Facit Data Systems
What to do if your Subject Access Request is Refused

If you’ve faced a subject access request refusal, don’t worry, you have rights, and ways and means to challenge the decision if necessary. Here we look at grounds for SAR refusal and the steps you can take to continue and advance your request.
Posted in: Articles, Compliance, DSARs

Have You Had a Subject Access Request Refused? Here’s What You Need to Know

As compliance experts, we often hear about individuals who have had their Subject Access Request (SAR, sometimes DSAR) refused and are left wondering what to do next. If you’ve faced this situation, don’t worry, you have rights, and there are steps you can take to challenge the decision if necessary. Let’s break it down step by step.

What is a Subject Access Request (SAR)?

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, individuals have the right to access personal data that an organisation holds about them. This is known as the right of access, and it allows individuals to:

  • Confirm whether an organisation is processing their personal data.

  • Obtain a copy of that data.

  • Understand how and why their data is being used.

To exercise this right, individuals submit a Subject Access Request (SAR) to the organisation holding their data. The organisation must respond within one month, although this can be extended by up to two additional months for complex requests.

Can an Organisation Refuse a Subject Access Request?

Yes, but only in specific circumstances. An organisation can refuse to comply with a SAR if:

  • The request is manifestly unfounded or excessive (e.g., repeated requests with no legitimate purpose).

  • The requested data contains third-party personal data, and disclosing it would infringe on another person’s rights.

  • The request falls under certain exemptions in the Data Protection Act 2018 (e.g., legal privilege, crime prevention or national security concerns).

  • The organisation is legally prohibited from disclosing the data (e.g., owing to court orders or confidentiality agreements).

If an organisation refuses a SAR, the organisation must:

  • Inform you of the refusal without undue delay and within one month.

  • Explain their reasons for refusal.

  • Advise you of your right to complain to the Information Commissioner’s Office (ICO) and seek a judicial remedy.

Although an organisation may give you what sound like justifiable reasons for refusing a request for data, these are not hard-and-fast grounds for refusal.

For example, a blanket refusal to fulfil subject access requests on the grounds of third-party data is unacceptable and would not bear legal scrutiny.

You will need to assess whether an organisation is simply side-stepping your subject access request by citing elements such as third-party data or lack of resources. Regrettably, the default position of some organisations is that they do not respond to SARs.


Is Third-Party Information Grounds for Refusing a Subject Access Request?

While data containing third-party information does raise complexities in responding to a subject access request, it is not grounds for outright refusal.

Organisations must still comply, but with the caveat that they need to balance the requester's right of access with the rights and freedoms of the third party involved.

The organisation to which you have submitted a request should be able to redact (mask or remove) third-party data in documents, emails or video in order to meet your request to supply your personal data without compromising the privacy of others. The ICO recommends the use of redaction to fulfil SARs.

Refusal on the Grounds of Manifestly Unfounded or Excessive Requests

The Information Commissioner’s Office (ICO) provides useful guidance on what constitutes a manifestly unfounded or excessive Subject Access Request. One example of an unfounded request is when an individual attempts to leverage their SAR for financial gain by offering to withdraw it in exchange for payment.

When it comes to excessive requests, the ICO illustrates this with a scenario involving a small business with only four employees. Suppose the business receives a SAR that would require reviewing 3,000 emails. The ICO suggests a practical approach, which includes:

  • Asking the individual to clarify and refine their request to focus on specific data.

Legal precedent suggests that the reasonableness and proportionality of SAR-related efforts depend on the size and capabilities of the data controller. While a condensed summary might be suitable for micro-businesses, larger companies may still be expected to conduct more thorough searches and disclosures.

If your subject access request is refused on the grounds of being unfounded or excessive, and you know that it is reasonable and proportionate, be prepared to continue your request by refining it to reduce complexity, or persisting with the original request.

Redaction/Withholding Other People’s Personal Data

The latest guidance from the ICO clarifies the Data Protection Act (DPA) exemption that protects the privacy rights of others, often called the “mixed personal data” exemption. This exemption allows data controllers, including employers, to decide whether it is reasonable to disclose or withhold information that contains details about multiple individuals.

The ICO provides a practical example involving salary review data. If an employer conducts a salary review comparing multiple employees, they would typically provide an individual with details of their own pay review. However, any comparison data relating to colleagues would likely be withheld to protect their privacy.

Ultimately, organisations have discretion in determining what is appropriate based on the circumstances, balancing transparency with the need to safeguard third-party personal information.

However, “mixed personal data” does not stack up as an excuse for refusing a SAR when it is likely that your personal data can be supplied without compromising the privacy rights of others. Either extraction or redaction is usually practicable.

How to Make CCTV Footage Subject Access Requests

ICO guidance reminds employers that CCTV footage can contain personal data relating to members of staff or the public, and as such it may be necessary to search CCTV recordings when responding to a SAR.

In our experience, this is only necessary when the individual specifically requests CCTV footage as part of their SAR, and in our view, it is reasonable to ask the requester to clarify dates and times of the footage they are seeking.

