Data subject access requests from employees: how to respond
A data subject access request (DSAR) is a formal request by an individual to receive a copy of the personal data an organisation holds about them. Under UK GDPR, every individual has the right to make a DSAR, and employers receive them from employees and former employees more often than most HR teams expect. Knowing how to handle them correctly — within the one-month deadline — avoids ICO enforcement action and the relationship damage of a poorly handled response.
The one-month clock
From the date you receive a valid DSAR, you have one month to respond. If the request is complex or you have received multiple requests from the same individual, you can extend by a further two months — but you must tell the person within the first month that you are extending and why. Failing to respond within the deadline is a reportable breach to the ICO.
What to include
The response must provide: all personal data held about the individual, the purposes for which the data is processed, the legal bases for processing, how long the data will be retained, who the data has been shared with or categories of recipient, information about any automated decision-making, and information about the individual's further rights (rectification, erasure, restriction, objection).
What you can withhold
Third party data: where a document contains the personal data of another identifiable person, that person's information should be redacted unless they have consented or it is reasonable to include it. For example, a grievance investigation report may contain the names and accounts of colleague witnesses — those names should typically be redacted.
Legal professional privilege: legal advice sought about the employee can be withheld if it is subject to legal professional privilege.
Exemptions: there are specific exemptions under the DPA 2018, including an exemption for management information that would be likely to prejudice management planning if disclosed prematurely (for example, a draft redundancy proposal that has not yet been shared with affected employees). These exemptions are narrowly interpreted.
The practical process
1. Log the request and note the one-month deadline
2. Identify all systems holding personal data about the individual: HRIS, payroll, email, documents, correspondence, disciplinary files, absence records, training records
3. Compile the data, redacting third-party information
4. Apply any exemptions, documenting the decision
5. Respond in writing with the data and the accompanying information
6. If the request is from a former employee, confirm the data is being retained only for as long as required
DSARs from employees in the middle of a grievance or disciplinary process are common. Receiving one does not pause the disciplinary process, nor does it give the employee a right to see all documents before the hearing. Manage the two processes in parallel.
See GDPR for employers for the broader data protection obligations that frame DSARs.
Mellow stores employee data centrally, making DSAR compilation significantly faster than searching across multiple disconnected systems. [Start a free trial →](https://mellowhr.com/register)