The Information Commissioner's Office (ICO) recently added a 'Q&A' page to its guidance on responding to subject access requests (SARs).

Following the adoption of the GDPR and updated Data Protection Act in 2018 employees and workers, actual and prospective, have found ever more novel – and at times demanding – ways to seek and use information referring to them which has been created or kept by their employer. Whilst some of the areas covered in the new guidance will be familiar ground to business managers and HR professionals, the content is useful in clarifying how the Information Commissioner would expect certain situations to be dealt with.

What amounts to a SAR?

Employees do not have to submit a subject access request in a particular format to a nominated individual, or even in writing at all. The Q&A gives examples of requests a worker may make which could qualify as a SAR, such as 'Can I have a copy of the notes from my last appraisal?', or 'Can I have a copy of the emails sent by my manager to HR regarding my verbal warning?'.

When can we ask an employee to clarify the scope of their SAR?

The option of asking an employee to clarify the scope of their request - in the process stopping the clock in relation to the time limit for responding - must be genuinely justified and not a default tactic simply to buy time. Clarification should only be sought where there is reasonable uncertainty about the request, and when large amounts of information about the individual are processed. 

The ICO expects employers to carry out reasonable and proportionate searches to find personal data. Thus, says the ICO, the option might be justified if an employee of twenty years' service requests a copy of all of their personal information but not for an identically worded request by a shorter served colleague.

Tools such as our Discover by BrodiesAI platform can help employers to filter and sort data returned from IT searches, apply exemptions and redact information that is not disclosable.

Disclosure of third parties' data

The Q&A considers the common situation where a request by a data subject potentially includes the personal data of other individuals. Under data protection law, that data must be disclosed only if the person consents, or it is reasonable to disclose the information without their consent. Employers therefore need to balance the competing rights of the applicant and third parties.

At this point, it is also worth emphasising that the right under a SAR is for personal data held about that individual. It is not a right to a copy of the email or document in which that personal data appears. Information that is not personal data of the applicant can be redacted.

Some examples:

Pay increases

A request is made by an employee wishing to understand why they did not receive a pay rise. Potentially included in the response is a note of a meeting between the person's manager and HR where their performance is discussed by comparison to others in the same team. Those last details may be redacted as they are not the personal data of the person making the request and the meaning of the discussion is not lost in the process. The guidance makes it clear however that the reason for any details being redacted or withheld should be given.
CCTV recordingsThe expectation is that modern CCTV systems should be capable of redacting – for example through pixelation – the images of other people. If not, then again their rights should be considered and disclosure of their images should only be done with their consent or where justified without it being obtained. This will be very situation specific and need a clear rationale in favour of whatever decision is taken.
Witness statements

Some similar but slightly more contentious situations are covered in the guidance on whether to disclose statements given in an internal process such as a grievance or disciplinary investigation and how to treat reports made under a whistleblowing policy.

This is particularly sensitive when one employee has made accusations or given incriminating evidence about another. In this situation it is important to consider the implications of the accused knowing the identity of their accuser. Will there be recriminations or the breakdown of working relationships? Does one individual have significantly more power than the other? In order to obtain the statement did the interviewer promise to keep the person's identity confidential, and was it reasonably necessary to do so? Is it possible to disclose the detail of the allegations themselves without the identity of the informant, or is the latter obvious once the former is known?

Whilst such questions are helpfully articulated in the Q&A they cannot realistically be answered definitively, and each employer will have to exercise good judgment in arriving at its own decision. In our experience this can often be a complex assessment. However, employers can make that process easier by reviewing their disciplinary and grievance processes and being clear with witnesses when the information they provide may be disclosed.


References have been subject to particular rules for some time now but the additional guidance helps illustrate when an employer can choose to disclose or not to disclose the contents.

If HR is asked for a copy of a reference received from a previous employer or given to a prospective employer, it may decline to provide it if it was given in confidence. To avoid misunderstanding (and needless requests) employers should make it clear in a privacy statement or employee handbook that this is the standard approach. If they do not, or recognise that in some cases it is appropriate to disclose a reference, they might choose to provide a summary of the factual details contained in the reference, such as job title, dates of service, and the individual's main responsibilities.

Negotiations and decision making about ending employment

A very real and common concern for those in HR is the possibility of having to disclose information about internal decisions relating to the termination of employment. The Q&A touches on a number of aspects with useful examples:

Legal privilege

Privileged documents (and therefore the data within them) do not need to be disclosed in response to a SAR. Documents can be privileged in one of two ways, namely:

  • if they were created with the purpose of requesting or giving legal advice from legal professionals – legal professional privilege; or
  • if they were prepared predominantly to be used in a dispute such as a tribunal or court claim – litigation privilege.

