Summary
- A Subject Access Request (SAR) is a request from an individual for a copy of all personal data held about them, and businesses must respond within one calendar month, providing digital or printed copies of the relevant documents.
- Businesses should only disclose documents specifically requested, redact personal data relating to third parties, and avoid disclosing legally privileged documents or correspondence marked “without prejudice” that evidences genuine settlement negotiations.
- Failure to handle a SAR correctly can result in an ICO fine of up to £17.5 million, making it essential for businesses to have clear internal processes for identifying, reviewing, and disclosing personal data in response to SARs.
- This article explains what businesses must disclose in response to a Subject Access Request for organisations operating in the UK.
- LegalVision, a commercial law firm specialising in advising clients on data protection and UK GDPR compliance, outlines the key rules and document types involved in responding to a SAR.
Tips for Businesses
Respond only to what is requested and redact third-party personal data before disclosure. Do not disclose legally privileged communications or genuine without prejudice correspondence. Confirm receipt promptly and track the one-month deadline carefully to avoid ICO scrutiny.
A Subject Access Request (SAR) gives individuals the legal right to obtain a copy of their personal data held by an organisation. Under the UK GDPR, businesses must handle these requests carefully or risk significant fines from the Information Commissioner’s Office (ICO). Many organisations find SARs administratively burdensome and the rules surrounding them complex. This article will explore the main types of documents your business should disclose following receipt of a SAR.
What is a Subject Access Request?
A SAR is a (usually written) request from an individual for a copy of all personal information relating to them. The SAR usually states whether the individual wishes for digital or printed copies of the data. Some individuals will label them as a Data Subject Access Request or DSAR.
There are two main types of SAR:
- targeted SAR: one in which an individual asks for specific pieces of information (e.g. all emails between them and a specific manager within a period of time); and
- general SAR: an individual simply asks for all personal data relating to them during their lifetime.
The rules for dealing with both are the same, though you are likely to disclose fewer documents in response to a targeted SAR.
What Rules Should My Company Comply With?
The core rules include the following:
- confirm receipt of the SAR (usually in writing);
- provide the individual with a digital or printed copy of the documents sought (verbally confirming the contents of a document down the phone is not sufficient);
- provide the information within one calendar month of receiving the SAR (with limited exceptions where the SAR is exceptionally complex or wide); and
- inform the individual whether any third party has received the relevant documents (e.g. limited health records provided to an Occupational Health provider to assist a report).
Now we know the nature of a SAR and the core rules, let us consider which documents your organisation should disclose in response to a SAR.
1. Only Disclose the Documents Requested
This is where the difference between targeted and non-targeted SARs comes into play. For example, if an individual has only requested a copy of their sickness absence records, you should provide this document. Avoid the quicker option of sending their entire HR records.
2. Redact Confidential or Irrelevant Information
Step one aims to collate all relevant documents. The subsequent step involves reviewing those documents and redacting any confidential or irrelevant information.
Redaction is a method of covering up specific bits of information within documents, so the recipient cannot view them. The traditional way on printed copies was to strike parts of the text with a thick black marker. Nowadays, there are digital methods of striking out information, so recipients cannot view it. Digital redaction can also guard against a recipient simply copying and pasting the struck-out text into another document to read it.
It is essential to avoid misuse of redaction. Your business should refrain from using this method to cover up information it simply does not want to disclose. Instead, use it to protect personal data relating to others.
So, for example, if an email mentions the pension-related earnings of three different staff members, you would redact the parts of that email relating to the other two individuals. This is because disclosing that information to the SAR author would breach the privacy of those other staff members.
3. Avoid Disclosure of ‘Closed’ Documents
The first follow-up question here is obvious: what is a ‘closed’ document? The simple answer is that there are two main types of closed documents:
- any document recording legal advice between your company and its legal advisors (which is covered by ‘legal advice privilege’); and
- any correspondence marked ‘without prejudice’ and sent between your company and the relevant individual to negotiate a confidential deal.
Legal advice privilege only applies to genuine legal advice between a company and a lawyer, so any emails between you and an HR manager are not covered. For this reason, many business owners discuss sensitive matters by phone or in a meeting room rather than by email (to avoid sensitive topics falling within a SAR).
Without prejudice correspondence covers materials that aim to explore a potential deal. Your business cannot simply mark documents ‘without prejudice’ and expect them to remain confidential. Rather, those documents must also evidence at least one party aiming to progress negotiations. If so, these documents can be protected from disclosure even if the parties fail to achieve a deal.
Key Takeaways
Dealing with SARs will always take time and effort. Unfortunately, this is unavoidable given the need to search, compile and deliver documents to the SAR author. However, another potential stress is failing to deal with the SAR correctly and risking a fine from the ICO. The good news is that the above steps can help your organisation handle SARs efficiently and in line with GDPR principles.
If you need help complying with SARs, LegalVision provides ongoing legal support for businesses through our fixed-fee legal membership. Our experienced data, privacy and IT lawyers help businesses manage contracts, employment law, disputes, intellectual property, and more, with unlimited access to specialist lawyers for a fixed monthly fee. To learn more about LegalVision’s legal membership, call 0808 196 8584 or visit our membership page.
Frequently Asked Questions
No, financial penalties in the millions are unusual. However, the ICO is not averse to handing out fines in the thousands or tens of thousands of pounds for GDPR breaches, so your business should handle SARs safely.
No, the reason for the SAR is mostly irrelevant in the ICO’s eyes. If a disgruntled employee lodges a genuine SAR, any failure to process it in the same way as for any other person will likely be viewed as unfair by the ICO or any Employment Tribunal.
A targeted SAR requests specific pieces of information, such as emails between an individual and a particular manager within a set timeframe. A general SAR requests all personal data held about an individual. The same rules apply to both, though you will typically disclose fewer documents in response to a targeted SAR.
You can withhold documents covered by legal advice privilege, such as genuine legal advice between your company and its lawyers, and correspondence marked ‘without prejudice’ that evidences active negotiations. You should also redact personal data relating to third parties to protect their privacy.