May 9, 2026
The Data (Use and Access) Act 2025: Recalibrating DSAR Management and Empowering HR Amidst Evolving Employment Law

Data subject access requests (DSARs) have long been a significant administrative burden for Human Resources teams, increasingly weaponised as a "first strike" tactic in employment disputes rather than a pure exercise of data transparency. However, a significant legislative shift, spearheaded by the Data (Use and Access) Act 2025 (DUAA), is set to recalibrate this dynamic, providing HR professionals with a suite of robust tools to manage DSARs more effectively, proportionately, and defensibly. This rebalancing comes at a critical juncture, preceding profound changes in employment law that are anticipated to drive a surge in litigation.

Background: The Evolution of Data Subject Access Requests (DSARs) and Emerging Challenges

Originally conceived under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 as a fundamental right for individuals to understand what personal data organisations hold about them, DSARs have, in recent years, morphed into a potent pre-action litigation tactic. Employees and former employees frequently deploy these requests not merely to exercise their data rights, but to gain early disclosure of information, test an employer’s case, or even to exert pressure during disputes. This strategic misuse has placed an immense strain on HR departments, compelling them to undertake extensive, often disproportionate, searches across myriad data sources, from structured HR systems to individual email inboxes and informal notes.

The administrative overhead associated with DSARs is substantial. Industry reports, reflecting trends observed before the DUAA, indicated that the average cost of handling a single DSAR could range from hundreds to thousands of pounds, depending on complexity and scope. Furthermore, the sheer volume of requests, particularly those linked to grievances, disciplinary actions, or dismissals, diverted significant HR resources away from core strategic functions. HR teams often found themselves in a precarious position, navigating the tightrope between compliance with data protection laws and the risk of over-disclosure that could prejudice ongoing or anticipated legal proceedings, or compromise the confidentiality of third parties. The pre-DUAA landscape was characterised by a perception that the scales were heavily weighted in favour of the data subject, leaving organisations vulnerable to expansive and often unmerited demands for information.

The Impending Shift: Employment Rights Act 2025 and its Catalytic Effect

The urgency for effective DSAR management is further amplified by the impending changes introduced by the Employment Rights Act 2025 (ERA 2025). From 1 January 2027, the qualifying period for ordinary unfair dismissal will be reduced significantly, dropping from the current two years to just six months. This legislative amendment is widely expected to trigger a substantial surge in employment tribunal claims. A lower barrier to entry for unfair dismissal claims inevitably means a broader pool of potential claimants and, consequently, a predictable explosion of pre-litigation DSARs.

This confluence of legislative changes – the DUAA providing new tools and the ERA 2025 creating a greater demand for them – marks a pivotal moment for HR and legal compliance. The DUAA’s introduction, therefore, is not merely a technical adjustment but a strategic imperative, designed to equip organisations to manage this anticipated increase in claims and the associated data requests efficiently and fairly. It aims to restore a sense of balance, ensuring that the right of access remains robust for genuine data protection purposes, while mitigating its misuse as a litigation discovery tool.

The Data (Use and Access) Act 2025 (DUAA): A New Toolkit for HR

The Data (Use and Access) Act 2025 represents a thoughtful legislative response to the challenges posed by DSARs. It hands HR professionals a range of lawful tools that recalibrate the balance, allowing organisations to manage DSARs proportionately, defensibly, and strategically.

1. Reasonable and Proportionate Searches, Including Managers’ Inboxes

One of the most significant amendments introduced by the DUAA is the clarification that organisations are only required to conduct reasonable and proportionate searches in response to a DSAR. This crucial distinction, now explicitly embedded within the UK GDPR framework by the DUAA, is reinforced by updated guidance from the Information Commissioner’s Office (ICO). The ICO guidance confirms that the scope of any search must be reasonable and defensible rather than exhaustive, with the reasoning behind the search parameters well-documented.

This provision is a direct antidote to the "fishing expedition" approach often seen in tactical DSARs. HR teams are no longer compelled to undertake boundless searches across every conceivable data repository. Instead, they can define and justify a search scope that is proportionate to the nature of the request, the data subject’s relationship with the organisation, and the context of the data held. This includes data held in managers’ inboxes; while such data remains in scope if it constitutes personal data, the extent of the search within these inboxes can now be governed by proportionality. This reduces the administrative burden significantly, allowing HR to focus resources where they are most needed and justified, while simultaneously reducing the risk of inadvertently disclosing irrelevant or overly sensitive information.

