How long does an employer have to respond to an employee SAR?

Employers have one calendar month from the date the SAR is received to respond. This can be extended by a further two months for complex requests, but the employee must be notified of the extension within the original one-month period.

What information must be included in an employee SAR response?

The response must include all personal data held about the employee across all systems — emails, HR files, payroll records, disciplinary notes, performance reviews and any other records where their personal data appears.

Can an employer redact information from an employee SAR?

Yes. Third-party personal data, legally privileged material and certain DPA 2018 exempt categories may be redacted. Every redaction must be documented with a legal justification.

How to Respond to an Employee SAR in 30 Days | SAR Support UK

Employee Subject Access Requests are among the most complex SARs an organisation can receive. They typically span years of data across multiple systems — emails, HR records, payroll, disciplinary files, performance reviews — and they almost always arrive at the worst possible moment: during an active grievance, disciplinary process or employment tribunal claim.

Under UK GDPR, you have one calendar month to respond from the date the request is received. Miss that deadline and you risk an ICO complaint, potential enforcement action and — in a tribunal context — adverse inferences about what you were trying to hide.

This guide walks you through the complete process.

Key Deadline

The one-month deadline runs from the date you receive the SAR — not from when you acknowledge it or when you decide it's valid. Day one is the day it arrives.

Step 1: Confirm the Request is Valid

A Subject Access Request doesn't need to be formal or use specific language. An employee emailing "I'd like to see all the information you hold about me" is a valid SAR. So is a letter, a message via a line manager, or a request submitted through your HR system.

You can ask for clarification if the request is unclear — for example, if it's so broad that it would take excessive time to process — but you cannot refuse to begin processing while you wait for clarification. The clock has already started.

You can ask for ID verification if you have genuine doubt about the requester's identity, but this should be proportionate. For current employees, the identity is rarely in question.

Step 2: Identify Every System That Holds Their Data

This is where most organisations underestimate the task. Employee personal data rarely lives in one place. You need to search across all of the following:

HR system — contracts, appraisals, absence records, personal details
Email — their own sent/received mail and any emails about them in others' inboxes
Disciplinary and grievance files — including notes, witness statements and outcome letters
Payroll system — salary history, deductions, bank details
Performance management tools — reviews, PIPs, meeting notes
Shared drives and document management systems
Line manager's personal files — including notes on their own devices
CCTV footage — if footage showing the individual is still retained
Instant messaging platforms — Teams, Slack, WhatsApp (if used for work)

Common Mistake

Many organisations only search the HR system and overlook email. In employment tribunal cases, failure to disclose relevant emails in a SAR response can lead to adverse inferences and significant legal exposure.

Step 3: Review Every Document

Once you've collected the documents, each one needs to be reviewed to determine what personal data it contains about the requester, what can be disclosed as-is, and what needs to be redacted before disclosure.

For a typical employee SAR this may involve hundreds — sometimes thousands — of documents. Each document needs individual attention. Bulk disclosure without review is not acceptable under UK GDPR and can expose third-party individuals to unlawful disclosure of their personal data.

Step 4: Apply Redactions

Not everything in a SAR response must be disclosed. You are permitted — and sometimes required — to redact certain content before disclosure. The most common categories in employee SARs are:

Third-party personal data — information about other identifiable employees, such as a colleague mentioned in a disciplinary note. Disclosing this would be unfair to that individual under UK GDPR Article 15(4).
Legally privileged material — communications between the organisation and its legal advisers that attract legal professional privilege.
Management forecasts — under Schedule 2, Part 4 of the DPA 2018, management planning information may be exempt where disclosure would prejudice the organisation's operations.
Confidential references — references given or received in confidence are exempt under Schedule 2, Part 3 of the DPA 2018.

Important

Every redaction must be documented with a legal justification. If the employee complains to the ICO or brings a claim, you need to be able to explain precisely why each piece of information was withheld and under which legal provision.

Step 5: Prepare and Send the Disclosure Pack

The disclosure should be clear, organised and accompanied by a covering letter that explains:

What personal data has been included in the response
What, if anything, has been withheld and under which exemption
Their right to complain to the ICO if they believe the response is incomplete or incorrect
Their right to seek rectification of any inaccurate data

There is no set format for a SAR response, but clarity and completeness matter. An organised, well-structured disclosure — with a redaction schedule if items have been withheld — demonstrates that the response has been handled seriously and professionally.

Acknowledge immediately

Send a confirmation that you've received the SAR and state the deadline by which you'll respond. This starts the clock formally and shows good faith.

Map all data sources

List every system, inbox and file location that may hold the employee's personal data. Don't just check HR — check email, shared drives, messaging platforms and manager files.

Collect and review documents

Gather all potentially relevant documents. Review each one to identify what can be disclosed as-is and what needs redaction review.

Apply and document redactions

Redact third-party data, privileged content and exempt material. Record the legal basis for each redaction in a redaction log.

Prepare and send the disclosure

Compile the redacted documents with a covering letter and, where applicable, a redaction schedule. Send securely before the deadline.

What Happens If You Miss the Deadline?

Missing the one-month deadline is a breach of UK GDPR. In practice, the consequences depend on the context:

The employee can complain to the ICO, who may investigate and issue enforcement action
In employment tribunal proceedings, a failure to respond can lead to adverse inferences — the tribunal may assume you were hiding something
The ICO can issue fines of up to £17.5 million or 4% of global annual turnover for serious breaches, though in practice enforcement for SAR delays tends to be less severe for first-time failures with a remediation plan

When to Seek Help

Handling a simple employee SAR with a few hundred records in-house is manageable — if your team has the time and knows what they're doing. But there are situations where bringing in specialist support is the right call:

The SAR involves large volumes of email — typically anything over 500 documents
The request is litigation-adjacent — where legal privilege and disclosure strategy are intertwined
Your HR team is already stretched and the deadline is close
The request involves sensitive content — disciplinary matters, whistleblowing, medical information
You've received similar requests before and struggled to meet the deadline

Need help with an employee SAR?

E2E Integration handles the complete process — from document collection and review through to redaction and disclosure pack preparation. Fixed fee from £495. On your case within 24 hours.

Get a Free Quote →

Frequently Asked Questions

Can an employee submit a SAR to find out what their manager said about them?

Yes. An employee is entitled to see their own personal data wherever it appears — including in communications between managers about them. However, third-party personal data (such as a colleague's name or comments) in those communications may be redacted to protect that individual's privacy.

Can we charge a fee for processing a SAR?

In most cases, no. Under UK GDPR, organisations must respond to SARs free of charge. An administrative fee can only be charged if the request is manifestly unfounded or excessive — and you would need to be able to justify that characterisation to the ICO if challenged.

What if the SAR is clearly designed to gain an advantage in litigation?

The motive behind a SAR is irrelevant to your obligation to respond. You cannot refuse a SAR simply because you believe it's tactical. However, if the request is manifestly unfounded or excessive, you may be able to refuse it or charge a fee — but this is a high bar and should always be reviewed by someone with data protection expertise before relying on it.