Data Subject Access Requests: when is it appropriate for an employer to refuse to reply to an employee’s request?

According to the Court of Appeal in its decision in the case of Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd & Others: when the scope of the request would result in disproportionate effort on the part of the employer to respond.

The Court of Appeal in this case has issued welcome guidance to employers that find themselves landed with a subject access request (SAR) from a disgruntled employee (or former employee) seeking reams of information, largely useless and obsolete, to cause trouble and aggravation. This is seemingly happening with increasing regularity, much to the consternation and cost of employers. The judicial guidance is all the more useful given the ICO’s published view that the employer’s obligation to reply is absolute, even if the motive of the data subject making the request is questionable.

To some extent, employers can now rest easy: if they receive a tactical SAR they may, on advice, decide to take an equally tactical approach in their response, relying on this new test of proportionality. Nevertheless, it remains a difficult line to tread and any reply should be carefully considered. Also be aware that the timeframe for responding to SARs is due to change with the introduction of the GDPR in May next year, from, at the latest, 40 calendar days from the date of receipt of a valid SAR to within a month of the date of receipt. It is therefore an area that you may want to review to ensure that current systems and processes can be relied on to enable you to provide a reply within the shorter timeframe.

For now, the ICO Code of Practice in this area is still essential reading for anyone with responsibility for replying to SARs, and this can be accessed via their website. For further expert assistance in this field, please do not hesitate to get in touch with us or call 01904 520160.