News and Publications

Data subject access requests (DSARs): an invaluable tool for employees?

Posted: 15/12/2023

DSARs are, depending on who you speak to, an invaluable tool for individuals seeking access to the personal data held by their employers. 

DSARs can be made for various reasons, although they are often used to elicit critical information that may be hidden beneath the surface in the vast array of databases controlled by companies. They are undoubtedly useful when considering whether to issue an Employment Tribunal claim. 

This article considers the practicalities of submitting a DSAR to an employer or former employer, and their use as a tactic in settlement negotiations, or getting a claim off the ground. 

What is a DSAR?

A data subject access request is a legal right granted by data protection legislation, namely the General Data Protection Regulation (GDPR) and Data Protection Act 2018, which permits individuals to request access to the personal data that organisations, including their employers and ex-employers, hold about them. 

Often, an employer will store thousands of pieces of data about employees on multiple databases, including email, instant messaging and online conferencing software. If you are involved in a dispute with your employer, submitting a DSAR can be a tactical move to uncover important information that can make a real difference to a case.

Pros and cons of making a DSAR

It is relatively simple to submit a DSAR – there is no prescribed form, and they do not need to be in writing (although this is advisable for clarity). There is also no longer a cost to making a DSAR, and there is, therefore, little disadvantage in doing so, either at the pre-claim stage or as part of settlement negotiations.

Employers must respond to a DSAR ‘without undue delay’ and at the latest within one month, although this deadline can be extended by up to two months in the case of complex requests, or if multiple requests have been made. This sets a clear timeframe for obtaining necessary information and can be invaluable in helping an employee prepare a case. However, employers may attempt to delay sending the data or dispute the complexity of the request, leading to potential delays in receiving the information. 

You should factor any possible delays into your timetable and not rely on the employer or former employer providing the information sought before the deadline for submitting the claim, which is typically within three months from the date of the act you are complaining about. Employers are wise to this strict timeframe and will often delay their response for tactical reasons, citing one of the reasons above (among other reasons; see more below). A word of advice: don’t leave a DSAR until the last minute. 

An employer can refuse to respond to a DSAR if it believes the request is ‘manifestly unfounded’ or ‘manifestly excessive’. These terms are not defined anywhere in the legislation, although guidance can be found on the Information Commissioner’s Office (ICO) website. A request can be manifestly unfounded if it is clear that it is being made maliciously, or that there is no intention to do anything with the information provided. Manifestly unfounded exceptions are rare, but you should take care not to phrase a DSAR in such a way or accompany it with threats/comments that could lead the employer to seek to rely on this ground for refusal. A manifestly excessive DSAR could be when it is clearly unreasonable and disproportionate. This does not mean, however, that a request for a wide range of information will be excessive. 

When making a DSAR, and to avoid it being challenged, it is important to strike a balance between requesting solely the information that is relevant and helpful to the case and ensuring nothing is missed, and that the employer is doing an extensive search. Beware, however, that if the employer provides too much information, this may not be helpful, as finding the ‘smoking gun’ may be like finding a needle in a haystack. The employer can also ask to narrow down a request or be more precise about what you are looking for. And remember that the more complex the request, the greater the delay may be in receiving that information.

One drawback of a DSAR is that you cannot directly take action against an organisation if it fails to respond, or does not respond to a DSAR within the required response time. You do, however, have the option to escalate the matter to the ICO if you do not receive a response to the DSAR, and the ICO may take enforcement action and other remedial steps against an organisation, including issuing a fine. From experience, the ICO tends to focus on the bigger fish. Therefore, be warned that this threat may sound good in theory, but unless the employer is already in the ICO’s firing line, in practice, a complaint might amount to next to nothing.

Privacy rights

When responding to a DSAR, employers must balance the right to access personal data, the right to privacy and confidentiality of other individuals, and the employer's need to protect its confidential information. In practice, this means that employers may choose to redact or withhold certain information to protect ‘sensitive’ data. Relevant evidence may not be disclosed or disclosed in full, leaving you to piece together information. 

But all is not lost; these scraps or data gaps may provide more information than expected, as they may direct you to areas to focus on. The good news is that if you proceed to issue a claim, this redacted information can be challenged as part of the disclosure process, which is much more rigorous and demanding than any DSAR process.  

Organisations must justify redactions and demonstrate that they are necessary to protect the privacy of individuals or the company’s confidential information. If you think the redactions are unjustified, you can challenge them through the ICO in the first instance but also, more importantly, during Employment Tribunal or court proceedings, where it will be much more difficult for the employer to resist. 

Deploying a DSAR

DSARs are a powerful tool, both at the pre-claim stage and also during settlement negotiations. Submitting a DSAR can reveal internal communications, performance reviews, emails, and other documents that shed light on the employer's actions or motivations, strengthening a case and making it harder for the employer to mount a defence. 

The threat of the ‘smoking gun’ that could be revealed by a DSAR may push employers into negotiating a settlement rather than defending a claim and facing any potential reputational damage from the information that is disclosed in response. 

Even where employers are confident, rightly or wrongly, that they have nothing to hide, a DSAR, whether actual or threatened, can put pressure on them to settle, if only to avoid the considerable work and costs in time and money involved in responding to such requests. Employers will be well used to employees ‘trying it on’ and making empty threats of court proceedings to extract a settlement – submitting a DSAR is a simple and cost-effective step that can show the employer that you do, in fact, mean business.

In conclusion

Submitting a DSAR can be a strategic and powerful move for employees considering issuing proceedings against an employer or former employer, or attempting to negotiate a fair settlement. The information revealed by a DSAR could be the ‘smoking gun’ that gets a case off the ground and, at the very least, may encourage the employer to enter settlement negotiations rather than deal with the request.  

While there are limitations in the DSAR process, including response time, possible redaction of information, and privacy concerns, the potential to uncover critical evidence and the pressure put on the employer will generally outweigh any drawbacks. 

A DSAR can be a powerful weapon in your arsenal and can make all the difference in achieving a satisfactory resolution of a dispute.

Arrow GIFReturn to news headlines

Penningtons Manches Cooper LLP

Penningtons Manches Cooper LLP is a limited liability partnership registered in England and Wales with registered number OC311575 and is authorised and regulated by the Solicitors Regulation Authority under number 419867.

Penningtons Manches Cooper LLP