• 13 Dec 2024
• •
• 3 min read

Do we have to provide all information and documents requested in a subject access request (SAR)?

The simple answer to this is ‘no’ but the application of the rules allowing organisations to exclude information from a SAR response is one of the most complex parts of dealing with a SAR.
 
As explained in a previous article, individuals have the right to request from an organisation a copy of their personal data together with other information about how their personal data in processed. However, this doesn’t mean the individual has the right to receive all of their personal data or full copies of any documents which contain their personal data. This is particularly important to bear in mind if the documents also contain commercial information which does not relate to the individual and which you do not want to disclose.

Exemptions

There are several exemptions to the requirement under data protection law for organisations to provide an individual with a copy of their personal data requested via a SAR. However, these must be considered carefully and on a case by case and often on a document by document basis. You should record in writing your reasons for relying on a particular exemption, so that you can demonstrate your compliance with data protection law should the need arise.

The most common exemptions are:

1. Information that relates to other individuals. The individual making the SAR is only entitled to their own personal data. If, for example, there are documents which include information identifying other individuals, then you will have to redact any information in the documents which relates to those other people unless either they have agreed to their information being disclosed or it is reasonable to disclose the information without their consent. In deciding what is reasonable you will need to consider all the relevant circumstances, including the type of information you propose to disclose, what steps you have taken to seek consent (if appropriate for you to do so), whether you owe the other individuals a duty of confidence and what information the individual making the SAR already knows.  If you don’t go through this process, then you may end up disclosing the other individuals’ personal data unlawfully.

2. Legal professional privilege. You may withhold information that is covered by legal professional privilege, which includes any confidential correspondence with your lawyers where you are seeking legal advice about the individual.

3. Management information. You may exclude information processed for the purposes of management forecasting or management planning for your organisation, where disclosing such information would be likely to prejudice the conduct of your business. So, if the individual making the SAR is an employee and you were planning to make redundancies, then you would not need to disclose information relating to your plans if to do so would be prejudicial to your business.

4. Ongoing negotiations. You may withhold any information relating to negotiations with, for example, an employee where disclosure of the information would be likely to prejudice negotiations with that individual. So, for example, if you were in the middle of pay or promotion negotiations with the employee, you would not need to disclose any information about the negotiations if doing so would be likely to prejudice the negotiations.

If it is an employee who has made the SAR, then the confidential reference exemption may also relevant. You can withhold confidential references that you receive or provide about the employee for certain purposes although it is important to note that this exemption only applies to references given in confidence.

These exemptions may mean that entire documents can be withheld from the individual, or that certain information within a document needs to be redacted before it is provided to the individual. In some cases, it may be easier to copy the personal data which is going to be provided to the individual into a separate document which is permitted, as the individual only has a right to receive their personal data not the specific documents within which that personal data is held.