DSARs and Employee Data Requests: What They Are and How to Respond

Introduction

If you are an employer or someone responsible for HR tasks in a small business, receiving a Data Subject Access Request (DSAR) from an employee can feel unexpected and confusing. Many employers are unfamiliar with the term, and may not realise that a simple request to “see what’s been written about me” is a legal right under the UK GDPR and Data Protection Act 2018.

DSARs are becoming a common feature of employment law processes, particularly where grievances, disciplinary action, or disputes are involved. This guide explains what a DSAR is, why employees submit them, and how to respond correctly and confidently, especially when the request relates to HR matters.

What Is a DSAR and Why Might Someone Submit One?

A DSAR allows individuals to request access to the personal data your organisation holds about them. In an employment context, this includes emails, meeting notes, performance reviews, disciplinary records, and any other documentation where the employee is identified.

Employees often submit DSARs when:

  • They are involved in a grievance or complaint and want to understand how it was handled.
  • They are subject to a disciplinary process and want to see the evidence or internal communications.
  • There has been a breakdown in working relationships, and they suspect unfair treatment or discrimination.
  • They are preparing for legal action, such as an employment tribunal claim.

While the request may feel personal or even tactical, it is a legal right and must be handled professionally. A well-managed response can help resolve concerns and avoid escalation.

What to Do When a DSAR Comes In

  • Confirm the identity of the requester.
  • Clarify the scope if the request is vague or overly broad.
  • Locate and review all relevant personal data across systems and formats.
  • Redact third-party information where necessary to protect others’ privacy.
  • Respond within one calendar month, with a possible two-month extension for complex cases.

Confirming the Identity of the Requester

Before disclosing any personal data, you must be confident that the request is coming from the individual it relates to. This is essential to prevent unauthorised access.

How to confirm identity:

  • Ask for official ID, such as a passport or driving licence, especially if the request comes from a personal email address.
  • Verify internal records if the requester is a current employee, but do not rely solely on email addresses.
  • Check contact details against your HR records and confirm via known channels if needed.
  • Be cautious with third-party requests, such as solicitors or family members. Ask for written authorisation and ID for both parties.

Keep a record of how identity was verified and do not release any data until you are satisfied.

Clarifying the Scope of a DSAR

DSARs can be broad, but you are allowed to ask for clarification to help manage the response.

You can ask:

  • What type of data they are looking for, such as emails or HR records.
  • Which time period they are interested in.
  • Which individuals or departments may hold relevant data.
  • Whether they are referring to a specific issue, such as a grievance or disciplinary meeting.

You must still respond even if they do not clarify, but narrowing the scope can help you respond more efficiently and proportionately.

Where to Look for Personal Data

  • Email accounts, including internal discussions.
  • HR systems, such as BreatheHR or spreadsheets.
  • Shared drives or cloud storage.
  • Meeting notes and performance reviews.
  • Disciplinary records and grievance documents.
  • Messaging platforms, such as Teams or Slack.
  • Paper files and printed correspondence.
  • Third-party systems, such as payroll or recruitment platforms.

Even informal notes or draft documents may contain personal data and should be reviewed.

Writing with Care: Minimising Risk in HR Communications

Many DSARs relate to how employees are spoken about internally. Emails, meeting notes, and informal messages can all be subject to disclosure. That is why it is essential to write with care and professionalism, especially when dealing with employee relations matters.

To reduce risk:

  • Use factual, objective language in emails and notes.
  • Avoid speculation, emotional language, or informal commentary.
  • Keep communications proportionate and relevant to the issue at hand.
  • Use secure channels for sensitive matters, such as performance concerns or disciplinary discussions.
  • Train managers and team leaders on appropriate written communication, especially when documenting employee behaviour or decisions.

Only Use Personal Information When Necessary

Avoid including personal information or naming employees unless it is essential to the context. For example:

  • Instead of saying “John Smith failed to meet the deadline again,” consider “the report was not submitted on time.”
  • If referring to a team issue, use collective terms where appropriate, such as “the marketing team” or “the department,” rather than naming individuals unnecessarily.

