Back

Search Members Login Become a Member
Search Members Login Become a Member

Dear Denise – Your HR Agony Aunt | Edition 7: What to Do When a Subject Access Request Lands

Date Posted: 19 May, 2026

Filter Results:

All BusinessMember NewsChamber News

Workplace disputes, grievances, disciplinaries, and even resignations can often lead to one thing employers dread receiving, a Subject Access Request (SAR). While many business owners know they must respond, few fully understand just how much information an employee can legally request, or the mistakes that can create far bigger problems down the line.

That’s why this month’s Dear Denise – HR Agony Aunt column focuses on how employers should handle Subject Access Requests carefully, legally, and without making costly errors. Senior HR Consultant Denise from BeyondHR, who brings 20 years of hands-on HR experience, has seen a sharp rise in SAR-related queries from employers unsure what employees are entitled to access and how to protect themselves when tensions are already high.

Dear Denise,

We’ve recently received a Subject Access Request from an employee following a grievance situation, and honestly, I’m worried about what they might ask for.

I know we need to comply, but I’ve heard employees can request years of emails, messages, meeting notes, and all sorts of internal discussions. I’m also concerned because managers are now nervous about what they’ve written in emails and Teams chats over the years.

What exactly can employees request access to, how far back can they go, and what should employers avoid doing once a SAR comes in?

Anxious Employer, Glasgow

Dear Anxious Employer,

You’re certainly not alone. Subject Access Requests (SARs) have become increasingly common, particularly during workplace disputes, disciplinary processes, grievances, redundancies, or after an employee leaves the business.

The important thing to remember is this: once a SAR is received, how you respond matters just as much as the information itself. Poor handling can quickly escalate legal and reputational risks.

Here are some key things every employer should know:

Employees can request far more than people realise
A Subject Access Request allows an employee to request copies of personal data a company holds about them. This can include emails, meeting notes, HR files, performance reviews, disciplinary records, Teams or Slack messages, CCTV footage, and even handwritten notes if the individual can be identified.

Requests can go back years
There is no strict limit on how far back an employee can request information. If the organisation still holds the data and it relates to that individual, it may fall within scope. In practice, many SARs cover several years’ worth of records.

Avoid deleting or “cleaning up” information
One of the biggest mistakes employers make is panicking and trying to delete emails, messages, or documents after receiving a SAR. This can create serious legal issues and may be viewed as deliberate destruction of evidence. Once a request is received, preserve everything relevant.

Don’t create unnecessary commentary after the request arrives
Managers sometimes begin discussing the SAR internally through emails or messages that later become disclosable themselves. Keep communication factual, professional, and limited to those handling the process.

Informal messages may still need to be disclosed
Many employers are surprised that casual Teams chats, work-related WhatsApp messages, and even internal jokes about employees can fall within the scope of a SAR. A sensible rule is to avoid writing anything you would not want to read aloud in a tribunal.

Some information can be withheld,  but carefully
There are exemptions around legally privileged advice, confidential references, and third-party data in certain circumstances. However, deciding what can legitimately be withheld should always be handled carefully and ideally with HR, legal guidance or data protection.

You usually have one month to respond
Under UK GDPR rules, employers generally have one calendar month to respond, although this can sometimes be extended for particularly complex requests.

Most importantly, employers should always view SARs as a reminder of the importance of good record-keeping and professional communication, not just when problems arise. In many cases, it’s not the existence of records that creates risk, but the tone, language, or unnecessary commentary within them.

Handled correctly, a SAR is manageable. Handled poorly, it can quickly become evidence in a wider dispute.

Warm regards,
Denise
Your HR Agony Aunt at BeyondHR

Have an HR dilemma you’d like Denise to answer?

We’d love to hear from you. Email your question to denise@wegobeyondhr.com and it could be featured in an upcoming Dear Denise column. All questions remain anonymous.

If you’d prefer a private conversation about your HR challenge, call us on 0800 111 4461  our team is here to help.

You may also be interested in

United Airlines Launches Nonstop Daily Seasonal Service Between Glasgow and Newark/New York

Find out more

Workwear Made Easy delighted to have John Marshall & Son as a valued customer

Find out more

Fèis Phàislig 10-Year Anniversary Concert – Raffle Prizes Sought

Find out more