Skip to content
LegalVision UK

When Can My Company Refuse to Action a Subject Access Request in the UK?

Avatar photo

By Thomas Sutherland

Updated on
Reading time: 5 minutes

Meets editorial guidelines

This article meets our strict editorial principles. Our lawyers, experienced writers and legally trained editorial team put every effort into ensuring the information published on our website is accurate. We encourage you to seek independent legal advice. Learn more.

Follow us on LinkedIn
Table of Contents

Your company may receive Subject Access Requests (SARs) which have become increasingly common since the General Data Protection Regulation (GDPR) came into force. A SAR is a request by an individual for personal information that your company holds on them. Complying with SARs regularly can be inconvenient and time consuming. As such many business owners wonder whether there is a way to avoid complying, or fully complying, with SARs. Usually the answer is ‘no’; however, a few exemptions may allow your business to limit its response to a SAR. This article will explore the potential exemptions available which you might use to refuse or limit your response to an SAR. 

What is a Subject Access Request?

A SAR is a request, generally in written form, by an individual for information held about them. The most common SARs are submitted by employees, followed by individuals and customers. Since most SARs come from staff members, this article will focus on employee-derived SARs. Here, an employee may request all personal data relating to them. This includes information concerning their:

  • appraisals;
  • sickness or absence records;
  • disciplinary records or grievance copies;
  • holiday request forms and annual leave records;
  • pension information;
  • employment contracts;
  • payslips; and
  • relevant emails and letters.

In most cases, your company has one calendar month from receiving the SAR to find, process and provide the information. These compliance requirements can be time-consuming and stressful for some companies. This is especially true for smaller businesses that lack the resources to respond quickly. 

The following section will detail exceptions where your business can limit its response to a SAR.

Exemption 1: Manifestly Unfounded SAR

A manifestly unfounded SAR is one that our data protection rules determine is not worthy of legal protection. This is usually because the individual’s motivation is contrary to the intention and purpose of the GDPR and our data protection laws.

There are two main ways to label a SAR manifestly unfounded. These include the individual:

  • has no genuine intent or interest in the results of the SAR and is using it as a negotiating tactic i.e., where an employee complains about a lack of pay rise and warns that they will ‘spam’ their employer with constant SARs; and
  • is acting maliciously, using the SAR in bad faith to disrupt the business, or with the express purpose of harassing a particular individual, such as sending repeated SARs to cause disruption or back up malicious allegations against the individual they are harassing.

These reasons are not mutually independent and often overlap,

While these reasons appear broad, the test is relatively strict. Many business owners obtain legal advice before rejecting a SAR on the basis that it is ‘manifestly unfounded’.

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

Exemption 2: Manifestly Excessive

An organisation may be exempt from complying with a SAR if they cannot reasonably deal with it without putting the business under significant strain in terms of time or cost. This exemption will usually apply to small businesses, while medium and large businesses will struggle to rely on this. If your business is very small (with nine employees or less), you may consider a substantial SAR to be ‘manifestly excessive’. Thus, you may demonstrate that the request is disproportionate when balanced against the burden or costs of complying with the request.

The Information Commissioner’s Office (ICO) recommends your business should note the following when considering this exemption:

  • your company’s available resources;
  • whether the SAR is a repeat of prior requests or overlaps with previous SARs;
  • whether refusal would negatively impact the applicant; and
  • the nature of the requested information and the relationship between your business and the applicant.

Seeking a ‘manifestly excessive’ exemption can be more difficult than a ‘manifestly unfounded’ exemption. Hence, you should consider legal advice if your company wishes to use it.

Example

In the below scenario, the ICO may not expect your business to provide documents in response to a SAR.

Suppose you have an employee who has worked for you for eight years. They have a poor relationship with you since you promoted someone they dislike as their new manager. Upon being told that the new manager is staying, they have become vindictive and petty in the workplace.

The employee has provided you with a SAR. It is their third SAR in a fortnight and overlaps with the previous requests. The motivation is to bury your organisation in paperwork and cause time and cost implications by requesting information that is several years old. Clearly, the employee has no interest in the information. Rather they are using the SARs as a threat to secure a settlement to exit the company. In this situation, your organisation may be able to use both of the above exemptions to reject the SAR. 

Any letter refusing to deal with a SAR must explain the reasons for not actioning the SAR and should also inform the individual of their right to make a complaint to the ICO if they are unhappy. Templates are unsuitable as the letter needs to be drafted to the unique facts of the situation. Given the legal ramifications of refusing a SAR, most business owners will obtain legal assistance in drafting a suitable letter. 

Key Takeaways

Refusing to provide complete documentation in response to a SAR can be risky for your business from a legal perspective. If you are considering using an exemption in response to a SAR, it is worth considering expert legal advice on whether to proceed and to finalise any documentation to that effect. 

If you need help with data protection requirements and the processing of SARs, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

Can I refuse to carry out a SAR because the employee is threatening an Employment Tribunal action?

No, this does not come under the manifestly unfounded or manifestly excessive exemptions. A SAR to assist with a potential tribunal claim will have a real purpose and is not malicious in intent.

Are there any documents I can routinely refuse to provide in response to SARs?

A typical example includes documents protected by legal privilege, such as emails containing advice between you and your company’s lawyer, even if they mention that individual by name. You can sometimes refuse to provide documents relating to other individuals to protect their confidentiality or redact parts of documents referring to other employees.

Register for our free webinars

Corporate Governance 101: Responsibilities For Directors

Online
Learn key responsibilities for new directors to avoid legal risks. Join our free webinar to learn more.
Register Now

Business Divorces: Exiting Directors and Shareholders From Your Company

Online
Removing a board director is not simple. Join our free webinar to understand your options. Register today.
Register Now
See more webinars >
Thomas Sutherland

Thomas Sutherland

Read all articles by Thomas

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

Related articles

4 Common Challenges Your Company Will Face With the GDPR in the UK

Five GDPR-Related Cybersecurity Mistakes Business Owners Make in the UK

How Does GDPR Affect My Business?

When Could Your Business Face a Fine From the ICO for Breaching the GDPR in the UK?

We’re an award-winning law firm

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards

  • Award

    2021 Fastest Growing Law Firm in APAC - Financial Times