Responding to a Personal Data Request Using GDPR Language.
English for Office Administrators. Lesson 8.
A colleague asks you to share personal information quickly: a home address, a date of birth, or a contract document. You want to help, but you also need to follow the correct process and share only what is permitted. In this lesson you practise responding to a sensitive request with careful, non-dramatic wording. You will work with a short data request message, a simple confidentiality notice, and a process step list. You will practise the language of permissions, secure channels, and minimum-necessary information. You will also practise offering a helpful alternative: directing the person to the correct request route, suggesting what you can share instead, or explaining what proof is needed. By the end, you will be able to protect confidentiality while staying professional and supportive, and you will be able to write a brief internal note that records the request and your response for traceability.
1. A colleague asks for personal data on Teams.
Imagine you are at your desk and a colleague pings you on Teams with a “quick one”. They want someone’s home address and date of birth right now, so they can “sort something out”. In real admin work, this is exactly where you need calm, non-dramatic language. You don’t want to sound like you’re accusing them of anything, but you also can’t just copy and paste personal data into chat.
In this lesson, we’ll keep one continuous situation: you are the admin contact and you’ve received a request for personal information. Across the next blocks, you’ll practise three key moves: first, pause and protect confidentiality; second, ask for the reason and authorisation; and third, offer a helpful alternative route, like the approved request channel or a secure way to share documents.
For now, let’s start with the initial message and identify what’s missing. Then you’ll draft a short Teams reply that stays supportive while keeping the organisation safe and compliant.
Situation.
You’re an office administrator. A colleague has messaged you on Teams asking for personal data (for example: a home address, date of birth, or a contract document). They want it quickly.
Your goal is not to “block” them. Your goal is to help safely:
share only what is permitted;
keep the request traceable (in the right channel, with a record);
use calm, neutral wording (no drama, no blame).
The incoming Teams message (model).
Read this as if it just popped up on your screen:
> Jamie (Operations): Hey! Quick one. Can you send me Alex Patel’s home address and date of birth? I need it for a form and it’s a bit urgent.
What’s the risk here?.
This message is vague. It doesn’t tell you:
reason for access (what form? why do they need it?);
authorisation (are they approved to see it? who is the data owner?);
secure channel (Teams is not the right place to send personal data);
minimum necessary information (do they really need both address and date of birth?).
A safe, helpful structure you can reuse.
When you receive a request like this, you can follow a simple routine:
Acknowledge (be human and cooperative)
Boundary (confidentiality / correct process)
Clarifying question(s) (reason, authorisation, what is the minimum needed)
Alternative route (approved channel, secure method)
Traceability line (keep it in a logged thread)
Useful phrases (you will reuse these all lesson).
“Thanks for checking with me.”
“I’m not able to share that directly due to confidentiality.”
“We need to follow the correct process for personal data.”
“Can you confirm your reason for access?”
“Do you have approval from the data owner?”
“Please avoid sending personal data in Teams.”
In the next activity, you’ll write your first reply. Aim for calm, firm, and helpful.
Practice & Feedback
Write your first Teams reply to Jamie.
Requirements:
3–5 short sentences (Teams style).
Start with a cooperative line (for example: “Thanks for checking with me”).
Say you can’t share it directly on Teams (confidentiality) without sounding angry.
Ask two clarifying questions: (1) the reason for access, and (2) whether they have authorisation / approval.
Add one helpful alternative (for example: the approved request channel, or a secure method).
Keep the tone friendly and professional. Use at least two phrases from the list on the screen.
> Jamie (Operations): Hey! Quick one. Can you send me Alex Patel’s home address and date of birth? I need it for a form and it’s a bit urgent.
2. Using a confidentiality notice without sounding dramatic.
Now let’s add a tool you can lean on: a short confidentiality or data-handling notice. The key is how you use it. If you copy policy text with lots of legal language, you can sound defensive, even if you’re right. Instead, you want to summarise the rule in plain English and connect it to a helpful next step.
In this block, you’ll read a simple internal notice and we’ll pull out a few reusable sentences. Notice how the strongest versions don’t say “You’re not allowed” or “This is against GDPR”. They say, “We need to use the approved process” and “Please use a secure channel”. That keeps the conversation professional and practical.
After you read the notice, you’ll do a quick task: rewrite two policy-heavy sentences into natural Teams English. This is a very real admin skill: translating policy into calm workplace language.
Why a short notice helps.
