Subject Access Request

(17 Posts)
chocolateworshipper Wed 05-Jun-19 20:42:38

Has anyone submitted a SAR to their employer and have any tips on do's an don'ts? I am thinking about leaving anyway, so not worried that it might upset management or whatever.

OP’s posts: |
daisychain01 Wed 05-Jun-19 23:02:27

I wouldn't put in a SAR unless you have a valid reason to do so. If you're intending to leave, what is the purpose of your SAR?

They are normally submitted in conjunction with a grievance, because the goal of an SAR is to find out information held about you.

AlwaysCheddar Thu 06-Jun-19 06:09:27

Give clear parameters, such as what dates to cover, is it your hr record you want or all references to you in whatever format held by your boss, joe blogs and a n other.

AgnesNaismith Thu 06-Jun-19 06:19:45

They don’t need to know the purpose and you don’t have to be specific. It also doesn’t have to be in relation to a grievance.

You have the right to request all data on file. The best way to do this is reference GDPR, call it a DSAR (data subject access request) and remind them they have 30 days. It may take longer depending on how long you’ve been there, they will let you know - but you should get all HR files, Finance files, all emails (with others names redacted) and instant messages referencing you.

Cuppa12345 Thu 06-Jun-19 06:23:14

If you request all data on file then depending on how big a job it'll be, they may be able to say its not possible for them to collate it all.

Being specific is going to help you. Do you want emails between. Particular people over the last year, say your manager and their manager since June 2018? They are unlikely to refuse that.

Think about the purpose of your request and then ask for that information only, so they can't say its disproportionate effort

daisychain01 Thu 06-Jun-19 10:27:20

Here is a letter template recommended by the ICO. They state it is helpful to keep the SAR limited to specific dates because if it is deemed to be a vexatious request or one that could be deemed ' manifestly unfounded or excessive ’ they may decline the request citing that reason. Hence my point upthread to be clear why you want it. You have the right, but you also have responsibilities.

Letter template

[Your full address]

[Phone number]

[The date]

[Name and address of the organisation]

Dear Sir or Madam

Subject access request

[Your full name and address and any other details to help identify you and the data you want.]

Please supply the data about me that I am entitled to under data protection law relating to: [give specific details of the data you want, for example:

my personnel file
emails between ‘person A’ and ‘person B’ (from 1 June 2017 to 1 Sept 2017)
my medical records (between 2014 and 2017) held by ‘Dr C’ at ‘hospital D’
CCTV camera situated at (‘location E’) on 23 May 2017 between 11am and 5pm
copies of statements (between 2013 and 2017) held in account number xxxxx.]
If you need any more data from me, or a fee, please let me know as soon as possible. It may be helpful for you to know that data protection law requires you to respond to a request for data within one calendar month.

If you do not normally deal with these requests, please pass this letter to your DataProtection Officer, or relevant staff member. If you need advice on dealing with this request, the Information Commissioner’s Office can assist you. Its website is or it can be contacted on 0303 123 1113.

Yours faithfully


FFSeverynameisused Thu 06-Jun-19 11:02:04

could an organisation just dismiss any request as vexatious or excessive though?

And does 'excessive' depend on the size of the organisation?

eg my employer has over 5000 employees so would they be less justified in calling a request for all data held on me 'excessive' than a wee 50 employee organisation?

Sorry to hijack the thread!

Cuppa12345 Thu 06-Jun-19 12:02:06

If they have a single staff member doing these and someone says I want everything ever - emails, files, etc. The org could decline but would have to justify this if the person complained to the ICO. They could say: "we did a search, 10000 emails came up for the last 15 years employment, we don't have the resource as a company to begin to verify whether these are relevant or contain sensitive or personal information of others.

If you say I want emails between 2 specific people for 5 years and 100 come up, and you have a team of people working on SAR, the ICO would probably agree with the employee is wasn't disproportionate effort.

The more specific you can be, the harder the org can say its too much work.

daisychain01 Thu 06-Jun-19 12:48:02

And does 'excessive' depend on the size of the organisation?

A very relevant question! Company size and set up is indeed important. What ICO is controlling against is a disgruntled member of staff/customer/service consumer bombarding a small company with an impossibly time consuming activity that saps their limited resource.

So, yes, a giant blue-chip company with 30 staff allocated to activities that might include SAR processing, is a very different proposition to a 1 woman and her dog SME, where the dog has to do the SARs grin and make the tea

FFSeverynameisused Thu 06-Jun-19 13:54:45

thanks - in my company there is only one person with the specific title of DPO but he is a 'trainee' DPO so there must be others. Its a big organisation.

I put in a SAR for 2 specific documents and also everything held on file about me.

I have a very good reason to request the latter, but I have been working there for 16 years so it might be considered excessive? However, I need to know if my suspicion about something is correct.

chocolateworshipper Thu 06-Jun-19 15:40:28

Thank you all for the input - I really appreciate it and it's very very helpful.

OP’s posts: |
Cuppa12345 Thu 06-Jun-19 17:47:44

If they say that, then ask that they exclude letters you've already been the recipient of and if they redact it, they can give you a time and date to go and look at the file yourself. It'll mean they can't say it'll be too much work to scan or photocopy it all in advance. You should be given the opportunity to see it and make your own copies as an option.

yummumto3girls Thu 06-Jun-19 21:20:20

Just be sensible with this, if there is something specifically you are seeking then ask for it. Set specific timeframes/people/ subjects etc and you are more likely to get the information you are seeking. If you ask for everything then there is no responsibility to put this in any order and you could just receive hundreds of pages of random information that is of no use to you.

Rosasey Thu 28-Jan-21 18:05:30

@daisychain01@AgnesNaismith is it possible to request GDPR during early conciliation or do we need to request it before it?
Thanks in advance.

AgnesNaismith Thu 28-Jan-21 18:37:26

This is an old thread smile

GDPR is the regulation - general data protection regulation

That covers what I think you’ll be asking for which is a data subject access request, to get all of your data

You can request this at any time - use the template above!

Rosasey Thu 28-Jan-21 19:36:07

@AgnesNaismith thanks. Yes thats what I meant.

AgnesNaismith Thu 28-Jan-21 20:52:48

No worries - good luck flowers

Join the discussion

To comment on this thread you need to create a Mumsnet account.

Join Mumsnet

Already have a Mumsnet account? Log in