“Do I really have to disclose everything or is there anything I can hold back?”
This is perhaps more often than not the second question we get asked when someone contacts us because they have just received a subject access request.
The first, of course, being “Do I really have to comply with this request?” The answer to that first question is arguably more straightforward than the answer to the second: unless the request is manifestly unfounded or manifestly excessive, “Yes, you really do” have to comply with the subject access request.
And so inevitably we move on to the second question…
First things first, though: a “subject access request” (SAR), as we are sure everyone by now knows, is a mechanism introduced in the UK under the Data Protection Act 1998 which gives individuals the right to access and receive a copy of any of their personal data held by third parties. Individuals can make SARs verbally or in writing, including via social media.
As we are often asked by clients to advise on what information they are obliged to disclose pursuant to a subject access request and, importantly, what information they can keep back, we thought it would be useful to collate a list of some (not all) of the more useful exemptions that we have garnered from different sources to help provide some initial guidance.
Information that may be exempt from disclosure pursuant to a subject access request includes:
- Personal data processed for crime and taxation-related purposes is exempt from the right of access;
- Personally identifiable data (belonging to other natural persons and not the data subject in question);
- Information that could jeopardise the safety of any individual;
- Information that would prejudice the prevention and detection of crime; the apprehension or prosecution of offenders; or the assessment or collection of tax;
- Court documents in specified circumstances;
- Information to which a claim to legal professional privilege could be maintained in legal proceedings or in respect of which a professional legal adviser owes a duty of confidentiality to his client;
- Personal data that is processed for management forecasting or management planning about a business or other activity;
- Information to which a prohibition or restriction from disclosure applies;
- Information containing personal data provided with an expectation of confidentiality, e.g. whistleblowing, complaints, safeguarding or fraud referrals;
- Information that would, or would be likely to, prejudice commercial interests of any person or legal entity;
- Personal data in relation to negotiations, if it would be likely to prejudice those negotiations; and
- Confidential references.
This list is, of course, not exhaustive and there are many more exemptions (and detail as to how they apply) that go with them.
Contact our Corporate & Commercial Team
If you would like help processing your subject access request or if you have any queries concerning your obligations, please contact Michael Kashis in the Corporate & Commercial team or call on 020 7631 4141 and ask for a member of the team.
The above is accurate as at 01 October 2022. The information above may be subject to change.
The content of this note should not be considered legal advice and each matter should be considered on a case-by-case basis.