Data Subject Access Requests (DSARs)

What is a Data Subject Access Request (DSAR)?

In today’s workplace, where communication is fast, informal, and often done at the click of a button, it is easy for managers to forget that every written word carries weight. Emails, Teams messages, internal notes and even quick “off the cuff” comments shared between colleagues are not as private as they may feel in the moment. Increasingly, I find myself cringing when reviewing internal correspondence during a case, not because of the issue itself, but because of what has been committed to writing. The reality is simple: if an employee submits a Data Subject Access Request (DSAR), those words could come back to haunt you.

A Data Subject Access Request, commonly referred to as a DSAR, is a legal right granted under the UK General Data Protection Regulation (UK GDPR). It allows individuals to request access to the personal data an organisation holds about them. This includes not only formal documents such as contracts, disciplinary letters, and performance reviews, but also emails, internal discussions, handwritten notes, and messaging platform conversations where the individual is identified or identifiable. In practical terms, if you have written something about an employee, there is a strong likelihood they will be entitled to see it.

Why DSARs Matter for Managers and Employers

From an employer’s perspective, the DSAR process can be time-consuming and resource-heavy, but the real risk lies in what is uncovered. Managers often underestimate how informal communication can undermine an otherwise fair and well-managed process. A carefully conducted disciplinary or performance process can quickly unravel if internal emails reveal bias, inappropriate language, or premature conclusions.

It is not uncommon to see messages where a manager has described an employee as “lazy”, “difficult”, or “a nightmare to manage”, or made assumptions about their health, personal circumstances, or intentions. While these comments may have been written in frustration or as part of a candid exchange with HR, they can appear highly unprofessional and, in some cases, discriminatory when disclosed as part of a DSAR response. This is where the risk moves beyond embarrassment and into potential legal exposure.

The Hidden Risk in Everyday Workplace Emails

The key issue with Data Subject Access Requests is not just about tone, but about evidence. In employment disputes, consistency and fairness are critical. If a manager’s written communications suggest that a decision was made before a formal process was completed, or that they had already formed a fixed view of the employee, this can seriously damage the employer’s position.

A DSAR can expose inconsistencies between what was documented formally and what was said behind the scenes. This is often where cases begin to unravel, not because the original issue lacked merit, but because the written narrative tells a different story. Internal emails and messages can unintentionally create a paper trail that contradicts the official process, raising questions about fairness, objectivity, and procedural integrity.

When Informal Communication Becomes a Legal Risk

Another common pitfall is the use of humour or sarcasm in written communication. What may feel like harmless banter between colleagues can read very differently when taken out of context and reviewed by a third party, such as an employment tribunal. Without tone of voice or relationship context, comments can appear harsh, dismissive, or even offensive.

This risk is particularly heightened when discussing sensitive matters such as sickness absence, mental health, or performance concerns. Written communication removes nuance, leaving only the words themselves to be interpreted. What was intended as a light-hearted comment can easily be perceived as insensitive or inappropriate, particularly when disclosed through a DSAR.

Emails to HR Are Not Protected

There is also a tendency for managers to “vent” in emails to HR, using them as a sounding board. While HR is there to support and guide, these communications are not protected from disclosure simply because they are internal. In fact, emails to HR can be some of the most damaging, as they often contain unfiltered opinions or frustrations.

I completely understand why managers do this, it is human nature, but it is precisely these moments that require the most discipline. If you would not be comfortable seeing your words read aloud in a tribunal or reviewed by the employee concerned, they should not be written down. A DSAR does not distinguish between formal and informal communication, it simply looks at whether personal data exists.

Can Employers Withhold Information in a DSAR?

It is important to acknowledge that not all data is automatically disclosable under a Data Subject Access Request. There are exemptions within UK GDPR, such as legally privileged information or data that relates to other individuals. However, these exemptions are limited in scope and must be applied carefully and lawfully.

Employers cannot rely on exemptions as a safety net for poorly judged communication. Attempting to withhold information incorrectly can create further legal risk and damage credibility. The most effective approach is to operate on the assumption that anything written about an employee could be disclosed and to ensure that all communication reflects that reality.

Best Practice for Managers: Writing with DSARs in Mind

Good practice in the context of DSARs is not about avoiding written communication, but about improving its quality. Managers should focus on professional, objective, and evidence-based language. Rather than making subjective statements about an employee’s attitude or behaviour, it is far more appropriate to document specific examples, outcomes, and facts.

For example, describing missed deadlines, incomplete tasks, or measurable performance concerns creates a far stronger and more defensible record than relying on opinion or emotion. This approach not only reduces risk in the event of a DSAR but also strengthens overall HR processes and decision-making.

Why DSAR Training is Essential for Managers

Training and awareness are critical when it comes to Data Subject Access Requests and employee data rights. Many managers are simply unaware of the implications of what they write, particularly in a culture where quick emails and instant messaging are the norm.

Educating managers on DSARs, UK GDPR, and the potential for disclosure can significantly improve standards of communication. When managers understand that their emails and messages could be read by the employee concerned, it naturally encourages a more considered, professional, and compliant approach.

Final Thoughts: Write Every Email as if It Will Be Seen

Ultimately, Data Subject Access Requests are not something to fear if internal communications are handled correctly. They serve as an important reminder of the need for transparency, professionalism, and accountability in the workplace.

However, they also expose a harsh truth: the real risk is rarely in the formal HR process itself, but in the informal commentary that surrounds it. The emails sent in haste, the messages written in frustration, and the casual remarks shared between colleagues are often where the greatest risk lies.

If there is one message to take away, it is this: write every email as though the employee will read it, because one day, they just might.