SAR Exemptions Explained — When Organisations Can Legally Refuse
You've made a Subject Access Request and the organisation says they can't — or won't — provide some or all of your data. Are they allowed to do this?
Sometimes, yes. UK GDPR and the Data Protection Act 2018 include specific exemptions that allow organisations to withhold certain personal data. But these exemptions are limited, and organisations often claim them incorrectly or too broadly.
This guide explains the main SAR exemptions, when they legitimately apply, and how to challenge an organisation that's wrongly refusing your request.
The Key Principle
Exemptions should be applied narrowly and specifically. An exemption covering some data doesn't excuse an organisation from providing the rest. They must still respond within one month, explain which exemptions apply and why, and provide all non-exempt data.
Legitimate SAR Exemptions
Legal Professional Privilege
VALID EXEMPTION
Organisations can withhold data that's subject to legal professional privilege — essentially, confidential communications with lawyers for the purpose of getting legal advice or in connection with legal proceedings.
This covers:
- Advice from solicitors about potential claims against you
- Internal discussions about legal strategy
- Documents prepared for litigation
Example: Your employer's HR team emails their solicitor asking "Can we dismiss this employee?" and receives advice back. Both emails are likely privileged and can be withheld.
Third Party Data
VALID EXEMPTION
If your data is mixed with someone else's personal data, the organisation can redact the third party's information — but only if disclosing it would breach that person's privacy and it's not reasonable to disclose without their consent.
Important: They must still provide your data. The third party exemption only covers the other person's information.
Example: You request emails about you. One email says "John complained about Sarah's performance." If you're Sarah, you get the email but John's name might be redacted. If you're John, you'd get it with Sarah's name redacted.
Crime Prevention and Detection
VALID EXEMPTION
Data can be withheld if disclosure would be likely to prejudice the prevention or detection of crime, or the apprehension or prosecution of offenders.
This exemption is often claimed by:
- Police forces during ongoing investigations
- Fraud investigation teams
- Organisations investigating internal misconduct
Example: A bank suspects you of fraud and is investigating. They can withhold data that would tip you off to the investigation or reveal their detection methods.
Confidential References
VALID EXEMPTION
References given in confidence for education, training, or employment purposes can be withheld by the organisation that gave the reference. However:
- The organisation that received the reference usually cannot claim this exemption
- If the reference was not given in confidence, the exemption doesn't apply
Example: You ask your old employer for the reference they gave to your new employer. They can refuse. But if you ask your new employer for the reference they received, they probably have to provide it (with appropriate redactions).
Negotiations
VALID EXEMPTION
Data consisting of records of the organisation's intentions in negotiations with you can be withheld if disclosure would prejudice those negotiations.
Example: You're in a dispute with your employer about a pay rise. They can withhold internal emails saying "We're prepared to offer up to £5,000 but let's start at £2,000."
Manifestly Unfounded or Excessive Requests
VALID EXEMPTION
Organisations can refuse requests that are "manifestly unfounded or excessive." But this is a high threshold:
- Manifestly unfounded: The requester clearly has no genuine interest in their data — e.g., making requests to harass staff
- Excessive: Usually means repetitive requests for the same data
A request is NOT unfounded just because:
- It's inconvenient or time-consuming
- The person might use the data in litigation
- The relationship has broken down
- The organisation doesn't like the requester
Common Invalid Excuses
Organisations often claim exemptions that don't actually exist or misapply legitimate ones. Watch out for these:
"It's commercially sensitive"
There is no general "commercial sensitivity" exemption for SARs. Your personal data doesn't stop being your personal data just because it's commercially valuable to the organisation.
"It would take too long"
The effort involved is not grounds for refusal. If the request is genuinely complex, they can extend the deadline to three months — but they must still comply.
"You might use it in court"
This is not a valid reason to refuse. People often make SARs precisely because they're considering legal action. That's a legitimate use of your data rights.
"We've already given you everything"
If you believe they hold more data, you can challenge this. Ask them to confirm what searches they conducted and what systems they checked.
"It's management information"
There's no "management information" exemption. If the data is about you, it's your personal data, regardless of who created it or why.
What Organisations Must Do When Claiming Exemptions
Even when exemptions legitimately apply, organisations must:
- Respond within one month (or three months if extended)
- Tell you which exemptions they're relying on
- Explain why the exemption applies (in general terms)
- Provide all non-exempt data
- Inform you of your right to complain to the ICO
A blanket refusal without explanation is not acceptable.
How to Challenge a Refusal
If you believe an exemption has been wrongly applied:
- Write back asking them to explain specifically why the exemption applies to each piece of withheld data
- Challenge their reasoning if it doesn't match the legal requirements
- Complain to the ICO if they maintain their refusal
- Consider court action under section 167 of the Data Protection Act 2018
Burden of Proof
The organisation must prove that an exemption applies — the burden is on them, not you. If they can't demonstrate that the specific requirements of an exemption are met, they should provide the data.
Need Help Challenging a SAR Refusal?
Clear Draft can help you draft a formal challenge letter or ICO complaint if an organisation has wrongly refused your Subject Access Request.