When Can You Refuse a Subject Access Request (SAR)?
When you can refuse a Subject Access Request, including ‘manifestly unfounded/excessive’ requests, third-party data, and legal privilege.
Understanding When You Can Refuse a Subject Access Request (SAR)
Subject Access Requests (SARs) are a powerful tool for individuals, granting them the right to access the personal data that organisations hold about them. Yet, compliance with SARs can be challenging for organisations, particularly when requests are burdensome or potentially abusive. While it’s essential to respect individual privacy rights, there are legitimate situations where an organisation can lawfully refuse a SAR. This guide addresses the question of when you can refuse a subject access request (SAR): the circumstances under which an organisation can deny access, and the considerations needed to ensure compliance with the UK GDPR and the Data Protection Act 2018.
“Manifestly Unfounded or Excessive” Requests
The UK GDPR allows organisations to refuse SARs that are “manifestly unfounded or excessive.” But what does this mean in practice? Let’s break down these terms to understand when a SAR may qualify for refusal under these conditions.
What Makes a Request “Manifestly Unfounded”?
A SAR may be considered “manifestly unfounded” if it’s clear that the requester has no genuine desire to exercise their rights. This could involve situations where the SAR is filed purely to disrupt operations, harass the organisation, or attempt to exert leverage. For example:
- Example: An ex-employee submits repeated SARs to their former employer with no legitimate need for the data. They do this solely to disrupt the company’s operations. If they demand compensation or a “settlement” in exchange for retracting their SAR, the request may be considered manifestly unfounded.
- Key Consideration: Simply exhibiting anger or hostility does not automatically make a SAR unfounded. It’s up to the organisation to demonstrate that the individual’s intentions are not genuine.
When Is a Request Considered “Manifestly Excessive”?
A request is “manifestly excessive” if it’s clearly unreasonable in scope or frequency, especially when compared to the benefit or purpose of the request. Factors to weigh include:
- Repetition: Has the requester already submitted recent SARs that cover the same data?
- Effort Required: Would the amount of work required to process the SAR far exceed its utility?
- Example: An individual submits a SAR every two weeks, even though the data held has not changed. This would likely qualify as manifestly excessive.
Potential Changes in SAR Refusal Standards: “Vexatious or Excessive” Requests
As part of ongoing data protection reform, the UK government is considering updating the criteria for refusing SARs from “manifestly unfounded or excessive” to “vexatious or excessive.” This new standard would broaden the range of refusals and potentially offer more protection to organisations:
- Vexatious Requests: Under the proposed standard, organisations could decline SARs that are designed to harass or cause distress, particularly if they appear to abuse the SAR process.
- Resource Allocation: Organisations would have more flexibility to refuse SARs based on available resources.
Although the government has not finalised these changes, understanding the current standard allows you to prepare should they take effect.
Legal Exemptions for Refusing a Subject Access Request (SAR)
If a SAR does not meet the “manifestly unfounded or excessive” criteria, there may still be a basis for lawful refusal via exemptions. The UK Data Protection Act 2018 provides a variety of specific exemptions in Schedule 2, which can be used to withhold certain data. It’s essential to apply each exemption thoughtfully to ensure compliance and transparency.
Most Common Exemptions to Consider
- Prejudice to Law Enforcement or Regulatory Purposes: If fulfilling a SAR could interfere with a police investigation or regulatory enforcement, data may be withheld. For example, an organisation might need to withhold details of an investigation to avoid tipping off the data subject.
- Confidential Information: Some data is considered confidential due to its context, such as personal references or sensitive communications. For example, confidential references given to an organisation can be exempt from SARs to maintain privacy.
When using exemptions, bear in mind that each data item in the SAR must be evaluated separately. If the majority of the data can be shared without issue, it should be, with any exempt information clearly redacted.
Protecting Third-Party Privacy
The UK GDPR and the DPA 2018 mandate that third-party data be protected when responding to SARs. This requirement is based on the principle that individuals have a right to their own data but not to the data of others unless they have appropriate consent. Here’s how to handle third-party data in a SAR:
- Identify Third-Party Information: Determine if any documents or communications contain data about individuals other than the data subject.
- Redact Carefully: Redact all third-party data that isn’t directly relevant or legally permissible to disclose.
- Balancing Confidentiality and Disclosure: If the data subject already possesses information about the third party or their involvement, this context should be considered before making redactions.
Legal Privilege: When Confidentiality Takes Priority
Legal privilege is a powerful exemption that protects communications made in the context of seeking legal advice or related to ongoing or anticipated legal proceedings. SARs cannot compel the disclosure of privileged information, including:
- Legal Advice Privilege: Communications between a client and legal advisor for legal guidance.
- Litigation Privilege: Communications created in anticipation of litigation, which could include records of conversations, emails, and even notes relevant to a potential legal case.
Management Information: Internal Planning and Forecasting
Management information related to strategic planning, such as restructuring efforts or redundancy plans, can often be withheld under the DPA 2018 if disclosing it would compromise organisational goals.
- Example: If an employee submits a SAR while the organisation is planning redundancies, you may lawfully withhold information related to their potential redundancy as long as revealing this data would jeopardise organisational planning.
Confidential References and Other Employment-Related Information
SARs commonly target information in HR records. Confidential references, however, are typically exempt from disclosure to protect the integrity of employment references.
- Example: If a former employee submits a SAR requesting a copy of a confidential reference given to a new employer, the organisation can withhold this information.
Exam Scripts and Educational Records
Another specific exemption relates to exam scripts and academic assessments. Students are entitled to their exam results and examiner comments. However, they are not automatically entitled to copies of the exam scripts themselves.
- Timeframe Considerations: If a student submits a SAR before the results are announced, the organisation has additional time—up to five months or 40 days after the results are released—to respond.
Best Practices for Handling Subject Access Request Refusals
Responding to SARs, particularly when using exemptions, requires a careful and transparent approach. Here are best practices to ensure compliance and minimise risk:
- Document Decision-Making: Keep detailed records of your reasons for refusing or partially withholding data. This documentation will be essential in case of regulatory scrutiny.
- Apply Exemptions Selectively: Each piece of data within the SAR should be reviewed to determine if it qualifies for disclosure or exemption.
- Provide Clear Explanations: If you withhold information, provide a clear but general explanation for each redaction without compromising confidentiality or legal privilege.
- Consider Your Resources: If facing an exceptionally large or complex SAR, you may reach out to a data protection consultant to ensure compliance and efficient handling.
Lawfully refusing a SAR can be complex, requiring a solid understanding of the GDPR, UK data protection laws, and your organisation’s data handling policies. By carefully assessing each request, you can meet compliance obligations while protecting organisational resources.
Need Expert Help with SARs? We are here to guide you through SAR responses and when to refuse a subject access request (SAR). Reach out to simplify your data protection strategy today.