When someone asks for personal data, it’s easy to get pulled into their urgency. A short notice gives you neutral authority: you are not refusing “because you feel like it”, you are following the process.
However, you do not need to paste long legal text. In day-to-day admin English, your aim is:
plain language (clear and simple),
minimum necessary (only what is required for the task),
secure channel (don’t send personal data in open chat),
traceability (a request route that creates a record).
Internal confidentiality notice (simple version).
Read this short extract:
> Internal reminder: handling personal data
>
> - Do not share personal data (home address, date of birth, ID numbers, contract documents) via Teams chat.
> - Personal data must be shared only via approved, secure channels and only with authorised recipients.
> - Where possible, share the minimum information necessary to complete the task.
> - If you receive a request for personal data, ask for the reason for access and confirmation of authorisation.
> - Keep requests and responses traceable (ticket, case log, or approved mailbox).
Turning policy into workable English.
Here are two examples of “policy-heavy” sentences and a more natural admin alternative.
Policy-heavy wording
Calm, workable alternative
“This request cannot be fulfilled due to GDPR restrictions.”
“I’m not able to share that directly due to confidentiality, but I can help you with the next step.”
“Disclosure is prohibited in non-secure communication channels.”
“Please avoid sending personal data in Teams. If you submit it via the approved channel, we can action it.”
Mini checklist before you respond.
Before you share anything, check:
Who is asking? Are they an authorised recipient?
Why do they need it? Is it a genuine business reason?
What’s the minimum necessary information?
What’s the approved route or secure method?
In the activity, you’ll practise rewriting. This helps you sound confident, not apologetic, while still being supportive.
Practice & Feedback
Rewrite the two policy-heavy sentences below into natural, calm workplace English.
Rules:
Write two separate rewritten sentences (label them 1 and 2).
Keep each one to one sentence (Teams-friendly).
Include one helpful next step (for example: asking them to use the approved channel).
Avoid dramatic language like “illegal”, “breach”, or “against GDPR”. Keep it neutral.
Imagine you’re replying to Jamie in the same situation as before.
“This request cannot be fulfilled due to GDPR restrictions.”
“Disclosure is prohibited in non-secure communication channels.”
3. Listening for permissions and the minimum-necessary idea.
Next, let’s train your ear for the language that matters in a sensitive request. You’re going to hear a short Teams-style exchange. Your job is to notice three things: first, how the admin person sets a boundary without sounding aggressive; second, which questions they ask to check permissions; and third, how they reduce the amount of data shared by focusing on the minimum necessary.
As you listen, don’t try to catch every single word. Instead, listen for phrases like “I’m not able to share that directly”, “Can you confirm your reason for access?”, and “Do you have approval from the data owner?”. These are the kinds of phrases you can reuse again and again.
After the audio, you’ll answer a few comprehension questions. Then we’ll use the same language in your own message in the next block.
Listening task: a realistic exchange.
In the audio, you’ll hear a short conversation between:
Jamie (Operations), who wants personal data quickly, and
You (Admin), who needs to follow the correct process.
What to listen for.
Focus on these three listening goals:
Boundary (confidentiality + channel)
Do you hear a line that clearly says you can’t send personal data on Teams?
Permissions (authorisation + reason)
Do you hear a question about why they need it?
Do you hear a question about approval / authorisation?
Minimum necessary (reduce the ask)
Do you hear the admin person narrowing the request (for example, offering to share something else, or asking what is strictly required)?
Language you are likely to hear.
Here are some phrases from the lesson chunk bank. Use them as anchors while listening:
“Thanks for checking with me.”
“I’m not able to share that directly due to confidentiality.”
“We need to follow the correct process for personal data.”
“Can you confirm your reason for access?”
“Do you have approval from the data owner?”
“I can share the minimum information needed for this task.”
After listening.
You will answer these questions:
What is the main reason the admin person gives?
What are the two questions they ask Jamie?
What alternative route do they suggest?
These are exactly the building blocks you need for confident, compliant communication.
Practice & Feedback
Listen to the short exchange and answer the questions.
Write your answers in 4–6 lines total.
Q1: What is the main reason the admin person gives for not sending the data directly?
Q2: Write the two permission-check questions you hear (or very close to them).
Q3: What alternative route or next step do they suggest?
Tip: It’s fine if your wording isn’t 100% exact. Focus on the meaning and key phrases (confidentiality, correct process, approved channel, authorisation).