A request for clarification makes sense because it can be particularly laborious to locate and extract an individual’s personal data from still photographs or video footage (potentially including audio too) while redacting third parties’ images.

You should not accept a refusal of your subject access request on the grounds of inability to redact. The data-holding organisation is responsible for meeting your access rights as well as for protecting the personal data of others whose data it holds.

What to Do If Your SAR Is Refused?

If your SAR has been refused, here’s a step-by-step approach to challenging the decision:

1. Review the Organisation’s Response

Check the response carefully to understand why your request was refused. Did they cite a valid exemption? Did they explain their reasoning? Were they within the legal timeframe?

2. Clarify Your Request

If your request was deemed excessive or unclear, consider narrowing the scope. This might help the organisation process your request without objections.

3. Challenge the Refusal Internally

Most organisations have a complaints or escalation process. If you believe the refusal was unjustified, write to the organisation asking them to reconsider, referencing GDPR rules and your right of access.

4. Escalate to the Information Commissioner’s Office (ICO)

If internal resolution fails, you can file a complaint with the ICO, the UK’s independent regulator for data protection. The ICO will assess whether the organisation has acted lawfully and may instruct it to comply with your request if necessary. You can contact the ICO by live chat, by email or by telephone on 0303 123 1113.

If the ICO’s intervention doesn’t resolve the issue, you have the right to seek legal action through the courts. This is generally a last resort but can be effective in cases where an organisation has unlawfully denied access to personal data.

What Organisations Must Do When Handling SARs

To remain compliant with GDPR, organisations must:

  • Respond within one month (or inform you of an extension within that timeframe).

  • Provide a copy of your personal data in a commonly used format.

  • Explain how and why your data is being processed.

  • Inform you of your rights, including your right to rectify inaccuracies or request deletion where applicable.

Final Thoughts on Responding to a SAR Refusal

Having a subject access request refused can be frustrating, but you are not powerless. Understanding your rights and following the correct steps can help you challenge an unjust refusal. Whether it’s through internal escalation, regulatory complaints or legal action, you have avenues to ensure your personal data rights are upheld.

If you’re unsure about how to proceed, consulting a data protection specialist or the ICO can help clarify your next steps. Your personal data belongs to you and GDPR ensures that you have a right to access it.

Can Organisations Charge a Fee for DSARs?

Under the UK GDPR, organisations generally cannot charge a fee for responding to a Data Subject Access Request (DSAR). The previous £10 fee that was allowed under the Data Protection Act 1998 was removed when the GDPR came into effect in 2018.

However, there are exceptions where a fee can be charged:

Additional Copies of Data

If a data subject requests multiple copies of the same information, a reasonable charge may apply.

Health Sector Fees

The health sector has specific exemptions under UK GDPR and the Data Protection Act 2018. Medical records are often extensive, require professional redaction and are regulated by additional laws such as the Access to Health Records Act 1990. The NHS and private healthcare providers can charge for physical copies of health records, but digital copies are usually provided free of charge.

Commercial Operations and Fees

Commercial businesses, such as retailers and shopping centres, generally cannot charge for SARs because they do not handle special category data (such as medical records). Instead, their data processing is often limited to transaction history, CCTV footage or loyalty card information, which does not require the same level of effort to retrieve and redact.

Why Do People Submit Subject Access Requests?

People commonly submit SARs to gain insight into and control over the personal data that organisations hold about them: to verify that the data is accurate, to understand how it is being used, and potentially to request correction or erasure of inaccurate or outdated information.

In recent years, an increase in SARs has been driven by several factors. Employees have sought information from employers during unsettled times, such as the COVID-19 pandemic. There are also more SARs requesting video footage to support insurance claims and other disputes. Most recently, the wider deployment of body-worn cameras has led to an increase in requests for video and audio.

Common Ways to Submit a Subject Access Request

You have many options when it comes to submitting your subject access request. The most common forms of a SAR are submitted verbally or in writing, including through email, social media or by filling out a form on a website. 

Here's a more detailed explanation:

Verbal Requests
Individuals can make a SAR over the phone, face-to-face, or verbally through other channels. 

Written Requests
SARs can be submitted via email, letter or through social media. 

Online Forms
Many organisations have online portals or forms for submitting SARs, which can be a convenient and efficient way to make a request. 

No Specific Format Required
SARs don't need to follow a specific format or use specific language, and the individual doesn't need to mention any legislation. 

Anyone Can Make a Request
An individual can make a SAR themselves or they can ask someone else (such as a relative, friend or solicitor) to make the request on their behalf. 

Proof of Authority
If a third party makes a request on behalf of an individual, the third party needs to provide evidence that they are entitled to do so. 

The Availability of Advanced Redaction Tools

Facit’s redaction tools for documents, video and audio data masking are designed to help organisations to adhere to privacy laws and, by extension, to help them to fulfil your subject access requests.

Our advanced redaction solutions are fast, accurate and cost-effective. Refusal to fulfil your subject access request on the grounds of an inability to remove third-party data is unacceptable. Should you encounter a SAR refusal on these grounds, seek the recommended support and persist with your request.