2. Enhanced Protection of Third-Party Data Rights and Litigation Misuse

Prior to the DUAA, HR teams often felt compelled to over-disclose information, driven by a pervasive fear of ICO criticism if redactions were challenged. This led to situations where the anonymity of witnesses, the confidentiality of whistleblowers, and the integrity of grievance protections were regularly eroded by litigation-driven DSARs, which sought to unmask individuals or processes.

The DUAA addresses this directly. While it does not remove the fundamental right of access, it fundamentally restores confidence that protecting third-party rights, confidentiality, and process integrity is not only lawful but actively expected. HR teams can now apply redaction of names and other identifying details confidently and proactively where disclosure would cause harm to an individual, prejudice an ongoing investigation, or undermine confidential internal processes. Furthermore, the Act explicitly legitimises summarisation and anonymisation as lawful methods of meeting the right of access. These techniques allow organisations to provide the substance of the personal data requested without exposing party identities or compromising sensitive information, thereby preventing tactical misuse of DSARs to disrupt internal operations or intimidate individuals.

3. Legal Professional Privilege (LPP) – Clarified and Reinforced

Legal Professional Privilege (LPP) remains a complete exemption from the right of access where it applies. The DUAA has provided welcome clarification and reinforcement regarding the application of LPP, offering greater certainty to HR teams. LPP covers both advice privilege, which protects confidential communications between a solicitor and their client for the purpose of giving or receiving legal advice, and litigation privilege, which extends to communications created for the dominant purpose of litigation.

This clarity means that HR departments can now include legal advisers in sensitive processes, such as disciplinary investigations, complex grievance procedures, or strategic workforce planning discussions, with increased confidence that these communications will remain privileged and exempt from DSARs. When relying on LPP, HR must remain transparent, informing the data subject that information has been withheld, stating the basis for doing so (without waiving privilege itself), and advising them of their rights to complain to the ICO. This provision is crucial for organisations to obtain candid legal advice and conduct robust internal investigations without fear of premature disclosure.

4. Manifestly Unfounded or Excessive Requests

The DUAA retains the critical safeguard provided by UK GDPR Article 12(5), which allows data controllers to refuse a DSAR or charge a reasonable fee if the request is deemed "manifestly unfounded or excessive." The ICO has consistently confirmed that this remains a high threshold, requiring clear evidence and a meticulous case-by-case assessment.

This tool is not a broad license to dismiss requests, but rather a vital defence against vexatious, repetitive, or disproportionately burdensome demands that serve no genuine data protection purpose. HR teams must ensure they have robust documentation to support any decision to refuse or charge a fee, demonstrating, for example, that the request is intended to harass the organisation, is repetitive without new information, or places an unreasonable burden on resources. Proper application of this provision can significantly alleviate the pressure from truly abusive DSARs.

5. Pseudonymisation – A Strategic Safeguard, Not an Exemption

It is important to note what the DUAA does not change. The Act does not alter the established UK GDPR rule that pseudonymised data remains personal data where the controller holds the re-identification key. Consequently, the right of access continues to apply in full to such data. This means that if an organisation holds pseudonymised data and also possesses the means (the key) to re-identify the individual, it must retrieve that key, re-identify the data where necessary, and respond lawfully within the statutory framework.

This clarification reinforces that pseudonymisation is primarily a data security and privacy-enhancing technique, not a method to circumvent data subject access rights. HR teams should understand that while pseudonymisation enhances data protection, it does not exempt data from DSARs if the data subject can still be identified by the controller.

Operational Adjustments: Managing DSARs Effectively Post-DUAA

Beyond the specific tools, the DUAA also brings further clarity to the operational aspects of DSAR management.

How SARs Can Be Made and Privacy Policy Requirements: Under UK data protection law, a DSAR can be made in writing or verbally, including via email, social media, post, or in person. There are no formal requirements for making a valid DSAR, which exists whenever an individual clearly requests their own personal data. Organisations are required under UK GDPR to provide a privacy notice that explains data subject rights, including how to make a DSAR. While the ICO guidance indicates that providing a standard form can be helpful for organisations to recognise and process SARs efficiently, such forms must explicitly state that this is not the only means by which a DSAR can be made.

