31 August 2020

What are the 5 things every employment solicitor needs to know about SARs?

Many employment law cases now begin with a Subject Access Request (SAR).

The reason is that it’s a useful way for an employee or former employee to gain information for their case.

Dealing with SARs is a specialised field of law for one excellent reason: it’s extremely complicated.

Get it right, and there can be a great benefit to employment lawyers and their clients, whether they’re individuals or businesses and organisations.

Get it wrong, and there could be missed opportunities or problems further down the line.

Here are the 5 basic things every employment lawyer should know…

1. Verifying the identity of the person making a Subject Access Request, and the authority of any third-party agent, is vital.

Under GDPR, SARs can be made by the person themselves or by a third party.

You must verify the identity of any subjects making their own request.

If a third party is making the request, you must ask for evidence of the third party’s authority to act for the subject and obtain evidence of the identity of the data subject.

Without this verification, you might put personal data in the wrong person’s hands.


2. People making an SAR are not just entitled to all their data; they are also entitled to know where it has been shared and for what purpose.

For example, one employer would perhaps share information about an employee just with HMRC and the pension provider, while others may also share information with businesses which provide wellbeing schemes or offers for employees, such as money-off vouchers for eye care.

Your corporate clients need to ensure they can provide this information when replying to an access request.


3. SARs must be complied with in a month, or three months if the request is complex and provided you have told the individual making the request you will need more time.

So, any clients who receive an SAR need to act swiftly.


4. Organisations cannot refuse to deal with an SAR or charge for it unless it is “manifestly unfounded or excessive”. What does this mean? The ICO says a request may be seen as manifestly unfounded if the person has no clear intention to access the information or there’s malicious intent and the SAR is being used to disrupt and harass an organisation.

This could be because that’s stated in the request or communications from the subject, there are unsubstantiated accusations made by them, they are targeting a fellow employee against whom they hold a grudge, or they frequently send different requests to cause disruption. Each situation must be considered individually.


5. There is no blanket ban on releasing third-party data when replying to an SAR. Despite the way many people interpret GDPR, the situation is not straightforward and there ARE situations where third-party information would be disclosed in an SAR.

A balancing test must be applied to each individual situation. A precedent for this was set in the case of Rudd v Bridle, where a business which received an SAR was told by a court it must not apply a blanket policy of withholding the identities of other individuals in the response. It was instructed to assess each individual issue.

GDPR says any data released “shall not adversely affect the rights and freedoms of others.” What about situations where that information does not adversely affect the third party? You can read more on this subject in our in-depth blog.

Does your firm need our specialist support? Call us to start the conversation on 029 2000 2339 or email contact@iolis-legal.com

© 2020 IOLIS Ltd. Reg. in England & Wales Num.11968202 For reg. address see contact details | Website designed, hosted, and maintained by Jötnar Systems