The ICO have updated their guidance on refusing Subject Access Requests (SARs).
Anyone working within the field of data protection will be aware how painful dealing with SARs can be. This welcome guidance provides further information on when organisations can refuse or partially refuse a SAR under the UK GDPR. Assistance for assessing whether to disclose information relating to a third party is also included.
Further details here.
Key takeaways:
- A number of exceptions may apply to the right to access, and these need to be considered carefully in relation to each SAR. Document decisions case by case.
- Some exemptions apply because of the nature of the personal information (e.g. confidential references); others apply because disclosing the data could prejudice your purpose or function, such as compromising a person’s position in a negotiation, or legal privilege.
- A request is not necessarily excessive just because the person requests a large amount of information; consider all the circumstances of the request.
- There remains a high threshold for relying on the manifestly unfounded or excessive provisions. You can demonstrate that the provision generally applies by referencing supporting factors.
- A 3-step guide is provided by the ICO to assist when deciding whether to disclose information that identifies another person, including information known generally.
- Consider the context of third-party information: for example, information about a member of staff acting in the course of their duties, whom the data subject knows well through their previous dealings, is more likely to be disclosed than information relating to an anonymous person.
Contact our data team if, as an organisation, you need assistance in navigating this area, or if, as an individual, you need assistance in making a successful request.