Response Times: One Month, Extendable to Three: The DUAA clarifies the existing provision that the standard one-month response deadline can be extended by a further two months (giving a total of three months) where the request is genuinely complex or where the controller receives numerous requests from the same individual. To legitimately rely on such an extension, the HR department must inform the requester within the initial one-month period and provide a clear explanation as to why the extension is necessary.

‘Stop the Clock’ Clarification: Interestingly, the DUAA introduces a lawful pause mechanism for the response deadline. The one-month response clock may be paused while the controller seeks necessary clarification from the individual to fulfil the request. The clock may also be legitimately paused while awaiting clarification of identity verification, but only where the request is not yet "sufficiently clear" or where the organisation genuinely cannot proceed without this verification. Crucially, HR cannot pause the DSAR clock simply because they are considering charging the requester a fee under Article 12(5); in such cases, the response must still be provided without undue delay. This provides HR teams with greater flexibility in managing complex or unclear requests, provided the conditions for pausing are strictly met and documented.

Strategic Safeguards and Tactical Control for HR Teams

The DUAA does not eliminate tactical DSARs, but it equips HR teams with lawful tools to manage them effectively. The appropriate response is not resistance, but a documented, defensible, and proportionate strategy, put in place well before the Employment Rights Act 2025 changes take effect on 1 January 2027. In practice, that means applying these measures now to employees engaged from 1 July 2026 onwards.

Proactive Data Management: Unrestricted email systems are far more likely to receive a request than well-managed, structured records. HR teams should actively discourage unnecessary use of email for sensitive matters, such as disciplinary discussions, instead directing managers towards controlled formats like standard HR forms or formally retained notes. Personal notes that are genuinely private and not part of a structured set of records used by HR may fall outside the scope of the UK GDPR. However, where such notes are structured, shared (e.g., via scanning), or used in decision-making, they are likely to be in scope. The focus should be on consistent, necessary, thoughtfully created data and controlled record-keeping, rather than avoidance.

Withholding Sensitive Business Information: Information relating to confidential workforce planning, for example, may be legitimately withheld where disclosure would prejudice the business’s strategic interests. Similarly, data relating to ongoing negotiations or matters around the effective date of termination (EDT) may be restricted where necessary to protect the employer’s legal or commercial position. These decisions must, of course, be carefully justified and documented.

Upstream Risk Control: Ultimately, risk is best controlled upstream through robust data minimisation practices, clear retention policies, effective HR information systems, comprehensive training for managers on data handling, and meticulously documented search processes. DSARs are, in the modern employment context, "litigation adjacent exercises" and should be handled with the same level of legal rigour and strategic foresight.

Timeline and Forward Planning for HR

The DUAA, having come into effect in 2025, provides immediate tools for HR. However, the true test and increased demand for these tools will coincide with the ERA 2025 changes on 1 January 2027. This means that HR departments have a critical window to review, update, and implement their DSAR policies and procedures. Proactive steps, such as manager training on data handling, revising privacy notices, establishing clear internal guidelines for reasonable searches, and documenting decision-making processes, are paramount. Organisations that embed these measures now, particularly for new hires from mid-2026, will be far better positioned to navigate the anticipated increase in employment claims and associated DSARs.

Broader Impact and Expert Commentary

The Data (Use and Access) Act 2025 represents a significant legislative effort to modernise data protection in the context of employment, acknowledging the evolving landscape where data rights intersect with employment disputes. It reflects a nuanced understanding that while transparency is vital, it must not come at the expense of organisational efficiency, the protection of third parties, or the integrity of internal processes.

The rebalancing act achieved by the DUAA empowers organisations to manage DSARs proportionately while upholding the fundamental rights of data subjects. It provides the necessary legal backing for HR teams to make defensible decisions regarding search scope, redaction, and response times. The challenge for HR, therefore, is to embrace these new tools responsibly, ensuring robust internal policies, continuous training for all relevant personnel, and meticulous documentation of every step in the DSAR process. The era of unrestricted data disclosure is giving way to a more sophisticated, defensible, and strategic approach, safeguarding both individual rights and organisational integrity in a complex and evolving regulatory environment.