4. Drafting a compliant reply with a helpful alternative.
You’ve now seen the structure and heard it in action, so let’s write. The challenge here is balancing two pressures: someone feels urgent, and you have a confidentiality boundary. If you only say “no”, you create conflict. If you only say “sure”, you create risk. The professional middle is: “not directly, but here is the route, and here’s what I can do next.”
In this block, I’ll give you a model message that is polite, clear, and process-led. Notice the sequencing: acknowledgement, boundary, questions, alternative route, and a line that keeps everything traceable.
Then you’ll write your own version, but with one extra skill: you’ll apply the minimum-necessary idea by asking what they actually need the data for, and whether one piece of information would be enough. That keeps you helpful while reducing exposure.
Write it as if you’re really replying in Teams now: short lines, professional tone, and specific next steps.
A model Teams reply (strong but friendly).
Here is a model you can adapt. Read it as a complete mini-template:
> Thanks for checking with me. I’m not able to share home addresses or dates of birth directly in Teams due to confidentiality.
>
> Can you confirm your reason for access, and whether you have approval from the data owner/HR?
>
> If you email the request via the approved HR mailbox (and include the approval), we can action it. I can help you with the next step.
>
> Also, to keep this minimal, what does the form actually require: address confirmation only, or date of birth as well?
Why this works.
This message does several important things without sounding unfriendly:
It doesn’t accuse. “Thanks for checking with me” frames the colleague as doing the right thing.
It sets a boundary with a reason. “Due to confidentiality” is calm and professional.
It checks permissions. Reason + authorisation are the essentials.
It offers an alternative. You give a route (approved mailbox / ticket) rather than just refusing.
It reduces data. Asking what the form actually needs is the minimum-necessary principle in action.
Optional “firmness ladder” (choose what fits).
Sometimes you need to be firmer. Here are three levels:
Soft: “Just a heads-up, I can’t share that on Teams.”
Neutral (best default): “I’m not able to share that directly due to confidentiality.”
Firm: “Please don’t request or share personal data in Teams. Use the approved channel so we can action it safely.”
Micro-accuracy tip.
Be specific about what you can’t do:
Better: “I’m not able to share that directly on Teams.”
Less clear: “I can’t do that.”
In the activity, you’ll write your reply, using this model but making it your own.
Practice & Feedback
Write a full Teams reply to Jamie in this same situation.
Requirements (aim for 5–7 sentences, Teams-friendly):
Ask for: (1) reason for access, and (2) confirmation of approval/authorisation.
Offer: an alternative route (approved HR mailbox / ticket / secure channel).
Apply minimum necessary: ask what the form actually needs (do they need both pieces of data?).
Add one traceability line (for example: “Let’s keep this in a traceable thread” or similar).
Write as “you” (Admin). Keep it calm and helpful, not legalistic.
You are replying to this message:
> Jamie (Operations): Hey! Quick one. Can you send me Alex Patel’s home address and date of birth? I need it for a form and it’s a bit urgent.
5. Chat simulation: keeping it safe under pressure.
Let’s turn this into a realistic mini-simulation. In real life, when you set a boundary, the other person often pushes back: “It’s urgent”, “My manager told me”, “It’ll only take a second”. Your job is to stay calm, repeat the process, and keep offering a practical next step.
In this block, you’ll write a short chat-style exchange. You will write both sides: Jamie’s messages and your replies as Admin. This helps you practise holding the line politely, not just writing one perfect message in isolation.
As you write, make sure your Admin responses do three things: restate the boundary briefly, ask for the missing permission information, and propose the approved route again. If Jamie insists, you can go one step firmer: “Please avoid sending personal data in Teams.”
Don’t worry about being “too strict”. Professional admin language is about consistency. You are protecting the colleague and the organisation by keeping the process safe and traceable.
Simulation set-up.
You are still in the same Teams thread with Jamie (Operations). Jamie is under time pressure and keeps pushing for a quick answer.
You will write a short chat exchange of 8–10 messages total (short lines), alternating:
Jamie → Admin → Jamie → Admin …
What Jamie might say (typical pushback).
Jamie’s messages may include:
“It’s urgent, I just need it now.”
“My manager asked me to do it.”
“Can you just send it to me and I’ll delete it?”
“It’s only for a form.”
What you need to practise.
Your Admin messages should show these skills:
1) Calm repetition
You don’t need new arguments each time. Repeat the same safe lines, briefly.
2) Permission check
Keep coming back to: reason + authorisation.
3) Approved route
Offer the next step every time: approved mailbox / ticket / secure channel.
4) Minimum necessary
Where possible, reduce the amount of data: “What does the form require exactly?”
