IOLIS Legal Services

31 August 2020

5 things every employment solicitor needs to know about SARs

Many employment law cases now begin with a Subject Access Request (SAR).

The reason is that it’s a useful way for an employee or former employee to gain information for their case.

Dealing with SARs is a specialised field of law for one excellent reason: it’s extremely complicated.

Get it right, and there can be a great benefit to employment lawyers and their clients, whether they’re individuals or businesses and organisations.

Get it wrong, and there could be missed opportunities or problems further down the line.

Here are the 5 basic things every employment lawyer should know…

1. Verifying the identity of the person making a Subject Access Request, and the authority of any third-party agent, is vital.

Under GDPR, SARs can be made by the person themselves or by a third party.

You must verify the identity of any subjects making their own request.

If a third party is making the request, you must ask for evidence of the third party's authority to act for the subject and obtain evidence of the identity of the data subject.

Without this verification, you might put personal data in the wrong person’s hands.


2. People making an SAR are not just entitled to all their data, they are entitled to know where it has been shared and for what purpose.

For example, one employer would perhaps share information about an employee just with HMRC and the pension provider, while others may also share information with businesses which provide wellbeing schemes or offers for employees, such as money-off vouchers for eye care.

Your corporate clients need to ensure they can provide this information when replying to an access request.


3. SARs must be complied with within a month, or three months if the request is complex, provided you have told the individual making the request that you will need more time.

So, any clients who receive an SAR need to act swiftly.


4. Organisations cannot refuse to deal with an SAR or charge for it unless it is “manifestly unfounded or excessive”. What does this mean? The ICO says a request may be seen as manifestly unfounded if the person has no clear intention to access the information or there’s malicious intent and the SAR is being used to disrupt and harass an organisation.

This could be because the intent is stated in the request or in communications from the subject, because they make unsubstantiated accusations, because they are targeting a fellow employee against whom they hold a grudge, or because they frequently send different requests to cause disruption. Each situation must be considered individually.


5. There is no blanket ban on releasing third-party data when replying to an SAR. Despite the way many people interpret GDPR, the situation is not straightforward and there ARE situations where third-party information would be disclosed in an SAR.

A balancing test must be applied to each individual situation. A precedent for this was set in the case of Rudd v Bridle, where a business which received an SAR was told by a court it must not apply a blanket policy of withholding the identities of other individuals in the response. It was instructed to assess each individual issue.

GDPR says any data released “shall not adversely affect the rights and freedoms of others.” What about situations where that information does not adversely affect the third party? You can read more on this subject in our in-depth blog.

Does your firm need our specialist support? Call us to start the conversation on 029 2000 2339 or email contact@iolis-legal.com

IOLIS Legal Services is a trading style of IOLIS Ltd. Regd in England & Wales. Company Number 11968202. Regd office: C5 Business Centre, C5 North Road, Bridgend Industrial Estate, Bridgend, Wales, CF31 3TP. Total paid up share capital £10.
© 2023 IOLIS Ltd. | Website designed, hosted, and maintained by Jötnar Systems