Why What you put in Writing Matters:

Subject Access Requests and Workplace Communications

We are seeing more Subject Access Requests (SARs), and with them a greater spotlight on the everyday messages, emails and notes organisations create about their staff.

This is an important reminder: if something is written down, there is a real possibility it may need to be reviewed and potentially disclosed if an individual makes a SAR under the UK GDPR and the Data Protection Act 2018. That includes not only formal records, but also internal emails, messages and comments that contain a person’s personal data.

The Information Commissioner’s Office (ICO) explains that a SAR gives individuals the right to access a copy of their personal data and other supplementary information. A request can be made verbally or in writing, and organisations usually need to respond without delay and within one month. In practice, this means employers need to be ready to search for relevant personal data across systems and communication channels, including emails where a worker is discussed by name or in a way they can be identified.

We have seen cases where inappropriate or careless emails between colleagues have created unnecessary risk. A throwaway remark, an unprofessional opinion, or a message written in frustration about another employee can become highly significant if that employee later exercises their right of access. Even where an employer is considering exemptions or third-party rights, the existence of that wording can still create legal, reputational and employee relations issues.

The practical lesson is simple: write every note, email and message as though it may one day be read by the person it refers to. Communications should be factual, professional and relevant. Avoid sarcasm, personal criticism, speculation or language that could appear discriminatory, offensive or biased. If a concern genuinely needs to be recorded, it should be expressed clearly, objectively and in a way that can be justified.

For employers, good SAR readiness is not only about handling requests properly when they arrive. It is also about building a culture of careful record-keeping from the outset. Staff training, clear email etiquette, and consistent HR documentation standards can all reduce risk and support better decision-making. In short, appropriate wording is not just a matter of professionalism – it is a matter of compliance.

Now is a good time for you to review your practices. A well-written record can help protect your organisation; a poorly written one can quickly become evidence you wish had never been created.

If you need any support with how to manage subject access requests within your organisations, whether in form of policies, staff communications, managers training or staff training, please contact us on team@hrprime.co.uk