ARTICLE
6 May 2026

Handling Subject Access Requests With Confidence Under New Data Act

Hunters Law LLP

Data subject access requests have become a burden to HR teams and are often being used as a ‘first strike’ in disputes. However, write Claire Brennan and Catherine Gage, HR has gained several tools to manage DSARs effectively, thanks to the Data (Use and Access) Act 2025.

From 1 January 2027, under the Employment Rights Act 2025, the qualifying period for ordinary unfair dismissal will drop from two years to six months, triggering a surge in tribunal claims. With that increase will come a predictable explosion of pre-litigation data subject access requests (DSARs) under the UK GDPR and the Data Protection Act 2018.

In recent years, DSARs have evolved from a genuine transparency right into a pre-action litigation tactic, deployed to obtain early disclosure and to test an employer’s case. Inevitably, they burden HR teams with extensive searches. In the employment context, DSARs are now routinely used as a first strike, not as a data protection exercise.

The Data (Use and Access) Act 2025 (DUAA) has handed HR professionals a range of lawful tools that recalibrate the balance, allowing organisations to manage DSARs proportionately, defensibly, and strategically.

1. Reasonable and proportionate searches – including managers’ inboxes
The DUAA amends the UK GDPR to make it clear that organisations are only required to conduct reasonable and proportionate searches. Updated Information Commissioner’s Office (ICO) guidance confirms that the scope must be reasonable and defensible rather than exhaustive – with the reasoning well documented.

2. Enhanced protection of third-party data rights and litigation misuse
HR teams have often felt compelled to over-disclose, fearing ICO criticism if redactions were challenged. Witness anonymity, whistleblower confidentiality and grievance protections were regularly eroded by litigation-driven DSARs.

The DUAA does not remove the right of access; rather, it restores confidence that protecting third-party rights, confidentiality and process integrity is not only lawful, but expected.

Redaction of names and identifying details can be applied confidently and proactively where disclosure would cause harm or undermine confidential processes. Summarisation and anonymisation are clearly legitimised as lawful methods of meeting the right of access without enabling tactical misuse: they provide the substance of the personal data without exposing the identities of other parties.

3. Legal professional privilege – clarified and reinforced
Legal professional privilege (LPP) remains a complete exemption from the right of access where it applies. When relying on LPP, HR must be transparent by informing the data subject that information has been withheld, the basis for doing so (so far as possible without waiving privilege) and their right to complain to the ICO. The exemption covers both advice privilege (confidential solicitor-client communications for the purpose of legal advice) and litigation privilege, enabling HR departments to include legal advisers in processes such as disciplinary investigations.

4. Manifestly unfounded or excessive requests
The DUAA retains the UK GDPR Article 12(5) test, allowing data controllers to refuse a request, or charge a fee, where a DSAR is manifestly unfounded or excessive. The ICO confirms this is a high threshold requiring clear evidence and case-by-case assessment.

5. Pseudonymisation – a strategic safeguard, not an exemption
The DUAA does not alter the established UK GDPR rule that pseudonymised data remains personal data where the controller holds the re-identification key. The right of access therefore continues to apply in full: you must retrieve the key, re-identify the data where necessary, and respond lawfully within the statutory framework.

How SARs can be made and privacy policy requirements

Under UK data protection law, a DSAR can be made in writing or verbally, including by e-mail, social media, by post or in person. There are no formal requirements; a valid DSAR exists whenever an individual clearly requests their own personal data.

Organisations are required to provide a privacy notice under the UK GDPR that explains data subject rights, including how to make a DSAR. ICO guidance indicates that providing a standard form for making requests can help organisations recognise and process SARs efficiently, but such forms must state explicitly that this is not the only means by which a DSAR can be made.

Response times: one month, extendable to three
The standard response period is one month. The DUAA clarifies that this can be extended by a further two months (giving a total of three months) where the request is complex or where the controller receives numerous requests from the same individual. To rely on an extension, the HR department must inform the requester within the first month and explain why the extension is necessary.

‘Stop the clock’ clarification
Interestingly, the DUAA introduces a lawful pause mechanism: the one-month response deadline may be paused while the controller seeks necessary clarification from the individual. The clock may also be paused while legitimately awaiting identity verification (but only where the request is not yet “sufficiently clear” or you genuinely cannot proceed without it). You cannot pause the DSAR clock because you are considering charging the requester a fee under Article 12(5) – here you must still respond without undue delay.

The DUAA does not eliminate tactical DSARs. However, it equips HR teams with lawful tools to manage them effectively. The appropriate response is not resistance, but a documented, defensible and proportionate strategy, put in place well before certain Employment Rights Act 2025 changes take effect on 1 January 2027. In practice, that means applying these measures now to employees engaged from 1 July 2026 onwards.

Take tactical control

Unrestricted e-mail systems are far more likely to be caught by a request than well-managed, structured records. HR teams should discourage unnecessary use of e-mail for sensitive matters such as disciplinary discussions, instead directing managers towards controlled formats (for example, standard HR forms or formally retained notes). Personal notes that are genuinely private and not part of a structured set of records used by HR may fall outside the scope of the UK GDPR; however, where such notes are structured, shared electronically (for example via scanning) or used in decision-making, they are likely to be in scope. The focus should be on consistent, necessary, thoughtfully created data and controlled record-keeping – not avoidance.

Information relating to confidential workforce planning may be withheld where disclosure would prejudice the business; similarly, data relating to ongoing negotiations or matters around the effective date of termination (EDT) may be restricted where necessary to protect the employer’s position.

Risk is best controlled upstream through data minimisation, clear retention policies, effective HR systems, trained managers and documented search processes. DSARs are litigation-adjacent exercises and should be handled accordingly.

Originally published by Personnel Today.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
