‘Rights of Access’ refer to the right of individuals to request and receive a copy of their personal data, along with other supplementary information. The process for doing this is usually referred to as a ‘Data Subject Access Request’ (DSAR).
To assist Data Protection Officers or those who have responsibility for data protection in larger organisations, guidance on DSARs is available from the Information Commissioner’s Office. However, in practice, the guidance is useful for anyone dealing with DSARs within their business. It also contains illustrative examples which can assist employers in dealing with more complex requests.
As well as providing a general overview of rights of access, it includes information on:
- How to prepare for and recognise a DSAR
- How to respond to a DSAR
- Refusal to comply with DSARs
- Dealing with 3rd party information and other exemptions
- Special category data and special cases
Common DSAR challenges employers should be aware of:
What does a DSAR look like?
An individual can make a DSAR verbally, or in writing, including through social media. An individual doesn't need to use a specific form or wording to make a valid request, but their request must relate to their own personal data.
A request can be made by a third party on behalf of the individual that the data relates to. Before responding to such a request, you must be satisfied that the third party has been given authority to make the request. It is for the third party to provide evidence of their authority.
If you are unsure of the identity of the requester, you can ask for information to verify their identity.
Can the time limit for responding be extended?
The DSAR should be responded to without undue delay, and within 1 calendar month.
This can be extended by a further two months where the request is complex, or the employer is dealing with a number of requests from the same person. What amounts to a ‘complex request’ will depend on the facts and circumstances of each case but can include situations involving:
- Technical difficulties in retrieving the information – for example electronically archived data.
- Applying an exemption that involves large volumes of particularly sensitive information.
- Any specialist work involved in obtaining the information or communicating it in an intelligible form.
- Needing to obtain specialist legal advice. (But if the employer routinely obtains legal advice, it is unlikely to be complex.)
A request for a lot of information does not automatically mean it is ‘complex’. Employers should be prepared to demonstrate why the request is complex in the circumstances.
Can an employer ask for DSARs to be clarified and what impact does this have on time limits?
If the employer processes a large amount of information about the individual, it can ask the individual to specify the information or processing activities their request relates to before responding.
Where an employer does so, this ‘stops the clock’ on the time limit for responding to the request. Employers should only do this where clarification is genuinely required in order to respond to the DSAR and where they process a large amount of information about the individual. Whether or not the employer holds a ‘large’ amount of information will depend on their size and resources.
Situational examples of complying with requests and clarification are provided in the guidance and are a useful reference point.
Can employers charge a fee for DSARs?
It is not normally permissible to charge a fee to respond to a DSAR, unless the request is manifestly unfounded or excessive, or an individual requests further copies of their data following a request. In such cases, employers may charge a ‘reasonable fee’ for their administrative costs. This can include costs of:
- photocopying, printing, postage and any other costs involved in transferring information;
- equipment and supplies (e.g. discs, envelopes or USB devices); and
- staff time.
If there is any duplication in effort, the individual should not be charged twice. If routinely dealing with large requests, employers should consider putting in place criteria for charging fees. In all cases, employers should be prepared to justify the cost.
When can an employer refuse to comply with a DSAR?
If a DSAR is ‘manifestly unfounded’ or ‘manifestly excessive’ an employer can refuse to comply.
A request can be manifestly unfounded when the individual clearly has no intention to exercise their right of access, for example where they offer to withdraw the request in return for some form of benefit. Manifestly unfounded requests can also include malicious requests, such as systematic requests made as part of a campaign of harassment. Manifestly excessive requests can be requests that are clearly or obviously unreasonable.
The context and circumstances of the request should be taken into account when considering if a request is unfounded or excessive.
If you refuse to comply with a request, you should inform the individual of:
- Your reasons for refusal
- Their right to make a complaint to the ICO or another supervisory authority; and
- Their ability to seek to enforce this right through the courts
What if requests contain information about other people?
There is an exemption to complying with a DSAR, if doing so would disclose information which identifies a third party, except where they have consented, or it is reasonable to comply without consent.
To help decide whether to disclose information relating to a third party, the ICO guidance recommends following a three-step process:
- Step 1: Does the request require disclosing information that identifies another individual? If so, is it possible to comply with the request without revealing that information by redacting it? If it is impossible to do this, move on to Step 2.
- Step 2: Has the third party provided consent to the disclosure? This is usually an appropriate issue to consider but you are not obliged to ask for consent. If it isn’t appropriate to do so, move on to Step 3.
- Step 3: Is it reasonable to disclose without consent? Depending on the type of information and duties of confidentiality it may be reasonable to disclose information without seeking or obtaining consent. The guidance contains a non-exhaustive list of factors that the employer may consider in such a case.
Whichever decision the employer reaches in the circumstances regarding information about other people, it should be communicated to the individual who has made the request.
The full guidance is available here.
This article is provided for general guidance only and employers with specific queries are encouraged to get in touch with a member of our Employment team.
Published 19 September 2025