Subject Access Requests from former employees are among the most common — and most consequential — data subject requests that employers face. They frequently arrive alongside settlement negotiations, employment tribunal claims or grievance appeals. The timing is rarely accidental.
But whatever the motive, your legal obligation is the same as it would be for any other SAR: respond fully, accurately and within one calendar month. Failing to do so adds a data protection breach to whatever employment matter is already in play — and rarely improves your position.
Do Former Employees Have the Right to Submit a SAR?
Yes — without qualification. The right of access under Article 15 of UK GDPR belongs to any individual whose personal data you hold, regardless of their relationship with your organisation. There is no employment status requirement and no time limit on when a former employee can submit a request after leaving.
If you hold personal data about them, they are entitled to a copy of it. The only question is what that data includes — and what, if anything, can lawfully be withheld.
A former employee SAR carries exactly the same legal obligations as a current employee SAR. The one-month response deadline, the scope of disclosure and the redaction rules are identical.
What Data Must You Disclose?
You must search all systems, locations and data sources where the former employee's personal data may exist and disclose everything you find — unless a specific exemption applies. This typically includes:
- HR files — employment contracts, offer letters, performance reviews, pay records, disciplinary files, absence records, references given
- Email correspondence — any email where the individual is the subject of discussion, not just emails they sent or received
- Internal communications — Slack, Teams, internal memos or notes that mention them personally
- Management notes — informal notes made by line managers, notes from one-to-ones or informal discussions where their personal data was recorded
- Payroll and benefits records — salary history, bonus records, pension contributions, benefits information
- Training and development records — courses attended, assessments, certifications
- CCTV or access logs — if your systems record individual movement or access, this may also fall within scope
The scope of a former employee SAR is often broader than organisations anticipate. Years of email threads, manager notes and HR correspondence can generate thousands of documents. Each one needs to be reviewed.
Limiting the search to the HR folder. Former employee SARs require a comprehensive search across email systems, shared drives, messaging platforms, payroll software and any other system that may hold their personal data — including archived or backed-up data that is reasonably accessible.
How Far Back Does the Search Go?
There is no legal time limit on the scope of a former employee SAR. If you hold data from five years ago — because your retention policy permits it — that data is in scope and must be disclosed unless an exemption applies.
However, data that has been lawfully deleted in accordance with your documented retention schedule does not need to be recovered. This is why having and following a clear data retention policy matters: it limits your exposure to historical searches without creating a compliance gap.
Where data has been deleted but may still exist on archived backups, the position is more nuanced. If recovery is reasonably practicable, the ICO expects organisations to make the effort. If it would require disproportionate effort, you may be able to confirm that the data is not reasonably accessible — but you should document this decision carefully.
What Can Be Redacted?
Not everything that surfaces in a former employee SAR must be disclosed as-is. Several categories of information may be withheld or redacted, provided the legal basis is properly documented:
- Third-party personal data — if a document contains personal data about another individual (a colleague's name, a customer's details), that information may be redacted to protect the third party's privacy, unless it is reasonable to disclose it or the third party has consented
- Legally privileged material — communications between the organisation and its legal advisers that attract legal professional privilege are exempt. This is particularly relevant in former employee SARs where legal advice about the individual's employment may have been sought
- Confidential references — references given in confidence about the individual are exempt under Schedule 2, Part 3 of the Data Protection Act 2018
- Management forecasts and negotiations — information about settlement negotiations or management planning that would prejudice the conduct of those discussions may be withheld in certain circumstances
- Information about other ongoing investigations — where disclosure would prejudice a separate investigation, a limited exemption may apply
Every redaction must be documented with its specific legal basis. A redaction log — recording what was withheld and under which provision — is essential if the response is ever challenged by the individual or reviewed by the ICO.
The Tribunal Connection: What You Need to Know
A significant proportion of former employee SARs arrive either alongside or shortly before employment tribunal claims. This is entirely lawful — individuals are entitled to use SARs to understand what evidence exists about them, and many solicitors advise clients to submit one as a matter of course before proceedings begin.
The temptation in this situation is to respond narrowly — to give as little as possible in the hope that it limits what can be used against you. This approach is almost always counterproductive.
First, an incomplete or evasive SAR response is itself a breach of UK GDPR, which can become a separate complaint or enforcement matter. Second, employment tribunals take a dim view of organisations that fail to comply with data protection obligations — it can affect how your credibility is assessed across the whole case. Third, if the individual later discovers through disclosure in proceedings that data was withheld from their SAR without valid justification, your position becomes significantly more difficult to defend.
The right approach is to respond fully and accurately, apply redactions only where the legal basis is clear and documented, and let your legal advisers deal with the employment claim on its own merits.
Received a SAR from a former employee?
We handle the complete process — document collection across all your systems, AI-assisted review, defensible redaction with a full audit trail, and a disclosure pack ready to send. Fixed fee, on your case within 24 hours.
Get a Free Quote →Step-by-Step: Responding to a Former Employee SAR
Acknowledge promptly
Confirm receipt in writing as soon as possible. State the deadline by which you will respond (one calendar month from receipt). If you need to verify the individual's identity, do so quickly — the clock runs from the date of the request, not the date identity is confirmed.
Map every data source
Identify all systems, inboxes, archives and physical files where the individual's personal data may exist. This includes email (including manager inboxes), HR systems, payroll software, shared drives, Teams or Slack, any third-party platforms that held their data, and archived or backed-up data.
Collect and review all documents
Gather everything in scope and review each document. Identify what can be disclosed as-is, what requires redaction, and what can be withheld entirely. If volume is large, AI-assisted review can significantly reduce the time involved.
Apply and document all redactions
Redact third-party data, privileged material and other exempt content. Record each redaction in a log with the specific legal provision relied upon. Do not redact simply because content is uncomfortable — only where a valid exemption exists.
Prepare and send the disclosure pack
Compile the redacted documents with a covering letter confirming what has been provided, what (if anything) has been withheld and under which exemption, and the individual's right to complain to the ICO if they believe the response is incomplete.
Frequently Asked Questions
Does a former employee have the right to submit a SAR?
Yes. UK GDPR gives any individual the right to access personal data held about them, regardless of whether they are a current or former employee. There is no time limit on when this right can be exercised after employment ends.
How far back does a former employee SAR go?
There is no legal time limit — the SAR covers all personal data you currently hold about the individual, regardless of when it was created. Data lawfully deleted under your retention policy need not be recovered, but data that still exists in your systems or accessible archives is in scope.
Can we refuse a former employee SAR if it is linked to a tribunal claim?
No. The motive behind a SAR is legally irrelevant. You cannot refuse to respond because you believe the request is tactical. Refusal would itself be a breach of UK GDPR and would compound your legal exposure — not reduce it.
What if complying with the SAR would reveal our legal strategy?
Communications between your organisation and its legal advisers are protected by legal professional privilege and are exempt from disclosure. You can redact privileged material — but the privilege must genuinely apply and must be documented in your redaction log.
Can we charge a fee for a former employee SAR?
In most cases, no. UK GDPR requires organisations to respond to SARs free of charge. A fee can only be charged where a request is manifestly unfounded or excessive — a high bar that requires careful assessment and clear documentation before relying on it.