Employee Data Subject Access Requests (DSARs) have a bit of a reputation.
They usually show up at the worst possible time — during a redundancy, after a grievance, or when someone’s already frustrated. They come with a legal deadline, can be wide in scope, and they tend to make everyone slightly nervous.
But here’s the thing: an employee DSAR doesn’t have to feel dramatic.
If you understand what’s required (and what isn’t), responding to an employee DSAR becomes much more manageable.
Under UK GDPR, employees have the right to access their personal data. An employee DSAR is simply the formal way they exercise that right.
When someone submits a DSAR, they are asking for:
That’s it.
The regulation is clear. The complexity usually comes from the context — not the law itself.
In practice, employee DSARs often arise during:
While emotions may run high, the compliance task remains the same: identify the employee’s personal data and provide it, alongside the required supplementary information.
There are a few reasons these requests tend to feel heavier than other types of data subject access requests.
A common question is what actually needs to be disclosed in an employee DSAR.
Under UK GDPR, personal data is any information relating to an identifiable individual. In an employment context, that can include:
It’s not limited to formal HR records. If the information relates to the employee and they can be identified from it, it may fall within scope.
That said, disclosure isn’t unlimited. Third-party personal data must be protected, and legally privileged advice can be withheld. The aim is to provide the employee’s personal data in a way that is accurate and proportionate.
The easiest way to approach an employee DSAR is to break it into stages.
Confirm the identity of the requester and, if applicable, the authority of any solicitor acting on their behalf. If the request is unclear or unusually broad, it’s entirely reasonable to seek clarification before proceeding.
You are required to carry out a reasonable and proportionate search. That means reviewing systems where personal data about the employee is likely to exist. HR platforms, email accounts, collaboration tools and shared drives are the obvious starting points.
If work-related decisions or discussions about the employee have taken place via messaging apps or AI tools, those sources should be considered as well. The deciding factor isn’t the platform — it’s whether personal data was processed there in the course of business activity.
This is often the most time-intensive stage. Personal data within scope must be gathered and reviewed carefully. Third-party information may need to be redacted, and any exemptions should be applied consistently and documented.
Over-redaction can cause issues, but so can disclosing too much. The key is balance.
Your response must also explain the purposes of processing, categories of data, retention periods and, where relevant, any automated decision-making.
Approached step by step, the process is methodical rather than overwhelming.
One of the biggest areas of confusion with employee DSARs is scope.
Employees are entitled to their personal data. That doesn’t automatically mean every document that they’re mentioned in needs to be disclosed in full.
What is in scope will generally include information that relates to the employee and from which they can be identified, such as performance reviews, redundancy scoring, internal communications discussing their role or conduct, and meeting notes about them.
Out of scope, or potentially exempt, may include:
Draft documents can fall within scope if they contain the employee’s personal data. The fact that something is “internal” doesn’t automatically exclude it.
The test is always the same: does this information constitute personal data about the individual, and are there lawful grounds to withhold it?
Being clear about scope at the outset can significantly reduce over-disclosure and unnecessary anxiety.
In some cases, yes.
Under UK GDPR, you can extend the response deadline by up to two additional months if the request is genuinely complex. But it’s worth being clear about what “complex” actually means.
A long or wide-ranging DSAR isn’t automatically complex. Volume on its own isn’t enough. What matters is the nature of the work involved in responding properly.
Complexity is more likely where particularly sensitive personal data needs careful review, where specialist legal advice is required to assess what can be disclosed, where information about a child is being requested by a parent or guardian, or where extensive redaction or accessibility adjustments are needed before the data can be shared.
If you do rely on an extension, you must inform the individual within the original one-month period and explain clearly why additional time is needed.
Extensions are there to ensure a careful and compliant response. They’re not a fallback for internal delays or disorganisation.
This comes up frequently.
If work-related personal data about the employee has been processed via WhatsApp, Slack, Teams, email or AI meeting software, it may fall within scope of an employee DSAR. The question isn’t which platform was used; it’s whether the organisation processed personal data about the individual there.
This is why governance around collaboration tools and AI usage is increasingly important. The clearer your internal rules are, the easier it is to respond confidently.
Often, the stress around employee DSARs reveals something broader — unclear ownership, outdated data registers, inconsistent retention practices, or processes that aren’t quite as structured as they could be.
And sometimes the hardest part isn’t gathering the data; it’s knowing how to respond.
That’s exactly why Trust Keith has put together a set of DSAR response email templates, designed to help you respond confidently whether a request is completed in full, completed in part, or refused with proper explanation.
If you’d like a clearer starting point for your next employee DSAR, you can download the templates below.