< Back

Share |

Use of subject access requests in employment disputes

November 2013

A weapon for employees?

Despite the Court of Appeal case of Durant v FSA making it clear that employees should not use Subject Access Requests (SARs) to embark on "fishing expeditions", it would appear that employees are continuing to do just that. SARs are often used as a mechanism for pre-action disclosure by current or former employees for the purposes of actual or intended litigation. Whilst the Civil Procedure Rules and the Tribunal Rules require employees to demonstrate the relevance of documents disclosed, no justification is required to submit a SAR. Plus at a cost to the employee of just £10 (which many employers choose to waive), it is a relatively easy and cheap tactic for employees to use.

DataIn contrast, employers face the time consuming, costly and complex process of searching through large amounts of computerised and non-computerised data.  If an employee insists that they want all personal data relating to them, subject to the exemptions outlined below, there is little the employer can do other than to undertake an exhaustive search. When made in the midst of a dispute or with a dispute on the horizon, along with the threat of enforcement by the ICO, the pressure on employers can be intense. 

The Code

Given that enforcement of SARs is largely in the hands of the ICO, its new Code published in August 2013 is proving to be a helpful resource for employers in ensuring compliance, whilst minimising the impact on the business.

Its key practical tips include:

  • having a written policy which identifies where data is located, how it is processed and the company's approach to SARs;
  • managing expectations by acknowledging receipt of SARs and informing the employee of the date by which they will receive a response. Negotiating the scope of the request and asking for additional details to help locate specific information is also good practice;
  • maintaining a system which tracks the progress of applications, the steps taken to locate data, and the reasons for redactions or the use of exemptions (which can all be relayed to the employee in the response). Having a specific individual or team responsible ensures that SARs are dealt with efficiently and within the 40 day limit; and
  • ensuring data is organised (indexes, contents pages and clear descriptions etc can make it easier to deal with SARs quickly).

What are the exemptions?

Employers should also be aware of the range of exemptions on which they can rely to avoid disclosure of particular data, including:

  • MalletLegal professional privilege: any data regarding the giving or receiving of legal advice, by solicitors or barristers, will not be disclosable. However, there are greyer areas, for example where in-house counsel is copied in on emails as a matter of course, the data is unlikely to be exempt, unless they are being consulted specifically for legal advice.
  • Management forecasting or planning: disclosure is not required where it would prejudice the conduct of the business. For example, an employer does not have to disclose a staff redundancy programme in advance of it being formally announced to the workforce. 
  • Health records: are not required to be disclosed where this would cause serious harm to the physical or mental health of the employee or another person. Employers should consult with appropriate professionals before assessing this.
  • Information relating to a third party who can be identified from the information: does not need to be disclosed unless that third party consents or it is reasonable to comply without consent. It may be reasonable, for example, where the third party is the employee's supervisor or line manager. However, whilst third party information should be redacted where appropriate, the employee's personal data should be disclosed if it does not fall within any of the exemptions.
  • Confidential references:  these sometimes need to be given about an individual, for example an employee reference. Whether an exemption applies to the reference will depend on whether it is a reference that has been given by an employer or received by them.  References that are given, where these are confidential and for purposes such as employment, are exempt but this is not the case for references that are received from a third party.

Practical tips for employers

Although the Code provides practical guidance and some glimmers of hope about how the ICO will exercise its discretion, it does not reduce the burden on employers in complying.  Employers should therefore also consider the following practical tips:

  • be careful what is sent in written form (e.g. by email).  It is sensible to discuss sensitive information in person or by telephone, so that it is not documented and therefore disclosable;
  • simply copying a lawyer into an email will not necessarily mean that it attracts legal privilege.  For the privilege exemption to apply, the lawyer must be giving legal advice or litigation must be reasonably contemplated.  Note that even if an email attracts legal privilege, this can be lost when forwarded;
  • keep a list of systems, devices and locations where personal data may be found.  This will assist both with an efficient response and with other data privacy issues, such as responding to data security breaches; and
  • seek legal advice about the commercial reality of the situation. 

HandshakeIt does not look like SARs are going to reduce in number any time soon so employers should do what they can to ensure they are prepared to deal with SARs in the most timely and cost effective manner.   


If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Amy Sinclair

Amy Sinclair      

Amy looks at the use of SARs by employees in employment disputes and how best employers can manage the headache.

"SARs are often used as a mechanism for pre-action disclosure by current or former employees, for the purposes of actual or intended litigation. "