure to disclose clearly relevant documents may give rise to complaints to the Information Commissioner’s Office (ICO).
Disputes over excessive or unfounded requests
Employers may reject SARs they consider “manifestly unfounded” or “excessive,” particularly if a request is repetitive or disruptive. However, simply requesting a large volume of data is not in itself grounds for refusal. Employers should assess each request on its merits and explain any refusal.
Can disciplinary or grievance records be requested?
Yes, employees are entitled to access personal data contained within grievance or disciplinary documents. This includes witness statements, investigation notes, and correspondence where the employee is identifiable. However, employers must still balance this with the privacy rights of others.
Using a subject access request before or during a dispute
Gathering evidence for grievances, disciplinaries or employment tribunal claims
Subject access requests are frequently used to support grievances or claims for unfair dismissal, discrimination, or whistleblowing. They can uncover emails, meeting notes, or internal discussions that may not otherwise be accessible to the employee.
That said, SARs are not a substitute for legal disclosure obligations in tribunal proceedings, and the scope of disclosure under UK GDPR is not the same as under civil procedure rules.
Timing and strategic use in employment disputes
Timing can be important. Making a SAR early in a dispute may help clarify facts, identify gaps in communication, or provide leverage in negotiations. However, if tribunal proceedings are already under way, formal disclosure procedures may be more effective.
Limitations of subject access requests in litigation
SARs cannot compel an employer to create documents that do not already exist. They are limited to personal data and may exclude internal documents that do not directly relate to the individual. SARs are not a tool for general “fishing expeditions.”
What to do if your employer doesn’t respond properly
Raising concerns with your employer or HR
If your employer fails to respond within the statutory timeframe, or provides an incomplete response, you should first raise the issue directly with them—ideally in writing. Set out your concerns clearly and request a full response within a reasonable period.
Complaining to the Information Commissioner’s Office (ICO)
If you are not satisfied with your employer’s response, you can lodge a complaint with the Information Commissioner’s Office. The ICO has powers to investigate and take enforcement action against employers who fail to comply with their data protection obligations.
Seeking legal advice or enforcement options
In some cases, it may be appropriate to take legal action to enforce your rights. This could involve making a claim in the civil courts for compliance, damages, or both. Legal advice should be sought before taking this step.
Related rights and legal considerations
The right to erasure, rectification and restriction
In addition to access, individuals have other rights under the UK GDPR, including the right to:
- Request correction of inaccurate data;
- Request deletion of data in certain circumstances;
- Object to processing or request that processing be restricted.
These rights may be relevant in employment disputes involving incorrect or unfair records.
How subject access interacts with confidentiality and privilege
Employers may withhold documents that are protected by legal professional privilege, such as confidential advice from solicitors. By contrast, documents marked “confidential” are not automatically exempt; the contents and context will determine whether disclosure is required.
Impact on settlement agreements and exit negotiations
SARs are sometimes used by employees before negotiating a settlement agreement. While this can strengthen the employee’s position, employers may also include terms in a settlement that address data access or deletion. Legal advice should be taken before agreeing to such terms.
If you are considering making a subject access request or have concerns about how your data has been handled by your employer, it is often helpful to seek advice from an employment solicitor. Understanding your rights can help you navigate disputes more effectively and ensure that your personal data is treated lawfully.
The information on this page is intended for general informational purposes only and does not constitute legal advice.
Contact Our Employment Solicitors
Our employment lawyers are experts in dealing with Employment Tribunal claims and advising on employment disputes.
Tessa Harris supervises our employment law team and has extensive experience in advising employees on employment claims, Employment Tribunal proceedings, and settlement agreements.