5) Traceability
A simple line helps: “Let’s keep this in a traceable thread.”
Useful sentence starters for your Admin replies.
“I understand it’s urgent, but we need to follow the correct process for personal data.”
“I’m not able to share that directly in Teams due to confidentiality.”
“Can you confirm your reason for access?”
“Do you have approval from the data owner?”
“If you send it via the approved channel, we can action it.”
“Please avoid sending personal data in Teams.”
Mini rubric (self-check).
When you finish, check:
Did you stay polite and supportive?
Did you avoid sharing personal data?
Did you give a clear route and next step?
Did you keep the exchange short and realistic?
Now write your chat exchange.
Practice & Feedback
Write a chat-style simulation with Jamie.
Instructions:
Create 8–10 short messages total.
Label each line clearly as Jamie: or Admin:.
Make Jamie push back at least twice (urgency, “my manager said”, etc.).
In your Admin replies, repeat the boundary calmly, ask for reason/authorisation, and offer the approved route.
Include at least three phrases from the chunk bank (for example: “Thanks for checking with me”, “We need to follow the correct process for personal data”, “Please avoid sending personal data in Teams”).
Do not invent or share any real personal data. Keep it realistic and professional.
Key phrases you can use:
Thanks for checking with me
I’m not able to share that directly due to confidentiality
We need to follow the correct process for personal data
Could you submit the request via the approved channel?
Once we have authorisation, we can action it
I can share the minimum information needed for this task
Can you confirm your reason for access?
Do you have approval from the data owner?
Let’s keep this in a traceable thread
Please avoid sending personal data in Teams
6. Closing the loop with an audit-friendly internal note.
You’ve handled the live interaction. The final skill is what separates confident admin work from risky admin work: you document what happened. A short internal note protects you and helps colleagues understand the status later. It should be factual, dated, and traceable, with no personal opinions.
In this final block, you’ll write an audit-friendly case note about Jamie’s request and your response. The note should record what was requested, what you did, what you refused to do, and the next step you gave. It should also mention the approved route you directed them to.
Think of a case note as a mini timeline. Imagine someone asks in three months, “Why didn’t we send the details in Teams?” Your note answers that calmly: confidentiality, correct process, and authorisation pending.
You’ll write the note in a structured format, and then you’ll add one short closing Teams message to Jamie confirming the next step. That’s your end-to-end performance for this lesson.
Why logging matters.
In GDPR-style situations, your communication should be traceable. A quick internal note:
creates a record of the request and your response,
shows that you followed process,
helps a colleague pick up the case if you’re away.
Your note should be factual and minimal:
record the request (what was asked for),
record your response (what you said and what route you gave),
record what is pending (authorisation / reason / approved channel submission),
avoid copying personal data into the note unless the system is designed for it.
Model case note (template).
Use this as a structure. You can copy the headings and fill them in.
Case note (internal): Personal data request
Date/time: [today’s date + time]
Requestor: Jamie, Operations
Subject data: Alex Patel (employee)
Data requested: home address + date of birth
Channel received: Teams
Reason given: “benefits paperwork” (verbal)
Authorisation: not provided at time of request
Response provided: Advised we cannot share personal data via Teams due to confidentiality; requested reason for access and confirmation of approval from data owner; directed requestor to submit via approved HR mailbox / secure channel.
Next step: Await request via approved channel with manager/data owner approval; then action as per process.
A closing loop message (to Jamie).
After logging, you can send one final Teams line to keep the thread tidy:
“Thanks, once you’ve sent it via the approved HR mailbox with the approval, we’ll pick it up from there.”
Mini rubric (final self-check).
Your note is strong if it is:
Traceable: includes date/time, channel, next step.
Neutral: no blame, no emotional language.
Specific: what was requested, what you advised.
Safe: no unnecessary personal data copied into the note.
Now write your own note and closing message.
Practice & Feedback
Write two things:
Part A: Internal case note (120–160 words)
Use the template headings from the screen.
Keep it factual and traceable.
Do not include any real personal data (no addresses, no dates of birth).
Mention that the request came via Teams and you directed them to an approved channel.
Part B: Closing Teams message to Jamie (1–2 sentences)
Confirm the next step and keep it friendly.
Include one phrase from the chunk bank.
This is your final performance: accurate, calm, compliant, and helpful.
Reminder phrases you can reuse:
We need to follow the correct process for personal data
I’m not able to share that directly due to confidentiality
Could you submit the request via the approved channel?