This approach helps reduce the volume of personal data held and lowers the risk of future DSAR complications. It also encourages a more respectful and professional tone in internal communications.

What Is Redacting and Why It Matters

Redacting means removing or obscuring information that should not be disclosed. In HR-related DSARs, this often includes:

  • Names or details of other employees.
  • Opinions or commentary not relevant to the requester.
  • Legal advice or confidential business information.

Use the right tools:

  • Do not rely on strikethrough or font colour, as these can be reversed.
  • Use proper redaction software, such as Adobe Acrobat Pro.
  • Flatten or secure files before sending.
  • Always double-check the final version.

Poor redaction can lead to data breaches and complaints to the ICO.

What If Data Has Been Deleted Before a DSAR Is Received?

If data was lawfully deleted before the DSAR was received, you do not need to recover or recreate it. However, you must be able to show:

  • The deletion followed your retention policy.
  • It was not done in response to the DSAR.
  • It occurred before the request was made.

Can Data Be Deleted After a DSAR Is Received?

No. Once a DSAR is received, all relevant data must be preserved. Deleting it could be seen as obstruction.

  • Pause automatic deletion processes.
  • Notify relevant staff.
  • Document your actions.

How to Send the DSAR Response to the Requester

Once the data is reviewed and redacted, send it securely.

Best practice:

  • Use encrypted email or secure file-sharing.
  • Confirm the requester’s contact details.
  • Include a cover letter explaining what is included and why.
  • Keep a record of what was sent and when.
  • Offer support or clarification if needed.

If sending by post, use tracked delivery and secure packaging.

Top Ten Misunderstandings About DSARs in Employment Contexts

  1. “It is not a DSAR unless they say ‘DSAR’.” Any request for personal data, even informal or verbal, can trigger your legal obligation to respond.
  2. “We can ignore it if it is not in writing.” DSARs can be made verbally or informally. You must still respond.
  3. “We have to disclose everything, including internal discussions.” You must disclose personal data, but you can redact third-party information and legally privileged content.
  4. “We can delete data once the request comes in.” You must preserve all relevant data once a DSAR is received.
  5. “We do not need to respond if the employee is being difficult.” DSARs are a legal right, regardless of the employee’s behaviour or employment status.
  6. “We can charge a fee for the request.” DSARs are free unless the request is manifestly unfounded or excessive.
  7. “We have to respond immediately.” You have one calendar month to respond, with a possible two-month extension for complex cases.
  8. “We cannot ask what they are looking for.” You can ask for clarification to help locate relevant data.
  9. “We do not need a data retention policy.” A clear policy helps justify why certain data is no longer held and protects against claims of selective deletion.
  10. “We can just send everything we find.” Over-disclosure can breach other people’s privacy. Review and redact carefully.

How We Can Help

We support SME employers with every aspect of DSAR handling, especially when it relates to HR and employment law. Whether you are dealing with a grievance, disciplinary issue, or preparing for a sensitive conversation, we can help you:

  • Review and redact documents.
  • Draft compliant responses.
  • Train managers on communication and documentation.
  • Put policies in place to reduce future risk.

If you are facing a DSAR or the early stages of an employee issue, we are here to guide you through it.

Final Thoughts

DSARs are becoming a common feature of employment law processes, particularly where grievances, disciplinary action, or disputes are involved. With the right knowledge and support, you can respond confidently and compliantly. Being proactive about how you handle employee data and internal communications will help protect your business and maintain trust.

Call to Action

If you have received a DSAR or are at the beginning of an employee issue and want to make sure you are handling things correctly, get in touch with us. We can help you manage the process professionally, protect your business, and reduce the risk of future claims.

Written by:

Ian King
Company Director - Since 2005, Ian has co-owned Bespoke HR with Alison, the company’s founder. In 2012, he became Company Director and gradually focused more of his time on the business, and has now transitioned fully to Bespoke HR. He applies his technical and business experience to help manage and grow the company, focusing on finance, marketing, commercial strategy, IT, and process improvement and automation.