Home / News / Subject Access Requests (SARs), Grievances & Appeals

Subject Access Requests (SARs), Grievances & Appeals

subject access request image
August 7, 2025|

Why They’re Increasing and How Employers Should Respond

At HR:4UK, we’ve recently seen a noticeable rise in the number of Subject Access Requests (SARs) submitted by employees—often closely followed by grievances or appeals after disciplinary action has been taken. While SARs are a legitimate legal tool under the UK GDPR and Data Protection Act 2018, it’s important that employers understand both their obligations and the wider context in which these requests are being used.

It’s worth acknowledging that this increase may not always be driven by a genuine concern about personal data. In some cases, SARs appear to be used tactically—intended to delay internal processes, build a counter-narrative, or simply frustrate the employer.

A well-known comedian recently went viral after suggesting that if someone had a gripe with a local business, they should “fire off a Subject Access Request” just to make life difficult for them. Unfortunately, this sentiment is beginning to trickle into the workplace.

Coupled with the rise of AI tools like ChatGPT, which employees can easily consult for advice, we believe many disgruntled individuals are now being guided—accurately or not—on how to use SARs to challenge or complicate disciplinary action.

For employers, this can feel frustrating—but it’s important to separate your emotional response from your legal obligations. A well-handled SAR can actually support your case by demonstrating that the organisation has acted transparently and within the law.

Mishandling a SAR, on the other hand, can lead to complaints to the Information Commissioner’s Office (ICO), reputational damage, and even claims for compensation.

Understanding the Link Between SARs, Grievances, and Appeals

We are increasingly seeing a pattern where an employee is subject to a disciplinary process, and a SAR is submitted shortly thereafter. This is often followed by a grievance about the process or an appeal against the outcome. While some of these may be legitimate, others appear to be part of a more strategic attempt to undermine or delay internal procedures. For employers, this can feel frustrating—but it’s important to separate your emotional response from your legal obligations.

A well-handled SAR can actually support your case by demonstrating that the organisation has acted transparently and within the law. Mishandling a SAR, on the other hand, can lead to complaints to the Information Commissioner’s Office (ICO), reputational damage, and even claims for compensation.

What is a Subject Access Request (SAR)?

A SAR allows an individual to request access to the personal data that an organisation holds about them. This can include emails, notes, messages, performance reviews, absence records, and even internal correspondence where the individual is identified or identifiable. Employers are legally obliged to respond to these requests within one calendar month, though this can be extended by a further two months for complex requests. Importantly, there is no cost to the employee for making a SAR, and employers cannot refuse simply because the request feels obstructive or is made in bad faith.

How Should Employers Respond to a SAR?

When a SAR is received, it’s essential to treat it seriously and act promptly. The clock starts ticking as soon as the request is received. Employers should:

  1. Acknowledge the request as soon as possible, confirming the date of receipt.
  2. Clarify the scope of the request if needed. If the request is overly broad (e.g. “all data you hold on me”), you can ask the employee to narrow it down, but you cannot delay your response while waiting.
  3. Locate all relevant data—this may include emails, messages, reports, and handwritten notes across various platforms and devices.
  4. Redact third-party information—you must protect the privacy of other individuals whose personal data may appear in the documents.
  5. Ensure transparency—your response should be clear, structured, and include an explanation of where the data was sourced from and how it has been used.

Employer Obligations and Best Practices

Staying compliant and should be internal read for such requests. Employers should ensure they have appropriate processes and training in place to deal with SARs efficiently. This includes:

  • Designating a responsible person or team (e.g. HR or Data Protection Officer) to manage requests.
  • Keeping clear records of how and when requests are received and responded to.
  • Using redaction tools and templates to manage third-party data lawfully.
  • Reviewing internal communications regularly—remind managers that anything they put in writing could one day be disclosed as part of a SAR.
  • Communicating professionally at all times during disciplinary or grievance procedures—remember, tone and language matter and could be scrutinised later.

Final Thoughts

While SARs are a legal right, their increasing use as a tactical tool rather than a data protection measure is a trend employers should be aware of. Managing them correctly—by understanding your obligations, acting promptly, and maintaining a calm, process-driven approach—can help protect your organisation and uphold fair procedures.

If you are facing a SAR or expect one to follow disciplinary action, we recommend seeking professional advice early on to ensure you are fully compliant and well-prepared.

If you have any concerns or would like support in handling a SAR or related grievance, our team at HR:4UK is here to help.

Angela Clay

A qualified employment law solicitor and our managing director, Angela has unparalleled legal expertise and decades of experience and knowledge to draw from. She’s a passionate speaker and writer that loves to keep employers updated with upcoming changes to legislation, and is a regular guest speaker on BBC Leicester Radio.

Want more practical HR insights?