Complying With Subject Access Request Timescales: Legal Requirements for Employers

Subject Access Requests (SARs) are likely the most commonly known data subject right under UK data protection law. These requests can be especially common for employers, particularly when a disgruntled employee submits a SAR during grievance or disciplinary proceedings. Your business should understand that responding to SARs on time is critical, as failing to meet deadlines can result in penalties under UK data protection law. Your business should ensure it handles SARs with careful planning and clear internal procedures to meet its legal obligations and maintain employee trust. The UK ICO has issued specific guidance for employers regarding SARs. This article explores key considerations for employers regarding SARs, their timescales and practical advice on navigating these time limits. 

When May an Employer Face a SAR?

Employers typically handle a lot of employee personal information. As such, they can often receive SARs in various scenarios, particularly during disputes with employees, such as disciplinary actions, grievance proceedings, or employment tribunal claims. A disgruntled employee may use a SAR to try to gather evidence or review the handling of their personal data. 

Your business should treat a SAR with urgency and care, as delays or incomplete responses could escalate tensions and increase the risk of problems arising from employees.

What Does the Law Say About SARs?

Data protection law rules govern how employers may process personal data and set clear rules for handling SARs. SARs allow individuals to access a copy of their personal data and request information on how and why it is being processed (e.g. information regarding processing purposes, data recipients, retention periods, alongside other key information). 

As an employer, you are likely to hold various types of employee data, such as HR records, disciplinary notes, or performance appraisals. Your business should, therefore, ensure it understands its obligations clearly to avoid costly mistakes. Failing to respond accurately or on time risks regulatory penalties and can damage employee trust.

How Strict Are the Timelines for Responding?

SAR deadlines are strict, so your business must act promptly to meet them. 

Put simply, the standard response time is without undue delay and, at the latest, one month from when your business receives the request (or identity verification or fee, if applicable). 

If the SAR is complex, your business should notify the requester within the original one-month period to clarify it and explain the reasons for the delay. Extensions in time are allowed for up to two additional months, but only in genuinely complex cases. If a SAR is unclear or too broad, your business should ask for clarification. In such cases, the clock pauses until clarification is received. However, your business should only request clarification when it genuinely processes large volumes of data about the individual and needs the clarification to process the request. This is not simply an excuse to delay responding to the SAR because you think it will be onerous to do so. 

These are some high-level examples of guidance around extending timeframes. Still, employers should consult the ICO’s guidance to understand the full scope of these rules and determine if they apply to a specific SAR request. There are also rules concerning notifying the relevant data subject if any time extensions. 

Should Employers Have a DSAR Policy?

In practice, navigating a SAR and its timeframes can be challenging. 

Your business should implement a clear and practical SAR policy to help you handle SARs efficiently and consistently. This policy is particularly important for helping you understand when you need to respond and when you can extend a response deadline following legal rules. 

A well-drafted DSAR policy will help by providing a key framework and guidance for logging SAR requests. It will also ensure that you take other appropriate steps, such as verifying identities, clarifying unclear submissions, and securely delivering the relevant data. 

Your business should train staff to follow the policy to help ensure compliance with UK GDPR requirements and reduce the risk of errors.

GDPR Essentials Factsheet

This factsheet sets out how your business can become GDPR compliant.

Download Now

What Other Steps Should Employers Take to Prepare for SARs?

Preparation is critical to managing SARs effectively. Your business should, therefore, consider creating a straightforward internal process, assigning responsibilities to team members, and documenting every step of the response. 

For complex SARs (such as those involving third-party data or where an exemption may apply, which means you may not be able to provide the data), your business should seek legal advice to manage risks appropriately. By planning ahead and seeking legal advice, your business can handle SARs efficiently and avoid non-compliance risks.

Key Takeaways 

Given the high volumes of personal information an employer processes, they may receive SAR requests from employees. Employers should act quickly to respond to SARs within one month unless a legitimate extension of time is necessary and the employer notifies data subjects of the reasons for the delay in accordance with data protection law rules. Implementing a practical DSAR policy, training staff to handle requests confidently, and keeping detailed records and logging dates can help employers comply with their DSAR obligations. 

If you need help handling employee SARs, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions