A guide to the data protection exemptions

Latest updates

8 March 2024 - We have updated this guidance to reflect a legislative amendment to the immigration exemption that came into force on 8 March 2024.

28 November 2023 - We have made updates to the section ‘Functions designed to protect the public’. The guidance now makes clear that this exemption can apply if you handle personal data to perform one of six functions designed to protect the public, or to enable another body to perform those functions. It also makes clear that if you can comply with these provisions and discharge your functions (or enable the relevant body to discharge their functions) as normal, you must do so.

19 May 2023 - We have broken the Guide to the UK GDPR down into smaller guides. All the content stays the same.

At a glance

  • The UK GDPR and the Data Protection Act 2018 set out exemptions from some of the rights and obligations in some circumstances.
  • Whether or not you can rely on an exemption often depends on why you process personal data.
  • You should not routinely rely on exemptions; you should consider them on a case-by-case basis.
  • You should justify and document your reasons for relying on an exemption.
  • If no exemption covers what you do with personal data, you need to comply with the UK GDPR as normal.

Checklists

Exemptions

We consider whether we can rely on an exemption on a case-by-case basis.

Where appropriate, we carefully consider the extent to which the relevant UK GDPR requirements would be likely to prevent, seriously impair, or prejudice the achievement of our processing purposes.

We justify and document our reasons for relying on an exemption.

When an exemption does not apply (or no longer applies) to our processing of personal data, we comply with the UK GDPR’s requirements as normal.

In brief

What are exemptions?

In some circumstances, the DPA 2018 provides an exemption from particular UK GDPR provisions. If an exemption applies, you may not have to comply with all the usual rights and obligations.

There are several different exemptions; these are detailed in Schedules 2-4 of the DPA 2018. They add to and complement a number of exceptions already built into certain UK GDPR provisions.

This part of the Guide focuses on the exemptions in Schedules 2-4 of the DPA 2018. We give guidance on the exceptions built into the UK GDPR in the parts of the Guide that relate to the relevant provisions.

The exemptions in the DPA 2018 can relieve you of some of your obligations for things such as:

  • the right to be informed;
  • the right of access;
  • dealing with other individual rights;
  • reporting personal data breaches; and
  • complying with the principles.

Some exemptions apply to only one of the above, but others can exempt you from several things.

Some things are not listed here as exemptions, although in practice they work a bit like an exemption. This is simply because they are not covered by the UK GDPR. Here are some examples:

  • Domestic purposes – personal data processed in the course of a purely personal or household activity, with no connection to a professional or commercial activity, is outside the UK GDPR’s scope. This means that if you only use personal data for such things as writing to friends and family or taking pictures for your own enjoyment, you are not subject to the UK GDPR.
  • Law enforcement – the processing of personal data by competent authorities for law enforcement purposes is outside the UK GDPR’s scope (e.g. the Police investigating a crime). Instead, this type of processing is subject to the rules in Part 3 of the DPA 2018. See our Guide to Law Enforcement Processing for further information.
  • Intelligence services processing – personal data processed by the intelligence services (e.g. MI5) and their processors is outside the UK GDPR’s scope. Instead, this type of processing is subject to the rules in Part 4 of the DPA 2018. See our Guide to Intelligence Services Processing for further information.

How do exemptions work?

Whether or not you can rely on an exemption generally depends on your purposes for processing personal data.

Some exemptions apply simply because you have a particular purpose. But others only apply to the extent that complying with the UK GDPR would:

  • be likely to prejudice your purpose (e.g. have a damaging or detrimental effect on what you are doing); or
  • prevent or seriously impair you from processing personal data in a way that is required or necessary for your purpose.

Exemptions should not routinely be relied upon or applied in a blanket fashion. You must consider each exemption on a case-by-case basis.

If an exemption does apply, sometimes you will be obliged to rely on it (for instance, if complying with UK GDPR would break another law), but sometimes you can choose whether or not to rely on it.

In line with the accountability principle, you should justify and document your reasons for relying on an exemption so you can demonstrate your compliance.

If you cannot identify an exemption that covers what you are doing with personal data, you must comply with the UK GDPR as normal.

What exemptions are available?

Crime, law and public protection

Regulation, parliament and the judiciary

Journalism, research and archiving

Health, social work, education and child abuse

Finance, management and negotiations

References and exams

Subject access requests – information about other people

National security and defence

Crime and taxation: general

There are two parts to this exemption. The first part can apply if you process personal data for the purposes of:

  • the prevention and detection of crime;
  • the apprehension or prosecution of offenders; or
  • the assessment or collection of a tax or duty or an imposition of a similar nature.

It exempts you from the UK GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling;
  • notifying individuals of personal data breaches;
  • the lawfulness, fairness and transparency principle, except the requirement for processing to be lawful;
  • the purpose limitation principle; and
  • all the other principles, but only so far as they relate to the right to be informed and the other individual rights.

But the exemption only applies to the extent that complying with these provisions would be likely to prejudice your purposes of processing. If this is not so, you must comply with the UK GDPR as normal.

Example

A bank conducts an investigation into suspected financial fraud. The bank wants to pass its investigation file, including the personal data of several customers, to the National Crime Agency (NCA) for further investigation. The bank’s investigation and proposed disclosure to the NCA are for the purposes of the prevention and detection of crime. The bank decides that, were it to inform the individuals in question about this processing of their personal data, this would be likely to prejudice the investigation because they might abscond or destroy evidence. So the bank relies on the crime and taxation exemption and, in this case, does not comply with the right to be informed.

The second part of this exemption applies when another controller obtains personal data processed for any of the purposes mentioned above for the purposes of discharging statutory functions. The controller that obtains the personal data is exempt from the UK GDPR provisions below to the same extent that the original controller was exempt:

  • The right to be informed.
  • The right of access.
  • All the principles, but only so far as they relate to the right to be informed and the right of access.

Note that if you are a competent authority processing personal data for law enforcement purposes (e.g. the Police conducting a criminal investigation), your processing is subject to the rules of Part 3 of the DPA 2018. See our Guide to Law Enforcement Processing for information on how individual rights may be restricted when personal data is processed for law enforcement purposes by competent authorities.

Crime and taxation: risk assessment

This exemption can apply to personal data in a classification applied to an individual as part of a risk assessment system.

The risk assessment system must be operated by a government department, local authority, or another authority administering housing benefit, for the purposes of:

  • the assessment or collection of a tax or duty; or
  • the prevention or detection of crime or the apprehension or prosecution of offenders, where the offence involves the unlawful use of public money or an unlawful claim for payment out of public money.

It exempts you from the UK GDPR’s provisions on:

  • the right to be informed;
  • the right of access;
  • all the principles, but only so far as they relate to the right to be informed and the right of access.

But the exemption only applies to the extent that complying with these provisions would prevent the risk assessment system from operating effectively. If this is not so, you must comply with these provisions as normal.

Information required to be disclosed by law or in connection with legal proceedings

This exemption has three parts. The first part can apply if you are required by law to make personal data available to the public.

It exempts you from the UK GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling;
  • the lawfulness, fairness and transparency principle, except the requirement for processing to be lawful;
  • the purpose limitation principle; and
  • all the other principles, but only so far as they relate to the right to be informed and the other individual rights.

But the exemption only applies to the extent that complying with these provisions would prevent you meeting your legal obligation to make personal data publicly available.

Example

The Registrar of Companies is legally obliged to maintain a public register of certain information about companies, including the names and (subject to certain restrictions) addresses of company directors. A director asks to exercise his right to erasure by having his name and address removed from the register. The Registrar does not need to comply with the request, as doing so would prevent the Registrar meeting his legal obligation to make that information publicly available.

The second part of this exemption can apply if you are required by law, or court order, to disclose personal data to a third party. It exempts you from the same provisions as above, but only to the extent that complying with those provisions would prevent you disclosing the personal data.

Example

An employer receives a court order to hand over the personnel file of one of its employees to an insurance company for the assessment of a claim. Normally, the employer would not be able to disclose this information because doing so would be incompatible with the original purposes for collecting the data (contravening the purpose limitation principle). However, on this occasion the employer is exempt from the purpose limitation principle’s requirements, because complying with them would prevent the employer disclosing personal data that it is required to disclose by the court order.

The third part of this exemption can apply if it is necessary for you to disclose personal data for the purposes of, or in connection with:

  • legal proceedings, including prospective legal proceedings;
  • obtaining legal advice; or
  • establishing, exercising or defending legal rights.

It exempts you from the same provisions as above, but only to the extent that complying with them would prevent you disclosing the personal data. If complying with these provisions would not prevent the disclosure, you cannot rely on the exemption.

Example

A primary school collects information about the parents of the children who attend the school. The school has informed the parents that they will only use their personal data for specified purposes related to the care, welfare and education of their children.

However, a dispute has arisen between a teacher and one of the parents of a 7-year-old child. The matter escalates, and the parent makes a number of allegations against the teacher. The school is concerned that the parent’s behaviour is threatening and abusive, and decides to take legal action against them. The parent writes to the school and asks it not to share their information with any other organisation or individual.

The school relies on the exemption to the extent that complying with the request, and complying with the purpose limitation principle, would prevent it from disclosing the information to its solicitor.

Legal professional privilege

This exemption applies if you process personal data:

  • to which a claim to legal professional privilege (or confidentiality of communications in Scotland) could be maintained in legal proceedings; or
  • in respect of which a duty of confidentiality is owed by a professional legal adviser to their client.

It exempts you from the UK GDPR’s provisions on:

  • the right to be informed;
  • the right of access; and
  • all the principles, but only so far as they relate to the right to be informed and the right of access.

Self incrimination

This exemption can apply if complying with the UK GDPR provisions below would reveal evidence that you have committed an offence.

It exempts you from the UK GDPR’s provisions on:

  • the right to be informed;
  • the right of access; and
  • all the principles, but only so far as they relate to the right to be informed and the right of access.

But the exemption only applies to the extent that complying with these provisions would expose you to proceedings for the offence.

This exemption does not apply to an offence under the DPA 2018 or an offence regarding false statements made otherwise than on oath.

But any information you do provide to an individual in response to a subject access request is not admissible against you in proceedings for an offence under the DPA 2018.

Disclosure prohibited or restricted by an enactment

Five separate exemptions apply to personal data that is prohibited or restricted from disclosure by an enactment.

Each of them exempts you from the UK GDPR’s provisions on:

  • the right of access; and
  • all the principles, but only so far as they relate to the right of access.

But the exemptions only apply to personal data restricted or prohibited from disclosure by certain specific provisions of enactments covering:

  • human fertilisation and embryology;
  • adoption;
  • special educational needs;
  • parental orders; and
  • children’s hearings.

If you think any of these exemptions might apply to your processing of personal data, see Schedule 4 of the DPA 2018 for full details of the enactments that are covered.

Immigration

This exemption can apply to certain rights if complying with those rights would be likely to prejudice effective immigration control.

The exemption can only be applied by the Secretary of State (including the Home Office and its agencies) when processing data for the purposes of maintaining effective immigration control, including investigatory/detection work (the immigration purposes).

The exemption is not available to other controllers who liaise with the Home Office on immigration matters.

It can exempt the Secretary of State from the UK GDPR’s provisions on:

  • the right to be informed;
  • the right of access;
  • the right to erasure;
  • the right to restrict processing;
  • the right to object;
  • all the principles, but only so far as they relate to the rights to be informed, of access, to erasure, to restrict processing and to object.

But the exemption only applies to the extent that applying these provisions would be likely to prejudice processing for the immigration purposes. If not, the exemption does not apply.

The Secretary of State must apply the exemption on a case-by-case basis, and balance the risk to immigration control against the risks to the person’s rights and freedoms (taking into account their potential vulnerabilities). They must only apply the exemption if it is necessary and proportionate in that particular case.

The Secretary of State is required to keep records of the use of the exemption and to inform individuals that the exemption has been applied unless it would be prejudicial to immigration purposes to inform them.

There is no longer any requirement for the Secretary of State to have an immigration exemption policy document in place.

Further reading

The ICO has produced detailed guidance on the immigration exemption.

Functions designed to protect the public

This exemption can apply if you handle personal data to perform one of six functions designed to protect the public, or to enable another body to perform those functions.

The first four functions must: be conferred on a person by enactment; be a function of the Crown, a Minister of the Crown or a government department; or be of a public nature and exercised in the public interest. These functions are:

  1. to protect the public against financial loss due to the seriously improper conduct (or unfitness, or incompetence) of financial services providers, or in the management of bodies corporate, or due to the conduct of bankrupts;
  2. to protect the public against seriously improper conduct (or unfitness, or incompetence);
  3. to protect charities or community interest companies against misconduct or mismanagement in their administration, to protect the property of charities or community interest companies from loss or misapplication, or to recover the property of charities or community interest companies; or
  4. to secure workers’ health, safety and welfare or to protect others against health and safety risks in connection with (or arising from) someone at work.

The fifth function must be conferred by enactment on: the Parliamentary Commissioner for Administration; the Commissioner for Local Administration in England; the Health Service Commissioner for England; the Public Services Ombudsman for Wales; the Northern Ireland Public Services Ombudsman; the Prison Ombudsman for Northern Ireland; or the Scottish Public Services Ombudsman. This function is:

  1. to protect the public from maladministration, or a failure in services provided by a public body, or from the failure to provide a service that it is a function of a public body to provide.

The sixth function must be conferred by enactment on the Competition and Markets Authority. This function is:

  1. to protect members of the public from business conduct adversely affecting them, to regulate conduct (or agreements) preventing, restricting or distorting commercial competition, or to regulate undertakings abusing a dominant market position.

If you process personal data for any of the above functions, you are exempt from the UK GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling; and
  • all the principles, but only so far as they relate to the right to be informed and the other individual rights.

But the exemption only applies to the extent that complying with these provisions would be likely to prejudice the proper discharge of those functions. If you can comply with these provisions and discharge your functions (or enable the relevant body to discharge their functions) as normal, you must do so.

Audit functions

This exemption can apply if you process personal data for the purposes of discharging a function conferred by enactment on:

  • the Comptroller and Auditor General;
  • the Auditor General for Scotland;
  • the Auditor General for Wales; or
  • the Comptroller and Auditor General for Northern Ireland.

It exempts you from the UK GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling; and
  • all the principles, but only so far as they relate to the right to be informed and the other individual rights.

But the exemption only applies to the extent that complying with these provisions would be likely to prejudice the proper discharge of your functions. If it does not, you must comply with the UK GDPR as normal.

Bank of England functions

This exemption can apply if you process personal data for the purposes of discharging a function of the Bank of England:

  • in its capacity as a monetary authority;
  • that is a public function (within the meaning of Section 349 of the Financial Services and Markets Act 2000); or
  • that is conferred on the Prudential Regulation Authority by enactment.

It exempts you from the UK GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling; and
  • all the principles, but only so far as they relate to the right to be informed and the other individual rights.

But the exemption only applies to the extent that complying with these provisions would be likely to prejudice the proper discharge of your functions. If this is not so, the exemption does not apply.

Regulatory functions relating to legal services, the health service and children’s services

This exemption can apply if you process personal data for the purposes of discharging a function of:

  • the Legal Services Board;
  • considering a complaint under:
    • Part 6 of the Legal Services Act 2007,
    • Section 14 of the NHS Redress Act 2006,
    • Section 113(1) or (2), or Section 114(1) or (3) of the Health and Social Care (Community Health and Standards) Act 2003,
    • Section 24D or 26 of the Children Act 1989, or
    • Part 2A of the Public Services Ombudsman (Wales) Act 2005; or
  • considering a complaint or representations under Chapter 1, Part 10 of the Social Services and Well-being (Wales) Act 2014.

It exempts you from the UK GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling; and
  • all the principles, but only so far as they relate to the right to be informed and the other individual rights.

But the exemption only applies to the extent that complying with these provisions would be likely to prejudice the proper discharge of your functions. If you can comply with these provisions and discharge your functions as normal, you cannot rely on the exemption.

Other regulatory functions

This exemption can apply if you process personal data for the purpose of discharging a regulatory function conferred under specific, listed legislation on any one of 14 bodies and persons. These are:

  • the Information Commissioner;
  • the Scottish Information Commissioner;
  • the Pensions Ombudsman;
  • the Board of the Pension Protection Fund;
  • the Ombudsman for the Board of the Pension Protection Fund;
  • the Pensions Regulator;
  • the Financial Conduct Authority;
  • the Financial Ombudsman;
  • the investigator of complaints against the financial regulators;
  • a consumer protection enforcer (other than the Competition and Markets Authority);
  • the monitoring officer of a relevant authority;
  • the monitoring officer of a relevant Welsh authority;
  • the Public Services Ombudsman for Wales; or
  • the Charity Commission.

It exempts you from the UK GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling; and
  • all the principles, but only so far as they relate to the right to be informed and the other individual rights.

But the exemption only applies to the extent that complying with these provisions would be likely to prejudice the proper discharge of your function. If this is not so, you must comply with these provisions as you normally would.

Parliamentary privilege

This exemption can apply if it is required to avoid the privileges of either House of Parliament being infringed.

It exempts you from the UK GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling;
  • the communication of personal data breaches to individuals; and
  • all the principles, but only so far as they relate to the right to be informed and the other individual rights.

But if you can comply with these provisions without infringing parliamentary privilege, you must do so.

Judicial appointments, independence and proceedings

This exemption applies if you process personal data:

  • for the purposes of assessing a person’s suitability for judicial office or the office of Queen’s Counsel;
  • as an individual acting in a judicial capacity; or
  • as a court or tribunal acting in its judicial capacity.

It exempts you from the UK GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling; and
  • all the principles, but only so far as they relate to the right to be informed and the other individual rights.

Additionally, even if you do not process personal data for the reasons above, you are also exempt from the same provisions of the UK GDPR to the extent that complying with them would be likely to prejudice judicial independence or judicial proceedings.

Crown honours, dignities and appointments

This exemption applies if you process personal data for the purposes of:

  • conferring any honour or dignity by the Crown; or
  • assessing a person’s suitability for any of the following offices:
    • archbishops and diocesan and suffragan bishops in the Church of England,
    • deans of cathedrals of the Church of England,
    • deans and canons of the two Royal Peculiars,
    • the First and Second Church Estates Commissioners,
    • lord-lieutenants,
    • Masters of Trinity College and Churchill College, Cambridge,
    • the Provost of Eton,
    • the Poet Laureate, or
    • the Astronomer Royal.

It exempts you from the UK GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling; and
  • all the principles, but only so far as they relate to the right to be informed and the other individual rights.

Journalism, academia, art and literature

This exemption can apply if you process personal data for:

  • journalistic purposes;
  • academic purposes;
  • artistic purposes; or
  • literary purposes.

Together, these are known as the ‘special purposes’.

The exemption relieves you from your obligations regarding the UK GDPR’s provisions on:

  • all the principles, except the security and accountability principles;
  • the lawful bases;
  • the conditions for consent;
  • children’s consent;
  • the conditions for processing special categories of personal data and data about criminal convictions and offences;
  • processing not requiring identification;
  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling;
  • the communication of personal data breaches to individuals;
  • consultation with the ICO for high risk processing;
  • international transfers of personal data; and
  • cooperation and consistency between supervisory authorities.

But the exemption only applies to the extent that:

  • as controller for the processing of personal data, you reasonably believe that compliance with these provisions would be incompatible with the special purposes (this must be more than just an inconvenience);
  • the processing is being carried out with a view to the publication of some journalistic, academic, artistic or literary material; and
  • you reasonably believe that the publication of the material would be in the public interest, taking into account the special importance of the general public interest in freedom of expression, any specific public interest in the particular subject, and the potential to harm individuals.

