When Can You Withhold Information from a DSAR Request?
Under UK GDPR, organisations can withhold information from a Data Subject Access Request (DSAR) under specific circumstances. These exemptions must be applied carefully and justified on a case-by-case basis. Reasons include protecting third-party data, legal privilege, or manifestly excessive requests. Understanding and applying these exemptions correctly is vital for ensuring compliance while safeguarding sensitive information.
Lessons Learned:
UK businesses must be aware of the exemptions available for DSARs, apply them judiciously, and document their rationale. Automated solutions like DSAR.ai can help organisations manage complex requests, avoid non-compliance, and securely handle large volumes of data.
The right of access under UK GDPR, often called a Data Subject Access Request (DSAR), is a critical tool for individuals to gain insight into how their data is used. However, there are situations where organisations can withhold some or all of the information requested, as outlined in the law. These exemptions balance transparency against other rights, such as privacy and confidentiality.
Businesses must understand when and how to apply these exemptions, as failing to respond appropriately can lead to regulatory scrutiny. Let’s explore some critical scenarios in which information can be withheld.
- Information about Other Individuals
If the requested data involves details about another person, businesses must take care before disclosing it. The Data Protection Act (DPA) 2018 permits organisations to withhold this data unless the third party consents to the disclosure, or releasing the information without consent is reasonable.
For example, if an employee requests details from their HR file mentioning other team members, any information regarding those colleagues should be redacted unless it’s deemed reasonable to release. A similar principle applies to witness statements in disciplinary or investigative contexts. If confidentiality was assured to the witnesses, disclosing their identities might breach that agreement.
- Confidential References
Confidentiality is critical for references provided for employment or volunteering purposes. UK GDPR excludes confidential references, meaning organisations are not obliged to disclose them when responding to a DSAR. This applies both to references given by the organisation and to those it receives about an employee. Businesses should ensure that their policies define references as confidential to avoid ambiguity and potential disputes.
- Legal Professional Privilege
Any communication between a business and its legal counsel can be withheld under the legal professional privilege (LPP) exemption. This covers advice sought from lawyers or documents prepared for litigation purposes. For instance, if a company seeks legal advice regarding a potential employee dismissal and the employee submits a DSAR, the company may rightfully withhold correspondence with its legal advisors.
- Whistleblowing Reports
Whistleblower protection is critical to ensure transparency and accountability within organisations. If a whistleblower reports wrongdoing, such reports often contain information about third parties, including those accused of misconduct. UK GDPR allows businesses to withhold whistleblower reports if disclosing them would identify the whistleblower or compromise an ongoing investigation. The Public Interest Disclosure Act 1998 (PIDA) also protects whistleblowers, further complicating the situation when responding to DSARs.
- Manifestly Unfounded or Excessive Requests
Businesses can refuse DSARs that are either manifestly unfounded or manifestly excessive. A request is considered unfounded if there is clear evidence that the requester is acting maliciously, such as using the request to harass the organisation. An excessive request places a disproportionate burden on the business, especially if it involves a large volume of irrelevant or duplicated information.
For example, if an ex-employee repeatedly submits DSARs seeking all data related to their employment, a business may determine that providing this information multiple times is excessive. Companies can seek clarification or summarise the data instead of fully disclosing it.
- Crime and Taxation Investigations
Personal data processed to prevent or detect crime, prosecute offenders, or collect taxes can also be exempt from DSAR disclosure. If releasing the information would hinder an investigation or risk the safety of the individuals involved, businesses are justified in withholding it. For instance, if a worker is under investigation for misconduct and the police are involved, the company can refuse to disclose related information.
Conclusion
Navigating the complex DSAR exemptions requires a deep understanding of the law and careful judgment. Each exemption must be applied case-by-case, with clear documentation supporting the decision. Failure to correctly apply exemptions can result in non-compliance with GDPR, leading to significant financial and reputational risks.
For businesses managing high volumes of DSARs, automated solutions like DSAR.ai can streamline the process by identifying exempt information, reducing the risk of human error, and ensuring compliance. By handling requests efficiently, businesses can protect themselves and all parties’ privacy.