As employment lawyers, we frequently advise clients on how to handle data subject access requests (DSARs) made under the UK GDPR and the Data Protection Act 2018. These requests to access data are a common tactic used in contentious employee exits, grievances, and tribunal claims. While DSARs are intended to promote transparency, they often catch employers off guard, particularly where external HR consultants or other third party advisers have been involved.
Recent case law and guidance confirms a critical and often misunderstood point: communications between an employer and a third party HR consultant may be disclosable in response to a DSAR if they contain personal data about the individual making the request. In practice, this means that routine correspondence regarding disciplinary procedures, performance reviews or dismissal discussions, unless considered legally privileged, may be open to scrutiny by the very employee whose conduct is under review.
What must be disclosed?
Under UK GDPR, an individual is entitled to receive a copy of their personal data, is broadly defined as information that relates to and identifies them. Examples include:
- Internal emails and meeting notes discussing the employee’s performance or behaviour.
- Advice from external HR consultants, including notes or summaries of meetings.
- Correspondence referencing or discussing the individual whether internally or with third parties.
The key test is whether the information relates to the individual in a way that makes them identifiable. Whilst employers are only required to undertake a “reasonable and proportionate” search, this still covers a broad range of material.
A common pitfall is the assumption that advice from HR consultants is automatically protected from disclosure by legal privilege. This is not the case.
Unless the HR consultant is a qualified solicitor or is acting under the direct instruction of a solicitor, or the advice is given in contemplation of litigation, the communications will not be covered by legal professional privilege. Consequently, such records are likely to be disclosable in response to a DSAR.
Legal professional privilege, the key exemption
The main exemption available in these circumstances is legal professional privilege. This applies if the advice:
- Is given by a solicitor or barrister acting in their legal capacity (legal advice privilege), or
- Relates to anticipated legal proceedings (litigation privilege)
Where either form of privilege applies, the information does not need to be disclosed in response to a DSAR.
However, this exemption does not extend to HR consultants giving general employment advice, even if that advice concerns dismissal, disciplinary procedures, or grievance handling.
Why early legal involvement matters
A recurring issue we see is employers contacting legal advisers only after a data subject access requests has been submitted. By that stage, it is too late to structure communications in a way that might attract legal privilege.
The most effective approach is to involve legal advisors at the earliest stage of any high-risk employment issue. At Moore Barlow, we often work alongside internal HR teams and external HR consultants to structure communications strategically, helping to ensure that legal privilege is preserved where appropriate. This might involve routing sensitive advice through legal channels, or ensuring that legal input is embedded throughout the decision-making process.
By taking these steps, employers can reduce the risk that routine HR correspondence inadvertently becomes disclosable evidence in any dispute.
The role of HR Consultants in Handa
Recent case law has also provided clarification on the status and potential liability of external HR consultants, particularly in the context of whistleblowing and disciplinary investigations.
In the case of Handa v The Station Hotel (Newcastle) Ltd and Others [2025] EAT 62, the Employment Appeal Tribunal (EAT) considered whether HR consultants involved in grievance and disciplinary investigations could be treated as agents of the employer and whether they could be liable for whistleblowing detriment under section 47B(1A)(b) of the Employment Rights Act 1996.
The EAT confirmed that external HR consultants can, in some circumstances, act as agents of the employer when carrying out key employment functions such as disciplinary or grievance investigations. However, this agency relationship does not automatically make them decision makers, nor does it mean that they are personally liable for the employer’s actions.
The Tribunal held that where HR consultants are engaged to provide independent investigative support, for instance to conduct interviews, gather evidence, or make recommendations, they are not liable for whistleblowing detriment as agents, provided they do not take or influence the final decision. Liability for such detriment rests with the employer and those directly responsible for the adverse action.
At the same time, the judgment emphasised that the existence of an agency relationship for certain purposes such as carrying out investigations, means that communications between employers and HR consultants may still be treated as part of the employer’s record for data protection purposes. Although HR consultants may be protected from whistleblowing liability and not personally be liable, their correspondence and notes are unlikely to be privileged and can be disclosable under a data subject access requests.
This case reflects the importance of both clarity of role and careful communication management when external consultants are involved.
Main takeaway with regards to data subject access requests
The Handa decision provides reassurance for HR consultants that they will not generally be personally liable for whistleblowing detriment where they act purely as independent investigators or advisers. However, it also highlights a broader risk for employers; agency for one purpose (such as investigations) may extend to data disclosure obligations, even where liability for whistleblowing does not.
Handled incorrectly, data subject access requests can create significant exposure at a critical time in an employment dispute. Employers relying solely on HR consultants to manage dismissals or other sensitive workplace issues, may inadvertently generate documents that they are later legally required to disclose.
The lesson from both practice and case law is clear that early, proactive legal involvement is essential. Engaging HR consultants does not automatically confer confidentiality or protection. Employers should involve legal advisers early, define consultants’ roles precisely, and ensure communications are structured with disclosure risks in mind.
Proactive legal involvement remains the most effective way to ensure data subject access requests compliance, preserve privilege where possible, and manage whistleblowing and disciplinary risks.
How Moore Barlow can help
Our Employment Law solicitors provide expert advice and support to help businesses navigate the complexities of employment law and ensure compliance with regulations.
Understanding employee data and GDPR: A guide to data protection compliance in the UK workplace.
