Skip to content

What Documents Should My Business in England Disclose Following a Subject Access Request?

Table of Contents

In recent years, organisations in the UK have faced an increasing number of Subject Access Requests (SARs). However, many business owners dislike SARs due to the administrative time they take up and the complexity of the relevant rules within the General Data Protection Regulation (GDPR). Pressure also results from the Information Commissioner’s Office (ICO) having the power to issue fines of up to £17.5m on any organisation that fails to deal with a SAR correctly. 

This article will explore the main types of documents your business should disclose following receipt of a Subject Access Request. Accordingly, this should help your business avoid committing a UK GDPR breach and any subsequent financial penalty from the ICO.

What is a Subject Access Request?

A SAR is a (usually written) request from an individual for a copy of all personal information relating to them. The SAR usually states whether the individual wishes for digital or printed copies of the data. Some individuals will label them as a Data Subject Access Request or DSAR, which is the same thing.

There are two main types of SAR:

  1. targeted SAR: one in which an individual asks for specific pieces of information (e.g. all emails between them and a specific manager within a period); and
  2. general SAR: an individual simply asks for all personal data relating to them during their lifetime.

The rules for dealing with both are the same, albeit you will likely disclose fewer documents in response to a targeted SAR.

What Rules Should My Company Comply With?

The core rules include the following:

  • confirm receipt of the SAR (usually in writing);
  • provide the individual with a digital or printed copy of the documents sought (verbally confirming the contents of a document down the phone is not sufficient);
  • provide the information within one calendar month of receiving the SAR (with limited exceptions where the SAR is exceptionally complex or broad); and
  • inform the individual whether any other third party has received the relevant documents, for example, you may have provided limited health records to an Occupational Health provider to assist a report.

Now we know the nature of a SAR and the core rules, let us consider which documents your organisation should disclose in response to a Subject Access Request.

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

1. Only Disclose the Documents Requested

This is where the difference between targeted and non-targeted SARs comes into play. For example, if an individual has only asked for a copy of their sickness absence records, you should provide this document rather than sending their entire HR records.

If your company is in doubt about which documents the individual is interested in, you should write to them and ask them to describe the records sought and the purpose behind the request.  This can simplify matters considerably as, if an employee told you that they wanted documentation to help a pension appeal, you would know that payslips and pension emails were relevant personal data (but disciplinary records were not).

2. Redact Confidential or Irrelevant Information

This is step two for a reason.  Step one aims to get all relevant documents together, whilst this step involves a review of those documents and redacting any confidential or irrelevant information.

Redaction is a method of covering up specific sections of information within documents, so the recipient cannot view them. The traditional way, on printed copies, was to strike parts of the text with a thick black marker. Nowadays, there are digital methods of striking out information, so recipients cannot view it. Additionally, it guards against someone simply trying to copy and paste it into another document to read it.

It is essential to avoid misuse of redaction. Your business should not use this method to cover up the information it does not want to disclose but, instead, use it to protect personal data relating to others.

So, for example, if an email mentions the pension-related earnings of three different staff members, you would redact the parts of that email relating to the other two individuals. This is because disclosing that information to the SAR author would breach the privacy of those other staff members.

3. Avoid Disclosure of ‘Closed’ Documents

The first follow-up question here is obvious: what is a ‘closed’ document? The simple answer is that there are two main types of closed documents:

  • any document recording legal advice between your company and its legal advisors (which is covered by ‘legal advice privilege’); and
  • any correspondence marked ‘without prejudice’ and sent between your company and the relevant individual to negotiate a confidential deal.

Legal advice privilege only applies to genuine legal advice between a company and a lawyer, so any emails between you and an HR manager are not covered. For this reason, many business owners disclose sensitive matters by phone or in a meeting room rather than by email to avoid sensitive topics falling within the scope of a SAR.

Without prejudice correspondence covers materials that aim to explore a potential deal. Your business cannot simply mark documents ‘without prejudice’ and expect them to remain confidential. Instead, these documents must also evidence at least one party aiming to progress negotiations. If so, these documents can be protected from disclosure even if the parties fail to achieve a deal.

Key Takeaways

Dealing with Subject Access Requests will take time and effort. Unfortunately, this is unavoidable, given the need to search, compile and deliver documents to the SAR author.  However, another potential stress is failing to deal with the SAR correctly and risking a fine from the ICO.  The good news is that the above steps can help your organisation handle SARs efficiently and in line with GDPR principles.

If you need help complying with Subject Access Requests, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership.  For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents.  Call us today on 0808 196 8584 or visit our membership page

Frequently Asked Questions

Does the ICO regularly deliver high fines to companies for SAR breaches?

No, financial penalties in the millions are unusual. However, the ICO is open to handing out fines in the thousands or tens of thousands of pounds for GDPR breaches, so your business should handle SARs safely.

Can my business refuse to carry out a SAR if it believes the individual is considering an Employment Tribunal claim?

No, the reason for the SAR is mostly irrelevant in the ICO’s eyes. If a disgruntled employee lodges a genuine SAR, any failure to process it in the same way as for any other person will likely be viewed as unfair by the ICO or any Employment Tribunal. 

Register for our free webinars

Preparing Your Business For Success in 2025

Online
Ensure your business gets off to a successful start in 2025. Register for our free webinar.
Register Now

2025 Employment Law Changes: What Businesses Should Know

Online
Ensure your business stays ahead of 2025 employment law changes. Register for our free webinar today.
Register Now

Buying a Tech or Online Business: What You Should Know

Online
Learn how to get the best deal when buying a tech or online business. Register for our free webinar.
Register Now

How the New Digital and Consumer Laws Impact Your Business

Online
Understand how the new digital and consumer laws affect your business. Register for our free webinar.
Register Now
See more webinars >
Thomas Sutherland

Thomas Sutherland

Read all articles by Thomas

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards