Employee DSARs are the hardest to get right. A departing employee's request can generate thousands of pages spanning years of email, HR records, performance reviews, grievance files, and internal chat messages. Every document contains PII belonging to managers, colleagues, clients, and other staff — all of which must be identified and redacted before disclosure.
This guide is written for HR managers, DPOs, and compliance teams handling employee access requests. It covers what makes employee DSARs uniquely challenging, which exemptions apply, how to handle common document types, and how to reduce processing time from weeks to days.
Why employee DSARs are different
Customer DSARs typically involve structured data: account records, transaction history, support tickets. The data is relatively contained and the PII patterns are predictable. Employee DSARs are an entirely different challenge.
An employee's personal data is scattered across every system in the organisation: email, HR information systems, payroll, performance management, project tools, instant messaging, shared drives, and physical files. A single employee's data footprint might include thousands of emails where their name appears in headers, body text, CC fields, and signatures — alongside the names and details of dozens of colleagues, clients, and external contacts.
Employee DSARs also carry higher stakes. They frequently arrive in the context of workplace disputes: disciplinary proceedings, grievances, redundancy situations, discrimination complaints, or unfair dismissal claims. The requester may be building a case for litigation. The documents you disclose (and how you redact them) may later be scrutinised by employment tribunals, judges, and opposing counsel.
Common triggers for employee DSARs
Understanding why employees submit DSARs helps you anticipate the volume and complexity of the response. The most common triggers are disciplinary proceedings (the employee wants to see all records and communications about the process), grievance investigations (seeking evidence of how the grievance was handled internally), redundancy or restructuring (looking for evidence that the selection process was fair), performance improvement plans (wanting to see manager notes, emails about their performance, and who was involved in decisions), and pre-litigation intelligence (a solicitor advises the employee to submit a DSAR before filing a tribunal claim).
In each scenario, the employee already knows much of their own data exists. What they're seeking is the context — what was said about them internally, who made decisions, what reasoning was applied. This context is personal data they're entitled to, but it's deeply intermingled with other people's information.
Document types and redaction challenges
Emails
Email archives are typically the largest component of an employee DSAR. Each email thread contains sender and recipient addresses, CC/BCC fields, display names, signatures with phone numbers and titles, and forwarded content with embedded third-party information. A single email chain about a performance review might contain PII for the employee, their manager, the HR business partner, and three colleagues mentioned in the discussion.
HR records
HR records include personnel files, contracts, benefits enrolment, absence records, return-to-work notes, occupational health referrals, and payroll data. These are highly structured and contain dense PII. Payroll records may include bank account details for the employee (disclose) alongside payroll administrator details (redact).
Performance reviews and appraisals
These contain the employee's personal data (their review) but also reference other employees' performance, contain manager opinions that may reveal the manager's identity, and may include calibration discussions comparing the employee to named colleagues.
Disciplinary and grievance files
These files comprise investigation notes, witness statements, panel decisions, and appeal outcomes. Witness statements present a particular challenge: the employee may be entitled to know what was said about them, but the witness may have provided information in confidence.
Instant messaging and chat
Slack, Teams, and WhatsApp messages are increasingly part of DSAR responses. These contain rapid-fire exchanges with minimal structure, making automated PII detection essential. Group channels may contain hundreds of participants' names and contact details.
Key exemptions for employee DSARs
Confidential references (DPA 2018, Schedule 2, Part 3, Para 24)
References given or received in confidence for employment, education, or training purposes are exempt from disclosure. This applies to references your organisation gave about the employee to another employer, and references you received about the employee during recruitment. Note: this exemption protects the reference itself, not the fact that a reference was provided.
Management forecasting (Schedule 2, Part 3, Para 22)
Personal data processed for management planning can be withheld if disclosure would prejudice the business — for example, redundancy planning documents that reveal which roles are at risk before a formal announcement.
Negotiations (Schedule 2, Part 3, Para 23)
Records of the organisation's negotiating intentions can be withheld if disclosure would prejudice the negotiations. This covers settlement discussions, salary negotiation strategy, and similar internal planning.
Legal professional privilege
Privilege covers communications with lawyers for the purpose of obtaining legal advice, and documents created for the dominant purpose of litigation. Internal emails between HR and legal about the employee's case may qualify. Internal emails between HR managers that don't constitute legal advice generally do not.
Important: Exemptions are not blanket permissions to withhold. Each must be applied on a document-by-document, data-item-by-data-item basis. You must still disclose any non-exempt personal data within an otherwise-exempt document. And you must document your reasoning for every exemption applied.
Handling third-party data in employee DSARs
The ICO's balancing test is particularly nuanced for employee DSARs. Consider a performance review written by the employee's manager. The manager's name, opinions, and writing style are all potentially identifiable — but the employee may already know who their manager is. Redacting the manager's name when the employee had a single reporting line is arguably futile and may render the document unintelligible.
The ICO advises considering whether the third party would reasonably expect their data to be disclosed in this context. A manager conducting a formal appraisal might reasonably expect the employee to see the review. A colleague who provided confidential input during a grievance investigation would not.
Practical approach: redact by default, then apply the reasonableness test to determine where disclosure is appropriate. Document every decision. When in doubt, redact — a regulator is more likely to criticise accidental disclosure than over-redaction.
The employee DSAR workflow
Day 1–2: Acknowledge receipt. Verify identity (use HR systems, not additional ID requests). Log the request in your DSAR tracker with the deadline date. If the request is very broad, consider contacting the employee to discuss scope — but you cannot require them to narrow it.
Day 3–10: Conduct data searches across all systems. Email archive searches should use the employee's name, email address, employee ID, and known aliases. Don't forget paper files, shared drives, and system logs.
Day 10–15: Deduplicate results. Organise by document type. Flag documents likely to require exemption review (legal correspondence, management forecasting, references).
Day 15–25: Apply automated PII detection. Review flagged items for selective redaction. Apply exemptions with documented reasoning. Quality-check a sample of redacted output.
Day 25–28: Compile the response package. Draft the covering letter with supplementary information (processing purposes, retention periods, recipients, rights). Package for secure delivery.
Day 30: Deliver the response securely. Log completion. Retain the audit trail.
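To make the email section and the "redact by default, document every decision" approach concrete, here is an added illustration (not code from the original guide or from any product it mentions). It takes a constructed email, pulls PII from the header fields and body, discloses only items on a hypothetical identifier list for the data subject (name, address, employee ID, aliases), redacts everything else, and returns an audit log of each decision.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message (not a real mailbox): an HR manager emailing a
# colleague about the requester, whose employee ID is EMP-4821.
SAMPLE_EMAIL = """From: Maria Lopez <maria.lopez@example.com>
To: Dan Chen <dan.chen@example.com>
Cc: hrbp@example.com
Subject: Review for EMP-4821

Dan, Alex Smith (alex.smith@example.com) raised the delivery concerns about
EMP-4821 again. Call me on 020 7123 4567 before Friday to discuss.
"""

# Hypothetical identifier list for the data subject: name, address, employee
# ID and known aliases, mirroring the search terms used in the workflow.
SUBJECT_IDS = {"alex smith", "alex.smith@example.com", "emp-4821"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
UK_PHONE_RE = re.compile(r"\b0\d{2,4}[ ]?\d{3,4}[ ]?\d{3,4}\b")


def classify(item: str) -> str:
    """Data subject's own PII is disclosed; everything else is redacted by default."""
    return "disclose" if item.lower() in SUBJECT_IDS else "redact"


def redact_message(raw: str):
    """Return (redacted_text, audit_log).

    The log records every PII item, where it was found and the decision taken,
    so the reasoning behind each redaction can be evidenced later."""
    msg = message_from_string(raw)
    found = {}  # PII item -> field where it was first seen
    for hdr in ("From", "To", "Cc"):
        for name, addr in getaddresses(msg.get_all(hdr, [])):
            for item in (name, addr):
                if item:
                    found.setdefault(item, hdr)
    body = msg.get_payload()
    for item in EMAIL_RE.findall(body) + UK_PHONE_RE.findall(body):
        found.setdefault(item, "body")
    text, audit = raw, []
    for item, where in found.items():
        decision = classify(item)
        audit.append({"item": item, "where": where, "decision": decision})
        if decision == "redact":
            text = text.replace(item, "[THIRD PARTY]")
    return text, audit
```

Display names are matched exactly, so a bare first name in the body ("Dan,") survives this pass; that is the kind of residual the human review and sample quality check in the workflow exist to catch.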
SafeRedact Enterprise processes employee DSAR document sets at scale. Upload the collected documents as a batch, name the data subject, and the AI identifies all PII across the package — flagging which items belong to the requester and which to third parties. Your team reviews and approves. Processing time drops from weeks to hours.
Frequently asked questions
Can an employee submit a DSAR?
Yes. Current employees, former employees, contractors, temps, and job applicants can all exercise the right of access. Employment status is irrelevant to the right.
Do I have to disclose performance reviews?
Yes. Performance reviews are the employee's personal data. You must disclose them, redacting other employees' PII and applying relevant exemptions (such as management forecasting for calibration data).
Can I refuse a DSAR from a disgruntled employee?
Only if the request is manifestly unfounded or excessive — a very high threshold. The employee's motivation is generally irrelevant. The CJEU confirmed in Case C-307/22 that organisations cannot refuse access based on the requester's purpose. Document your reasoning if you believe the threshold is met, and seek legal advice before refusing.
What about former employees?
Former employees retain their right of access. You must search all systems where their data may still exist, including archived email, backup systems, and paper records. Your data retention policy determines what you should still hold — but if you hold it, you must search it.