If you have ever been in receipt of a Subject Access Request (SAR) from an employee or, ex-employee, you will know how very resource and time consuming they can be. At HR Champions we have seen more SARs being requested amongst our clients, usually by disgruntled employees. They often arise because the employee is looking for something against which they can make a claim.

The potential impact and effect that a SAR can have is, on its own, a good reason to pay attention to how you handle employee data.

Simply put, on receipt of a SAR an employer (although this could be any organisation that holds data about individuals) is obliged to provide any and all information about, and which identifies the individual in question.

Employee records will of course comprise some of this information, including records and notes regarding any disciplinary actions. You will also have to include any communications that identify or mention the individual, and in the digital and e-mail age this could amount to many thousands of pages.

Additionally, communications across other platforms will have to be included; so text messages, Whatsapp and Twitter, if you use these in your business for communication purposes; all adding to the pile.

To make matters worse, in providing this information, you must also keep private the personal details and information of other individuals. You may therefore find yourself having to redact others’ names and details from the information you collect.

You may have cursed GDPR legislation when it was introduced back in May 2018, but by keeping to some of its principles you may reduce your burden should you ever receive a SAR. To remind you, the six lawful reasons why you might process and retain personal data are:

• Consent: the individual has given clear and informed consent for you to process their personal data for a specific purpose
• Contract: the processing of data is necessary for you to fulfil a contract you have with the individual, or because they have asked you to take certain steps before entering into a contract
• Legal obligation: you are processing the data to comply with the law (not including contractual obligations)
• Vital interests: the processing is necessary to protect someone’s life
• Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
• Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason that overrides this

Therefore, if you only hold onto data for as long as is strictly necessary, you’ll minimise the amount of work you’ll have to do should a SAR ever land on your desk. For example:

Job applicants can enter a claim if they think that they have been discriminated against during the recruitment process but the time period to bring a claim is usually three months. Therefore, safely dispose of information collected during the recruitment process after this time.

Although it varies between companies, disciplinary action should only stay on an employee’s file for twelve months, after which it cannot be taken into consideration. Holding onto this information for any longer therefore holds no purpose so you might consider just getting rid of it. This will also mean any notes and comments are disposed of too.

You might consider following The CIPD’s advice to keep employee records including training and disciplinary records for six years after the employee has left the organisation’s employment. However we think that it would be very difficult to justify why you would need to hold information for that length of time.

Unless e-mails are work critical, keep on top of inboxes and delete anything that is no longer required. Even if e-mail content is innocent, you will still have to provide it if the individual is mentioned and you might then have to redact anyone else’s details, all of which costs time. If you have sensitive information to share about an individual via e-mail, consider using a code for the person concerned. If they can’t be identified, you don’t have to provide the information.

Communication threads on Whatsapp etc; delete regularly so you only keep current discussions and communications. There’s little point holding onto chats that are year’s old and that will only add to the information you must provide.

Payroll data you need to keep for six years for inland revenue purposes and Right to Work information must be held for up to two years after the employee has left to satisfy Home Office rules. Otherwise, after the three months has passed to make a Tribunal claim (six months for redundancy), there’s really no need to hold onto employee information.

Under GDPR, and Data Processors who hold information on your behalf might also need to provide information on the application of a SAR so make sure you are protected with a robust Data Processor Agreement to show that you have taken reasonable steps to keep information protected.

You can’t stop someone applying for a SAR but by following these tips you might just minimise the amount of work you have to do if one ever arises.

For help and guidance with any aspect discussed here, call us on 01452 331331 or e-mail This email address is being protected from spambots. You need JavaScript enabled to view it.