Navigating DSAR Reforms: Key Employer Takeaways from the Data (Use and Access) Act 2025

Ellen Goodland

If, like many employers, you have to deal with data subject access requests (DSARs) on a regular basis, you will want to know about recent changes to how employers have to deal with them as a result of the new Data (Use and Access) Act 2025 (‘DUAA’), not least given that DSARs are often raised in the context of a workplace dispute and so can be one of the most challenging workforce issues that employers face.

Against this background, employers will doubtless be pleased to learn that the DUAA introduces some welcome clarifications, particularly regarding the timeframes for responding to DSARs and the scope of the search required. These changes provide greater certainty and help reduce some of the administrative burden associated with complex or high-volume requests. 

We set out below a summary of the key reforms relating to DSARs.

Confirmation on time limits for responding to the DSAR 

Employers continue to have one month to respond to a DSAR (and, in some circumstances, a further two-month extension); that hasn’t changed. However, if the employer has had to request further information or clarification from the data subject in order to respond to the DSAR, the DUAA confirms that the deadline is paused pending receipt of satisfactory clarification of the scope of the request, and the employer does not have to respond to the DSAR until this information is received.

In practice, this means that the ‘clock stops’ on the deadline to respond to the request until that information is received. Whilst the principle of stopping the clock reflects the ICO’s guidance, the DUAA now codifies this principle and confirms that there is no requirement to respond to the request until such clarification is received.

This provides employers with more flexibility and legal certainty when handling complex or unclear DSARs.

Limits on what the data subject is entitled to receive

The DUAA confirms that data subjects are only entitled to personal data and other information that the employer can provide based on a reasonable and proportionate search.

In line with current ICO guidance (which is currently subject to further review by the ICO), when considering what a reasonable and proportionate search looks like, employers should consider:

  • the circumstances of the request;
  • any difficulties involved in finding the information; and 
  • the fundamental nature of the right of access. 

This is helpful because, in many cases, employees raise requests for a significant volume of information, for example a request for all their personal data. It would be a considerable exercise to search and identify all personal data, not least where the employee has been employed for some time, and the DUAA provides welcome confirmation that the extent of an employer’s obligation is to undertake a “reasonable and proportionate” search only. This means it will be unlikely that requests for ‘all personal data’ will be considered reasonable, and an employer can, therefore, look to clarify the request further and identify what it considers to be a reasonable scope to respond to the request.

New requirement to inform the data subject of exemptions relied upon

Whilst individuals have a right to access their personal data, this right is not absolute. A number of exemptions may apply in certain circumstances, entitling the employer to withhold personal data. For example, information may be withheld where it is subject to legal professional privilege, where disclosure would prejudice ongoing negotiations, or where it relates to confidential management planning.

However, the reforms confirm that if the employer is going to withhold data by relying on an exemption, they must inform the individual of the exemptions relied on. Specifically in relation to the exemptions of legal professional privilege and client confidentiality, the DUAA requires employers to inform data subjects why this exemption has been relied on. Employers will also have to specifically inform the data subject of their right to make a request to the ICO to review the application of the exemption, the right to lodge a complaint and the right to apply to a court to challenge the employer’s use of the exemption.

Next steps

As a result of these reforms, it will be important to review your processes and take steps to update them, not only to ensure compliance with the new legal requirements, but also to streamline your organisation's approach to handling DSARs so they are efficient and consistent. In particular:

  • Ensure your DSAR team is briefed and trained on these changes so that you have consistency in approach 
  • Update template clarification letters to reflect ‘stop the clock’ changes 
  • Ensure searches are carried out on a ‘reasonable and proportionate’ basis (and that this approach is communicated in the letters responding to DSAR requests) 
  • Update letters responding to DSARs to include the prescribed information when exemptions are applied

Need help navigating your DSARs or figuring out how these changes affect your organisation? If you would like to discuss managing your DSARs or implementing the required changes, please contact me or Helen Haworth. 

For a broader overview of the Act and its wider implications, see our article ‘From Parliamentary Ping-Pong to Policy Pillar: The Data (Use and Access) Bill Becomes Law in the UK - Burges Salmon’, which provides an overview of all the changes that this new Act will bring.