31 August 2020

What are the 5 things every employment solicitor needs to know about SARs?

Many employment law cases now begin with a Subject Access Request (SAR).

The reason is that it’s a useful way for an employee or former employee to gain information for their case.

Dealing with SARs is a specialised field of law for one excellent reason: it’s extremely complicated.

Get it right, and there can be a great benefit to employment lawyers and their clients, whether they’re individuals or businesses and organisations.

Get it wrong, and there could be missed opportunities or problems further down the line.

Here are the 5 basic things every employment lawyer should know…

1. Verifying the identity of the person making a Subject Access Request, and the authority of any third-party agent, is vital.

Under GDPR, SARs can be made by the person themselves or by a third party.

You must verify the identity of any subjects making their own request.

If a third party is making the request, you must ask for evidence of the third party’s authority to act for the subject and obtain evidence of the identity of the data subject.

Without this verification, you might put personal data in the wrong person’s hands.


2. People making an SAR are not just entitled to all their data, they are entitled to know where it has been shared and for what purpose.

For example, one employer would perhaps share information about an employee just with HMRC and the pension provider, while others may also share information with businesses which provide wellbeing schemes or offers for employees, such as money-off vouchers for eye care.

Your corporate clients need to ensure they can provide this information when replying to an access request.


3. SARs must be complied with within a month, or three months if the request is complex and provided you have told the individual making the request you will need more time.

So, any clients who receive an SAR need to act swiftly.


4. Organisations cannot refuse to deal with an SAR or charge for it unless it is “manifestly unfounded or excessive”. What does this mean? The ICO says a request may be seen as manifestly unfounded if the person has no clear intention to access the information or there’s malicious intent and the SAR is being used to disrupt and harass an organisation.

This could be because that’s stated in the request or communications from the subject, there are unsubstantiated accusations made by them, they are targeting a fellow employee against whom they hold a grudge, or they frequently send different requests to cause disruption. Each situation must be considered individually. Read more here.


5. There is no blanket ban on releasing third-party data when replying to an SAR. Despite the way many people interpret GDPR, the situation is not straightforward and there ARE situations where third-party information would be disclosed in an SAR.

A balancing test must be applied to each individual situation. A precedent for this was set in the case of Rudd v Bridle, where a business which received an SAR was told by a court it must not apply a blanket policy of withholding the identities of other individuals in the response. It was instructed to assess each individual issue.

GDPR says any data released “shall not adversely affect the rights and freedoms of others.” What about situations where that information does not adversely affect the third party? You can read more on this subject in our in-depth blog.

Does your firm need our specialist support? Call us to start the conversation on 029 2000 2339 or email contact@iolis-legal.com

© 2020 IOLIS Ltd. Reg. in England & Wales Num.11968202 For reg. address see contact details | Website designed, hosted, and maintained by Jötnar Systems