Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is a Subject Access Request (SAR)?
- When Can Employers Withhold Information in Subject Access Requests?
- If an Employee Makes a Subject Access Request, What Cannot Be Requested?
- What Are the Main Exemptions When Withholding Information?
- How Should You Handle Redactions?
- Can Information Be Kept Indefinitely?
- What Are the Risks of Withholding Too Much - Or Too Little?
- What Should Employers Do Before Responding to a Subject Access Request?
- How To Build a Compliant Subject Access Request Policy
- Key Takeaways
Subject access requests (SARs) are a vital feature of UK data protection law and one that every business owner and employer needs to understand. If you’ve ever received that email from an employee saying “I’d like to see all the personal data you hold on me”, you’re not alone - and you’re probably wondering exactly what you’re legally required to hand over.
The rules around responding to subject access requests are strict, but they aren’t as straightforward as “hand over everything.” There are circumstances where employers can withhold certain information in response to a subject access request, provided you do so lawfully and for the right reasons. So how do you draw the line? What can and can’t be disclosed? And how long should you keep information in the first place?
In this plain-English guide, we’ll walk you through when it’s appropriate to withhold information, common pitfalls to avoid, and the essential steps to ensure your business complies with UK law on subject access requests.
What Is a Subject Access Request (SAR)?
Under the UK GDPR and Data Protection Act 2018, individuals (including employees) have the right to know what personal data organisations hold about them, how it’s used, and who it’s shared with. This right is exercised through a subject access request - also known as a 'SAR.'
If an employee, customer, or job candidate makes a subject access request, you are legally required to respond, typically within one month. Your response should include:
- Confirmation you're processing their data
- Access to the specific personal data you hold
- Information about how and why you process that data
However, not every single piece of information needs to be disclosed, and there are situations where you can (or must) withhold certain data.
For a step-by-step overview of responding to SARs, see our guide on Essential Steps for Responding to Subject Access Requests.
When Can Employers Withhold Information in Subject Access Requests?
While the general rule is to be open and transparent, the law recognises a few important exceptions that allow - or require - employers to withhold information in a subject access request.
- Personal data about someone else (third party data): You must not provide personal data that identifies another individual (such as a co-worker or a referee) unless that person has consented or it is reasonable in all the circumstances to disclose it without consent.
- Data subject to legal privilege: Information that is protected by legal professional privilege (such as confidential communications with your solicitor) is exempt and can be withheld.
- Management information: Notes of confidential management forecasting or planning, such as redundancy plans or salary proposals not yet communicated, can be withheld to the extent that disclosure would prejudice the conduct of the business.
- Data relating to crime and taxation: Very limited exemptions might apply where sharing the data would prejudice the prevention or detection of crime or the assessment of taxes.
- Negotiations with the requester: A record of your intentions in negotiations with the data subject (for example, settlement discussions during a restructuring) can be withheld to the extent that disclosure would prejudice those negotiations.
The key is that these exemptions are narrow. For most requests, you will need to provide access to the individual's data, but not information that would unduly impact others or harm your business’s legal rights.
If an Employee Makes a Subject Access Request, What Cannot Be Requested?
It’s a common misconception that subject access requests give employees full access to all documents or all business records relating to them. But there are clear boundaries:
- General business documents: The request only covers personal data - that is, information relating to an identifiable individual (including opinions about them) - not commercially confidential business information that does not relate to the requester.
- Informal notes outside a filing system: Information processed only by hand and not held (or intended to be held) in a structured filing system falls outside the UK GDPR and therefore outside a SAR. In practice, most employment records, including emails, HR systems and chat logs, are covered.
- Confidential references: A reference given in confidence for employment, education or training purposes is exempt from disclosure, whether you gave it or received it from a previous employer.
- Other employee data: Data relating solely to other people cannot be requested by an individual - except where their data is intertwined with the requester’s, in which case it must be redacted or withheld appropriately.
If you’re unsure about the boundary between personal data and business data, check out our article on what counts as personal data in UK employment.
What Are the Main Exemptions When Withholding Information?
Let’s break down the most common exemptions UK employers can rely on when deciding what to withhold in a subject access request:
1. Third Party Information
If complying with a SAR means handing over information that would identify another individual, you must consider their rights. You have the option to:
- Seek consent from the third party before disclosure
- Redact (black out) their identifying details
- Withhold the information entirely if it can't be reasonably anonymised
For example, you cannot disclose allegations made by a colleague if it would reveal the identity of the person making them, unless you have consent or a strong reason to disclose.
2. Legal Professional Privilege
Communications between you and your legal advisers that are genuinely confidential and made for the purpose of giving or obtaining legal advice, or in connection with litigation, are protected by privilege. This means you are not required to disclose those documents in response to a SAR. Privilege is lost if the advice has been shared more widely than necessary, so check that it still applies before relying on this exemption.
3. Confidential References
If you give a confidential reference about an employee to another employer, or receive one from a previous employer, you are generally protected from having to disclose the content of that reference (even if the employee requests it).
4. Management Forecasts and Negotiations
Certain employment management planning documents - think succession planning, redundancy options, or preliminary salary negotiations - can be withheld where providing them would prejudice the business’s commercial interests.