Management information exemption

In the context of a business reorganisation, there may have been high level discussions about merging teams and the consequent reduction in staff by job type. This, we are told, is likely to come within the exemption for 'management information' – i.e. business forecasting or planning materials. This means that it need not be disclosed as part of a SAR and, further, that the employer may choose not even to confirm that the information is held by them at all.

Negotiations exemption

It is recognised that a business could be prejudiced in, for example, mediation or negotiations over a termination package if the employee could ask for details of internal discussions and decisions. The guidance confirms that documents containing those details do not need to be given to the employee. Crucially this exemption only applies as long as the negotiations themselves could be prejudiced, and so care must still be taken with what is put into document form – unless any such items are covered by another exemption they will become disclosable as soon as the negotiations come to an end, whether a deal is agreed or not.

Manifestly unfounded or excessive  

In many ways the regime is more onerous than pre-2018 – for example employers can no longer automatically charge a fee and wait until it is paid before responding, and they must now provide a response to a SAR without undue delay and in any event within one month, unless the request is complex, in which case the response period can be extended by up to two months. However, the guidance helpfully reassures employers that there are limits to the demands that individuals can make for their personal data.

One way in which employers may be able to refuse to comply with a SAR is if it is manifestly unfounded or excessive. It is recognised that factors such as the time and resources involved in carrying out a search or providing the results of a search; the timing and context of a request; or even the motive of the employee in making a SAR may offer grounds to refuse a request or at least depart from the full set of requirements.

Manifestly unfounded

Sight should not be lost of the word 'manifestly' in relation to a request suspected of being unfounded. An employer refusing one or more SARs on this basis should be prepared to show that there was a sound basis for reaching the conclusion if a challenge is referred to the ICO. The suspicion of an ulterior motive will not be enough. Some examples:

  • An employer faced with either a disruptive series of identical or similar SARs from one individual, or a targeted and co-ordinated set of requests by a group of individuals working together, could argue that the requests were not properly founded.
  • If someone who is at risk of redundancy submits a SAR only to offer to withdraw it in return for a better termination package, the employer would be entitled to refuse to comply with the SAR as it had been made for an ancillary purpose, essentially in bad faith.
  • If an employer believes that a SAR is targeted at putting undue pressure on a confidential informer in a whistleblowing, grievance or disciplinary situation it may decline to respond, even by using anonymisation or redaction.

Manifestly excessive

A request is not necessarily excessive just because the individual requests a large amount of information. It may for example be readily retrievable from an IT system, require little vetting for data of other individuals and be easily transferred via an upload, USB stick or similar.

The ICO confirms that where a particularly extensive request would be time intensive, resource heavy or costly to comply with then the 'manifestly excessive' test may be met. This will be fact specific. What is excessive for one employer may not be excessive for another. If the request is excessive, then the employer is entitled to either refuse the request outright or at least to take more time to respond and/or charge a proportionate fee.

However, an employer would be expected to document and explain the basis for reaching this conclusion. Before doing so it may well be expected to go back to the employee, explain the likely challenges with responding to the SAR in its current form and ask if they can be more specific or narrow down what they are looking for.

When taken together with ICO's guidance in relation to clarifying requests, employers should consider the scope of each request and whether it can and should be challenged. If the employee does not engage, then employers should consider taking the lead in setting out what searches they propose to carry out, including search terms, time periods and other parameters.

Settlement agreements

Finally, the guidance also reminds employers that the right to make a SAR, or to exercise other data subject rights under data protection law, is not something that can be waived in a settlement agreement. These are statutory rights.

However, if an employee submits a SAR shortly after entering into a settlement agreement, it may be possible for the employer to show that the request is manifestly unfounded or excessive. Whether this is possible will depend on the facts and circumstances. Employers may therefore want to think about what to include in the settlement agreement to make it easier to reject a request on this basis.


The above are some of the situations likely to arise for employers where subject access rights are exercised. The additional guidance provided by the Q&A serves the dual purposes of highlighting the requirements of the existing regime and giving a clearer indication of how some of the rules – at times clear but generic - should be applied in the workplace. Inevitably however the final decisions, many of them finely balanced, will come down to management and the HR and other advisors who assist them.

If you would like more information, please get in touch with a member of Brodies Employment and Immigration or Data Protection teams. Workbox by Brodies users can access a dedicated page on Subject Access Requests. You can find out more about our Discover by Brodies AI tool on the Brodies website.


Brian Campbell

Legal Director

Martin Sloan