January 24, 2025
Personal data is incredibly valuable, and individuals across the UK have the right to access the personal data that organisations hold about them. This right is enshrined in the UK's General Data Protection Regulation (GDPR) and allows individuals to make a Subject Access Request (SAR) to access information held by their employer, service provider or any other data controller.
However, the scope of a SAR is broad, which means that there are certain pieces of information that can be excluded. In this article, we're going to explore what can be excluded from a SAR and why these exclusions are in place. We're also going to cover some common misconceptions about what you can exclude from a subject access request.
Subject Access Request Exclusions
Data Relating to Other Individuals
One of the most common exclusions from a subject access request is personal data relating to other individuals. If the requested data includes information that could identify another person, this information does not have to be shared.
Why It Can Be Excluded
The GDPR protects not just your personal data, but the data of others. If releasing information could breach another person’s privacy, the data controller does not have to disclose it. If a subject access request asks for a full record of an employee’s communications, and those records include feedback or references to other employees, this information can be excluded or redacted.
Confidential Commercial or Legal Information
Subject access requests cannot demand the disclosure of information that is commercially sensitive or confidential. This is particularly the case if disclosure would compromise business interests. This can include anything from internal communications to trade secrets.
Why It Can Be Excluded
Organisations need to be able to protect their commercial interests. If disclosing sensitive information could negatively impact operations or give an unfair advantage to someone else, this information can be redacted.
Legal Proceedings or Ongoing Investigations
If data that has been requested is related to an ongoing investigation or a current legal process, this information can be excluded from a subject access request. If an individual is under investigation for fraud or misconduct, then releasing documents related to the investigation could hinder the process.
Why It Can Be Excluded
Fairness and the integrity of legal proceedings must be preserved in every case.
Data Processed for Management Planning
If there is data that relates to management planning, this data can be excluded. This includes personal data that has been processed for internal management or for forecasting purposes.
Why It Can Be Excluded
Data used for internal strategic planning or decision-making is not intended for public disclosure. Releasing it could harm the business's operational effectiveness or decision-making autonomy, and it can therefore be excluded.
Excessive or Irrelevant Information
If data that has been requested is excessive or not relevant to the individual's request, a company has the right to exclude or redact the information. If an individual requests all emails related to their employment and the request includes irrelevant emails, these can be excluded.
Why It Can Be Excluded
The GDPR allows for data to be processed in a way that is proportionate for the purpose for which it was requested. Excessive or irrelevant information would go against the principle of data minimisation.
Data that cannot be shared but is commonly asked for includes:
- Performance Evaluations: Personal data related to performance can be disclosed, but information that pertains to other employees or confidential strategies may be excluded.
- Emails: Any emails containing personal opinions about other employees or confidential business matters may be partially redacted.
- Medical Information: If medical records pertain to other individuals or involve confidential information not directly related to the subject access request, that information can be excluded.
Subject access requests are an essential tool for employees and individuals seeking transparency about the data that is held on them. There are specific exclusions under the GDPR as listed above to protect the privacy of other people. It’s important for both employers and employees to understand these exclusions to avoid any misunderstandings or disputes.
If you are navigating a SAR, whether as an employee or an employer, understanding what can and cannot be shared is crucial. For more information on how to handle data protection and employment law, you can contact us at Premier Legal.
If you are looking for specific guidance on employer or employee rights, visit our pages on employers and employees.