Subject Access Requests – The Relentless Rise

Aug 8, 2023

In recent years, employers have seen an overwhelming rise in data subject access requests (‘DSARs’) from their employees as a tactical move in workplace disputes and this is only set to continue. Responding to DSARs takes up considerable time and administrative resources which could be better spent elsewhere, and we have increasingly been advising employers on how to navigate the fine line between processing their employee’s requests efficiently and remaining fully compliant with complex data protection legislation.

DSARs in Employment

An individual’s right to make a DSAR to obtain the information an organisation holds about them has long been an integral element of UK data protection legislation. However, as information technology has advanced, the vast increase in electronic data held relating to employees means that processing DSARs is now a far more onerous task for employers than was ever envisioned.

In recent years, this has led to a rapid rise in DSARs from employees involved in ongoing workplace disputes who recognise that the cost and administrative burden this places on their employers can seriously increase their willingness to reach a settlement, or a settlement on more favourable terms.

However, with the growing inevitability of receiving employee DSARs in such situations, employers are increasingly less inclined to agree a settlement just to avoid the costs and administrative burdens of complying with DSARs and are instead looking for ways to respond with improved efficiency.

Difficulties with Compliance

In the year to March 2023, the Information Commissioner’s Office (ICO), the independent body responsible for upholding information rights in the UK, received 15,848 complaints regarding DSARs. This casts into focus the difficulty of remaining compliant with data protection law when responding to DSARs.

Further, as the ICO may take enforcement action for non-compliance, including enforcement notices, reprimands and fines, and the civil court may order compliance, and potentially compensatory awards, it is vitally important to navigate these difficulties to ensure that DSAR responses are fully compliant.

The following are some of the main difficulties faced by employers when responding to employee DSARs:

Time to Respond

A DSAR must be dealt with without undue delay, but within one month of being received at the latest. It is, therefore, important to note the date upon which the DSAR is received to avoid missing the deadline to respond one month later.

The one month period for response may be extended by a further two months where the DSAR is particularly complex. In such cases, the employee must be informed of the extension, stating the relevant reasons, as soon as possible within the initial one month period. A DSAR will not necessarily be complex just because a large volume of data is involved so it is important to consider the potential complexity of each individual DSAR carefully.

Establishing Scope

Where an employer holds large volumes of data relating to the employee, it may be necessary to discuss narrowing the scope of the DSAR with them, to focus the search on the information they wish to receive. Not only will conducting too broad a search incur unnecessary costs, it also may not be possible to complete the search within the period for response whilst also remaining compliant with the ICO’s requirements.

Identifying Relevant Personal Data

Under the Data Protection Act 2018 (‘the Act’), personal data is any information relating to an identifiable individual. This extremely broad definition covers data referring to an individual by which they may be identified either directly or indirectly.

Having located the employee’s potential personal data, consideration must turn to whether it constitutes personal data under the Act. Data can refer to or be linked to the employee without relating to them if it is about a separate topic, such as in day-to-day business communication.

Identifying Exempted Data

Further, when assessing the relevance of personal data, any potential exemptions to the right to access personal data should be considered, as data falling within an exempted category will not be disclosable. The most commonly encountered form of exempted data will be other peoples’ personal information where it appears alongside that of the employee making the DSAR. In such cases, caution should be exercised to ensure that the personal data rights of other individuals are not breached inadvertently.

How We Can Help

We can provide an expert view on a difficult area of law so that employers will be well informed and fully prepared when an employee DSAR is received.

The ICO’s guidance makes clear its expectation that employers should have DSAR policies in place covering the processing and accessing of data, alongside parameters covering what employers may use their IT systems for. We can advise with drafting DSAR policies and ensuring they remain up to date.

Further, our specialist DSAR team can help to:

  • make the process more efficient whilst complying with the requirements of the ICO;
  • manage data and engage with the ICO on your behalf regarding what is a reasonable search;
  • assist with narrowing the scope of the search to reduce the results;
  • define relevant personal data;
  • identify exempted data and ensure it is not disclosed; and
  • set up secure data transfer rooms for processing and disclosure.

If you require any advice or assistance regarding DSARs, please contact us to speak to a member of our Employment Team.

This reflects the law and market position at the date of publication and is written as a general guide. It does not contain definitive legal advice, which should be sought in relation to a specific matter.

Darren Smith

Darren Smith

Partner, Employment Law

David Fullbrook

David Fullbrook

Trainee Solicitor, Employment Law

Latest News & Insights

All in a Day’s Work: Employment Podcast Series

Our Employment team bring you a monthly podcast covering all aspects of Employment law for businesses and individuals. You can browse our podcasts below…
All in a Day’s Work: Introduction to TUPE

All in a Day’s Work: Introduction to TUPE

In this episode, we discuss the basic principles of TUPE including when a transfer arises, the impact this has on employees and how best to prepare for a potential TUPE transfer.

Top Legal Insights


Contract Law

Material Breach of Contract

What is a ‘material’ breach of contract by a party to a commercial contract? This is a critical issue regularly considered by the courts. What constitutes a material breach and what are the remedies?

Property Law

Commercial Lease: The Financial impact on Landlord and Tenant

Coronavirus (COVID-19) and the restrictions now in place to control its spread, are having a significant effect on many business sectors.

Divorce and Family Law

Divorce in Lockdown: Can I get some discreet legal advice?

We have spoken to clients who are unfortunately experiencing some family issues, and would like to obtain expert legal advice, yet don’t know how...

Land & Property Dispute

Restrictive Covenants – The Price of Modification

Having identified that your land is burdened by a restrictive covenant and for the purposes of this article the covenant in question will be that only one residential building can be erected on the land. What do you do next?

Wills, Trusts and Probate

Why is having a will so important?

It is entirely up to you if and when you want to create a Will, but it is important to be aware of the consequences of not having a Will.

Award winning legal advice

Herrington Carmichael offers legal advice to UK and International businesses as well as individuals and families. Rated as a ‘Leading Firm 2023’ by the legal directory Legal 500 and listed in The Times ‘Best Law Firms 2023’. Herrington Carmichael has offices in London, Farnborough, Reading, and Ascot.

+44 (0)1276 686 222


Brennan House, Farnborough Aerospace Centre Business Park, Farnborough, GU14 6XR

Reading (Appointment only)
The Abbey, Abbey Gardens, Abbey Street, Reading RG1 3BA

Ascot (Appointment only)
102, Berkshire House, 39-51 High Street, Ascot, Berkshire SL5 7HY

London (Appointment only)
60 St Martins Lane, Covent Garden, London WC2N 4JS

Privacy Policy   |   Legal Notices, T&Cs, Complaints Resolution   |   Cookies  |   Client Feedback   |  Diversity Data



Our Services

Corporate Lawyers
Commercial Lawyers
Commercial Property Lawyers
Conveyancing Solicitors
Dispute Resolution Lawyers
Divorce & Family Lawyers
Employment Lawyers
Immigration Law Services
Private Wealth & Inheritance Lawyers
Startups & New Business Lawyers

Pay Online >

Please be aware that we have no plans to change our bank details. If you receive any indication that any of our bank details have changed please contact us before sending us any funds. We take no responsibility for monies you transfer into the wrong bank account.

© 2023 Herrington Carmichael LLP. Registered in England and Wales company number OC322293.

Herrington Carmichael LLP is authorised and regulated by the Solicitors Regulation Authority with registration number 446245.