How to Make a Data Subject Access Request and What Employers Must Disclose

Published : December 29, 2025

Access to personal data can be a powerful tool in the workplace. Whether an employee is facing disciplinary action, raising a grievance, or preparing for potential legal proceedings, understanding what information an employer holds can be critical. This is where a subject access request comes into play.

Under UK data protection law, employees have the right to request copies of their personal data from their employer. When used properly, this right can bring transparency to internal decision-making and ensure accountability. When misunderstood or mishandled, however, it can lead to disputes, delays and regulatory consequences.

In this article, we explain what a subject access request is, when employees might want to make one, what employers are required to disclose, and where the limits of this right lie. We also consider the risks of misuse and the potential penalties for non-compliance.

If you are considering making a DSAR and want expert help, contact us. Redmans Solicitors are sector specialists, and following a brief chat, we can provide expert advice. To get started, simply:

What is a Subject Access Request?

A data subject access request, often abbreviated to SAR or DSAR, is a right granted under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This entitlement allows individuals to request a copy of the personal data an organisation holds about them, along with certain supplementary information.

In employment contexts, job applicants and employees (both current and former) may request access to personal data held by an employer. This could include recruitment notes, disciplinary reviews and other information that identifies the individual.

Read More: Employment Tribunal Claims: How to Complete The ET1 Form and Strengthen Your Claim

Requests can be made in writing, by email, or verbally, and they don’t need to use specific legal terminology. Importantly, even if an individual makes a DSAR with the intention of obtaining evidence for a potential claim, the employer cannot refuse to comply simply to avoid litigation.

What are Common Reasons to Submit a SAR?

An individual may submit a subject access request for various reasons. That said, a SAR can be useful when addressing workplace conflict.

Suppose an employee is facing allegations of misconduct; for example, they may wish to better understand the situation and learn the basis for the allegations. A DSAR could reveal emails that demonstrate procedural flaws in the disciplinary process, providing the employee with grounds for appeal.

Individuals can also submit subject access requests if they believe they have been treated unlawfully. This could include an unfair recruitment process or discrimination during a promotion decision. Access to personal data can strengthen one’s position and help them during settlement negotiations or tribunal proceedings.

However, it’s important to note that strategy and timing matter. If a subject access request is made when discussions are already progressing constructively, relations may be strained, hindering their progress. As such, it’s recommended to seek legal advice to ensure any request is only made if it will support, rather than undermine, the individual’s objective.

Employer Obligations: What Must Be Disclosed?

When employers receive valid subject access requests, they must respond without undue delay, usually within one calendar month. This timeline can be extended by up to two additional months, but this only applies to complex requests and requires justification.

Regarding personal data itself, employers must disclose information relating to the individual requesting it. Depending on the specifics of the request, this could include personnel records, emails, disciplinary documents, Microsoft Teams messages and more. Employers must also provide supplementary information, including why the data was processed, the categories of recipients, and details of the individual’s data protection rights.

Notably, the right of access to data isn’t absolute. Employers may lawfully refuse to disclose certain information in response to a SAR where exemptions apply. Such exemptions can include limitations relating to third-party data, where the information of others cannot be redacted; legal professional privilege, and requests that are “manifestly unfounded or excessive.” When employers refuse a request, though, they must explain their reasoning and inform the employee of their right to complain to the Information Commissioner’s Office (ICO).

GDPR Penalties for Non-Compliance

Where an employer fails to comply with a subject access request, individuals can complain to the ICO. The ICO will subsequently investigate the matter and, where applicable, issue enforcement notices or impose fines. In serious cases, such fines can reach millions of pounds, although this will be dependent on the size and nature of the organisation.

Additionally, individuals can apply to the courts for an order compelling compliance with their data subject access request. In some cases, they may also seek compensation for material damage or distress caused by the employer’s failure to comply.

From an employer’s perspective, complying with a SAR is essential. Unjustified delays, incomplete disclosures, or blanket refusals could lead to reputational and legal risks. Proper systems and training are therefore essential to ensure SARs are recognised and handled correctly.

Concerns Around DSAR Misuse and “Fishing Expeditions”

While individuals are entitled to make a subject access request, there’s sometimes concern about their misuse. This particularly concerns “fishing expeditions,” where requests are made in search of incriminating material.

Read More: NHS Doctor Awarded £85k After Unfair Dismissal Claim

UK law acknowledges this tension but doesn’t prohibit employees from using a DSAR to support legal claims. The key issue is proportionality. Requests that are deliberately vague, repetitive, or intended solely to harass may be considered manifestly unfounded and/or excessive, depending on the circumstances, and will be assessed individually.

For employees, this highlights the importance of precision. A targeted subject access request that specifies relevant timeframes, individuals, and communication channels is more likely to succeed and less likely to encounter delays or refusals.

Making a Subject Access Request

If an individual wants to make a subject access request, they can do so without legal assistance. That being said, obtaining legal advice can make the difference in submitting a precise request that supports one’s case.

Contact Redmans Solicitors today for expert help with your SAR. Our team of specialists is here to help. After a brief chat, we can assess your case, answer your questions, and discuss your options.

To begin your journey with us now, simply:

The information on this page is intended for general informational purposes only and does not constitute legal advice.