DSARs: DO WE REALLY HAVE TO GIVE THEM THAT AGAIN?

Written By Rachel Rigg

One of the most common frustrations for HR teams handling DSARs is the request for documents the employee already has, or could easily obtain themselves.

But, DSARs are about access, not duplication. It seems to be little known that employers are not required to provide personal data again where the individual already has direct access to it.

So what does access mean in practice?

1. If they can still access it, you don’t have to resend it

This applies where the employee:

  • has a functioning login to the HR system or payroll portal;

  • can retrieve documents from their own mailbox;

  • can download information from an internal platform;

  • already holds the document in their personal possession.

Pointing them to where the information sits is enough.

2. If they previously received it but don’t have it anymore

The legal test under the Act is about present accessibility, not whether they had access before.

If the employee previously received a document (like onboarding materials, historic payslips, an employment contract), but cannot reasonably access it now, this is still within the scope of the DSAR and should be provided separately.

A few indicators the employee no longer has access:

  • they are a former employee;

  • accounts have been disabled;

  • systems were off‑boarded;

  • the original document was issued years ago.

In those cases, the information generally should be provided.

3. If they created the document themselves

Even if they authored it (e.g., a Word document, an internal note, a presentation), you need to provide it again if:

  • you still hold it, and

  • they can’t access it through any other route.

This avoids unnecessary trawling for documents that the requester likely holds already.

4. If they can access it but want it in a different format

DSAR rights include the right to receive personal data in an intelligible format, but not necessarily in a different format.

  • If they can view the payslip on the portal, you don’t need to supply it as a PDF.

  • If they can read the email in their mailbox, you don’t need to extract and convert it.

However, you should still explain why you aren’t re‑providing it.

5. Be transparent about what you are and aren’t sharing

Even when signposting instead of disclosing, transparency obligations apply. Your DSAR response needs to:

  • state which categories of information they can already access;

  • confirm where that information is located;

  • explain why you are not supplying duplicates; and

  • offer to assist if there is a genuine barrier to access.

And any DSAR response must still be accompanied by the supplementary information required under a good Privacy Notice.

Practical steps for HR and DSAR handlers

  • Assess actual access: Does the individual currently have the ability to retrieve the information themselves?

  • Signpost clearly: Include screenshots or navigation steps for payroll or HR systems if helpful.

  • Record your rationale: Capture your reasoning in case the ICO asks why certain documents weren’t provided.

  • Ensure departing employees know what to save: Encourage individuals to download payslips or key documents before deactivation.

  • Tailor templates: Build in standard wording explaining the “already accessible” principle.

Need support?

We can help you refine your DSAR process and advise on tricky access‑vs‑duplication questions. From quick queries to full outsourced review, our DSAR support service keeps you compliant and efficient.

Rachel Rigg https://www.horsfieldmenzies.com/rachel-rigg
Next

GOVERNMENT FUNDS TRAINING