The SAR Triage Guide: How to Reduce Your Redaction Costs
Subject Access Requests don’t mean handing over every email and spreadsheet in your company. Many employers disclose far more than legally required, increasing costs and exposing sensitive business information unnecessarily.
Our guide helps you identify what is actually personal data requiring disclosure versus routine business records that can be excluded. Follow these practical filters to reduce your document pile, protect company information and significantly lower redaction fees.
Understanding Email Disclosure
There’s confusion about company email disclosure, but it’s straightforward once you understand the distinction between email records (who sent/received) and email content (what was said).
The Law:
The requester is entitled to know their name and email address exist in your systems as a sender or recipient.
The Interpretation:
They are NOT entitled to every email where they appear in the headers if the content reveals nothing about them personally.
Simple Test:
If the email is ABOUT the requester (they’re mentioned in the content):
A. Disclose the email and redact any third-party information
If the requester is just the sender/recipient (NOT mentioned in the content):
A. Exclude the email, provide a summary instead
The Summary Approach:
Create a one-page Word document:
“In response to your request, we confirm we hold the following information regarding you in our email records:
Mailbox 1 : john.smith@yourcompany.co.uk
Mailbox 2 : sharedmailbox@yourcompany.co.uk
Total sent emails : 2,365
Total received emails : 986”
This satisfies the legal requirement (confirming you hold their contact details) without disclosing thousands of irrelevant business emails.
Handling Spreadsheets & Databases
Every company has a database—payroll, employee lists, customer records. When a requester appears in a spreadsheet, you must disclose their data, not the entire document.
“Data Disclosure” vs. “Document Disclosure”
You don’t have to provide the original spreadsheet. You only have to provide their specific information.
Example: Payroll Spreadsheet
Instead of redacting a massive payroll file containing everyone’s salaries (a nightmare, and error-prone), create a simple Word summary:
“In response to your request, we confirm we hold the following information regarding you in our payroll records:
Employee ID : 12345
Salary : £35,000
Bonus Grade : B
Start Date : 01/01/2000
Address : 10 Downing Street, London
Mobile : 012345678910”
This provides everything the law requires (their data) without exposing everyone else’s sensitive information.
If They Insist on the Document:
If the requester challenges the data integrity and demands the actual spreadsheet:
- Make a copy of the Excel file
- In the copy, delete all rows except the requester’s
- Turn off version history (very important) and save
- Provide the “sanitised” version
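A check worth running on the saved copy before it goes out, as an added example that is not part of the original guide: an .xlsx file is a zip of XML parts, and parts other than the visible sheet (a pivot cache, a hidden sheet) can still hold values from rows that were deleted. The part contents, names and IDs below are constructed sample data, and `find_residual_terms` is a hypothetical helper name.

```python
import html
import io
import zipfile

def make_xlsx(parts):
    """Pack {part name: XML} into an in-memory zip laid out like an .xlsx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()

def find_residual_terms(xlsx_bytes, third_party_terms):
    """Return sorted (part, term) pairs where another person's value survives."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        for name in z.namelist():
            raw = z.read(name).decode("utf-8", errors="replace")
            text = html.unescape(raw).lower()  # undo &amp; etc. before matching
            hits += [(name, t) for t in third_party_terms if t.lower() in text]
    return sorted(hits)

# Constructed sample data (not real records).
SHEET = ('<worksheet><sheetData><row r="1">'
         '<c t="inlineStr"><is><t>John Smith</t></is></c>'
         '<c><v>12345</v></c><c><v>35000</v></c>'
         '</row></sheetData></worksheet>')
PIVOT = ('<pivotCacheRecords>'
         '<r><s v="John Smith"/><n v="12345"/></r>'
         '<r><s v="Jane Doe"/><n v="67890"/></r>'
         '</pivotCacheRecords>')
THIRD_PARTY = ["Jane Doe", "67890"]  # values taken from the deleted rows

# Same visible sheet in both files; only LEAKY still carries a pivot cache.
LEAKY = make_xlsx({"xl/worksheets/sheet1.xml": SHEET,
                   "xl/pivotCache/pivotCacheRecords1.xml": PIVOT})
CLEAN = make_xlsx({"xl/worksheets/sheet1.xml": SHEET})

if __name__ == "__main__":
    for label, data in (("leaky", LEAKY), ("clean", CLEAN)):
        print(label, find_residual_terms(data, THIRD_PARTY) or "no residual terms")
```

Pass the bytes of the real sanitised file and a list of names or IDs from the rows that were removed; any hit names the part that still needs cleaning. Short numeric terms can match unrelated numbers, so prefer full names and full ID values.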
Managing Generic Documents (Meeting Minutes, Teams Chats, Project Plans)
Not every document mentioning the requester contains personal data. Use these filters:
Question 1: Is it purely business-related?
(Attendance records, meeting notes about company decisions, project plans)
A. Exclude
Question 2: Is it a professional opinion?
(Their view on office relocation, budget proposals, team restructuring)
A. Exclude
Question 3: Does it reveal private life, health or sensitive personal circumstances?
(Caring responsibilities, health issues, personal grievances, disciplinary matters)
A. Include and redact any third party information
Example:
Meeting minutes discussing office relocation where the requester happened to be present.
A. Exclude (general business record)
Meeting minutes discussing the requester’s flexible working request due to childcare.
A. Include (reveals personal circumstances)
| Example | Content | Is it Personal Data? | Action |
|---|---|---|---|
| Attendance | “John was present.” | No. | Exclude. It’s a business record of attendance, not personal data about John. |
| Business Opinion | “John agreed with the move.” | No. | Exclude. This is a professional opinion, not personal information. |
| Personal Circumstance | John said “I don’t agree with this relocation as I’m a single dad, my daughter Mary is 8 years old and this would adversely affect me directly” | YES. | Include. This is highly sensitive personal data, but redact any third party information. |
The Bottom Line
The law requires you to provide personal data, not a mirror image of your company’s internal files.
If you can answer the request accurately using summaries or specific extracts, you meet your legal obligations while protecting sensitive business information from unnecessary exposure.
Need Help with Your Redaction?
Smart filtering reduces your document pile, but Subject Access Requests still require careful handling to ensure compliance while protecting third-party information.
Our professional document redaction services handle the entire workflow – email consolidation, format conversion, secure redaction and compliant delivery. We eliminate the technical burden so you can focus on running your business.
Transparent SAR pricing from £300.
Get a free quote today:
Email: hello@excelnexus.co.uk
Phone: 0161 513 2735