It’s wise to assess whether the disclosure would genuinely harm the business or whether it relates to events and decisions already communicated to the individual.
5. Crime and Taxation
If providing information would likely prejudice the prevention or detection of crime or matters of taxation, you can refuse (or limit) disclosure. This exemption is interpreted narrowly, so seek legal advice if it applies.
How Should You Handle Redactions?
Often, the best way to comply with a SAR while protecting third-party information or business confidentiality is to redact - or remove - the sensitive data from your disclosure. Redaction should be carried out carefully and consistently to ensure you’re not inadvertently sharing protected information. Remove the underlying text and export a flattened copy, rather than drawing a black box over it in a PDF or word processor, since a visual overlay can often be lifted to reveal the original content.
Make sure you keep a clear record of what was redacted and why. This can be useful if the requester or the ICO (Information Commissioner’s Office) asks for an explanation of any withholdings.
For practical steps on redaction and SAR responses, see our SAR deadlines and best practices guide.
Can Information Be Kept Indefinitely?
A major area of confusion for employers is how long you’re allowed to retain information - in other words, can information be kept indefinitely?
The simple answer: No, you cannot keep personal data forever without a valid reason.
Data protection law requires organisations to set and follow data retention policies. You should only keep personal data for as long as you need it to fulfil the original purpose for which it was collected, or to comply with legal obligations. After that, it should be securely deleted or anonymised.
- For ex-employees: HR records are commonly kept for 6 years after employment ends, to cover the typical limitation period for contract claims; some records (for example payroll and tax records) have their own statutory minimum retention periods.
- For unsuccessful job applicants: Data should generally be deleted after a short period (e.g. 6-12 months) unless there’s a clear reason to keep it.
If you don’t have a clear policy, now is a good time to review your approach. Our guide on how long to keep ex-employee records has all the practical details you’ll need.
You must inform individuals (usually via your Privacy Policy) how long you keep their data or at least the criteria used to determine retention periods.
What Are the Risks of Withholding Too Much - Or Too Little?
If you get SARs wrong - either by withholding information you shouldn't, or disclosing more than you should - you run practical and legal risks:
- Withholding too much: The data subject (such as an employee) could complain to the ICO. The ICO can require you to disclose the information and, in serious cases, issue fines or enforcement action.
- Disclosing too much: Sharing confidential details about other employees or privileged information can expose your business to employment claims or breach of confidentiality duties.
- Poor redaction: Accidentally revealing third party identities or confidential business information due to incomplete redactions can cause a data breach.
That’s why it’s so important to have a robust process for handling subject access requests and to get advice if you’re ever unsure.
You can learn more about the risks of poor data handling and ICO enforcement by reading our guide to ICO enforcement actions.
What Should Employers Do Before Responding to a Subject Access Request?
Here’s a simple checklist for UK employers facing a subject access request:
- Verify the identity of the requester where you have reasonable doubt, so you do not send personal data to the wrong person; keep the checks proportionate to the sensitivity of the data
- Identify all the places personal data may be stored (HR files, emails, chat logs, etc.)
- Carefully review the data for any information that should be withheld (per exemptions above)
- Redact or exclude third party and legally privileged information, giving a reason for any redactions
- Respond within one month (you may extend by up to a further two months if the request is complex or you have received several from the same person, but you must tell the requester within the first month), outlining what you’ve disclosed and explaining any information you’ve withheld and why
- Keep clear records of all communications and your decision-making process
A well-documented SAR procedure will help protect you from disputes and demonstrate good faith if challenged.
How To Build a Compliant Subject Access Request Policy
Every business that handles employee or customer data should have a clearly documented subject access request (SAR) policy, setting out how you will respond, the exemptions you might apply, and how long you keep data for.
Your SAR policy should cover:
- Reception and logging of SARs
- How you verify identities
- Steps for identifying and compiling relevant data
- Guidance on applying withholding exemptions
- Who within the business is responsible for decision making
- Timescales for response, and when and how to tell the requester that you are extending the deadline for a complex request
- Clear retention policy for information - i.e., when to delete, review, or keep records
Looking for a simple way to comply? Sprintlaw can help you put together a tailored GDPR compliance pack including data retention, privacy notices, and subject access request templates suitable for small businesses.
Key Takeaways
- Employers must respond to subject access requests from employees or others, but certain information can lawfully be withheld - including third party personal data, legally privileged advice, and management planning documents.
- If an employee makes a subject access request, not all business documents are covered - the request only applies to their personal data, not general business records or unconnected information about others.
- Redact or withhold data carefully and always provide reasons for any redactions; keep clear records in case of an ICO challenge.
- You must not keep personal data indefinitely - instead, follow a clear data retention policy that’s explained to your staff and customers.
- Having a robust SAR policy and GDPR-compliant privacy documentation will help you avoid legal pitfalls and regulatory scrutiny.
- If you’re ever unsure about how much information to disclose or withhold, seek advice from a legal expert in data protection law.
If you’d like clear, practical advice on handling subject access requests or building your GDPR policies, you can reach us at team@sprintlaw.co.uk or call 08081347754 for a free, no-obligations chat.