Subject Access Requests and Internal Conflicts of Interest: Navigating the Grey Areas
When it comes to Subject Access Requests (SARs), few are more complex, or more sensitive, than those submitted by employees and ex-employees. Unlike customer SARs, which are often straightforward, staff-related requests are frequently wrapped up in wider disputes, grievances, or pending legal claims. At Data Protection People, we see it time and again: an employee leaves under difficult circumstances, then shortly afterwards, a SAR lands in HR or Legal’s inbox. It’s no coincidence. These types of requests are often tactical, designed to uncover evidence, test procedural fairness, or support an employment tribunal claim. That’s perfectly within the rights of the data subject, but it raises real challenges for employers, especially when conflicts of interest are involved. This blog is about Subject Access Requests and Internal Conflicts of Interest.
Why Internal SARs Are So Tricky
Employee SARs don’t just trigger administrative effort — they often force organisations to walk a tightrope between transparency and risk. You’re being asked to hand over information that may include:
- Emails between managers
- Notes from disciplinary meetings
- Internal chats or instant messages
- Performance reviews
- Legal advice (potentially exempt)
All of this might involve opinions, judgements, or allegations made by other staff members — sometimes senior managers, sometimes HR personnel. And when the very people handling the SAR are involved in the subject matter, conflicts of interest can quietly undermine the integrity of the process.
What Is a Conflict of Interest in SAR Handling?
A conflict of interest occurs when someone involved in responding to a SAR has a personal stake, consciously or not, in the outcome. This could be the HR officer who issued the warning the requester is contesting. Or the manager whose conduct is under scrutiny. Or even an internal investigator who has exchanged emails about the subject.
When these individuals are responsible for locating, reviewing, or redacting data, impartiality is compromised. There’s a risk of information being withheld, over-redacted, or delayed, not necessarily out of malice, but due to unconscious bias or protective instincts.
And that’s a problem. Because if the data subject suspects foul play or receives an incomplete response, they can escalate to the ICO, lodge a complaint, or use it to strengthen their legal case.
Practical Steps to Manage Subject Access Requests and Internal Conflicts of Interest
Organisations should assume that internal SARs will be scrutinised more heavily and act accordingly. Here are practical steps to manage them with confidence and compliance:
1. Separate the People from the Process
Ensure that anyone directly involved in the dispute does not participate in locating, reviewing, or approving the SAR response. Where possible, assign SAR handling to someone independent, ideally within your data protection or legal team.
2. Document Everything
Keep a clear record of:
- Who handled the request
- What searches were conducted
- What redactions were applied and why
- What exemptions were used
This is your audit trail, invaluable if the decision is challenged or reviewed by the ICO.
3. Be Transparent About Exemptions
If you’re withholding data under an exemption (e.g., legal privilege or management planning), be upfront about it in your response. You’re not required to give full detail, but clarity fosters trust.
4. Use a SAR Triage Approach
Have a process in place to flag SARs that involve:
- Internal disputes or grievances
- Legal proceedings or tribunal claims
- High volumes of emails involving senior staff
These should be prioritised and escalated to senior data protection personnel, not left to junior HR or admin staff.
5. Treat SARs as More Than Admin
A SAR isn’t just a compliance exercise; it’s an insight into how your organisation handles people, transparency, and power. Even when there’s legal protection to withhold certain content, always consider the human context and reputational risk.
The Legal Landscape: Don’t Cut Corners
There’s a temptation in contentious SARs to protect the organisation first. But the law is clear: SARs are a right, not a favour. Employers cannot ignore, delay, or heavily redact responses purely to protect internal politics.
Yes, exemptions under the Data Protection Act 2018 may apply, such as:
But these must be applied fairly and justifiably. Misuse of exemptions can lead to enforcement action or reputational damage.
Final Thoughts: Integrity is Everything
When a SAR becomes part of a wider conflict, the stakes are higher, for both the data subject and the organisation. Mishandling the process, whether intentionally or through poorly managed conflicts of interest, risks turning a manageable issue into a major liability.
At Data Protection People, we support organisations with complex and high-risk SARs, especially those involving internal dynamics. From independent reviews to redaction support and strategic advice, our goal is to help you handle even the toughest SARs with clarity, consistency, and compliance. To find out more about Subject Access Requests and Internal Conflicts of Interest listen to our podcast episode here.
Need help with a sensitive SAR?
Get in touch with Data Protection People, the UK’s leading data protection consultancy. Our experts are on hand to help you manage requests professionally, fairly, and legally.