When deciding whether it is reasonable to believe that publication would be in the public interest, you must (if relevant) have regard to:

  • the BBC Editorial Guidelines;
  • the Ofcom Broadcasting Code; and
  • the Editors’ Code of Practice.

We expect you to be able to explain why the exemption is required in each case, and how and by whom this was considered at the time. The ICO does not have to agree with your view – but we must be satisfied that you had a reasonable belief.

Research and statistics

This exemption can apply if you process personal data for:

  • scientific or historical research purposes; or
  • statistical purposes.

It is unlikely to apply to the processing of personal data for commercial research purposes such as market research or customer satisfaction surveys, unless you can demonstrate that this research uses rigorous scientific methods and furthers a general public interest.

It exempts you from the UK GDPR’s provisions on:

  • the right of access;
  • the right to rectification;
  • the right to restrict processing; and
  • the right to object.

The UK GDPR also provides exceptions from its provisions on the right to be informed (for indirectly collected data) and the right to erasure.

But the exemption and the exceptions only apply:

  • to the extent that complying with the provisions above would prevent or seriously impair the achievement of the purposes for processing;
  • if the processing is subject to appropriate safeguards for individuals’ rights and freedoms (see Article 89(1) of the UK GDPR – among other things, you must implement data minimisation measures);
  • if the processing is not likely to cause substantial damage or substantial distress to an individual;
  • if the processing is not used for measures or decisions about particular individuals, except for approved medical research; and
  • as regards the right of access, the research results are not made available in a way that identifies individuals.

Additionally, the UK GDPR contains specific provisions that adapt the application of the purpose limitation and storage limitation principles when you process personal data for scientific or historical research purposes, or statistical purposes. See the Guide pages on these principles for more detail.

Archiving in the public interest

This exemption can apply if you process personal data for archiving purposes in the public interest.

It exempts you from the UK GDPR’s provisions on:

  • the right of access;
  • the right to rectification;
  • the right to restrict processing;
  • the obligation to notify others regarding rectification, erasure or restriction;
  • the right to data portability; and
  • the right to object.

The UK GDPR also provides exceptions from its provisions on the right to be informed (for indirectly collected data) and the right to erasure.

But the exemption and the exceptions only apply:

  • to the extent that complying with the provisions above would prevent or seriously impair the achievement of the purposes for processing;
  • if the processing is subject to appropriate safeguards for individuals’ rights and freedoms (see Article 89(1) of the UK GDPR – among other things, you must implement data minimisation measures);
  • if the processing is not likely to cause substantial damage or substantial distress to an individual; and
  • if the processing is not used for measures or decisions about particular individuals, except for approved medical research.

Additionally, the UK GDPR contains specific provisions that adapt the application of the purpose limitation and storage limitation principles when you process personal data for archiving purposes in the public interest. See the Guide pages on these principles for more detail.

Further reading – The National Archives

The National Archives is the official archive and publisher for the UK Government and for England and Wales. It has published a detailed guide to archiving personal data.

Further reading – ICO guidance

The ICO has produced guidance on the research provisions.

Health data – processed by a court

This exemption can apply to health data (personal data concerning health) that is processed by a court.

It exempts you from the UK GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling; and
  • all the principles, but only so far as they relate to the right to be informed and the other individual rights.

But the exemption only applies if the health data is:

  • supplied in a report or evidence given to the court in the course of proceedings; and
  • those proceedings are subject to certain specific statutory rules that allow the data to be withheld from the individual it relates to.

If you think this exemption might apply to your processing of personal data, see paragraph 3(2) of Schedule 3, Part 2 of the DPA 2018 for full details of the statutory rules.

Health data – an individual’s expectations and wishes

This exemption can apply if you receive a request (in exercise of a power conferred by an enactment or rule of law) for health data from:

  • someone with parental responsibility for an individual aged under 18 (or 16 in Scotland); or
  • someone appointed by the court to manage the affairs of an individual who is incapable of managing their own affairs.

It exempts you from the UK GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling; and
  • all the principles, but only so far as they relate to the right to be informed and the other individual rights.

But the exemption only applies to the extent that complying with the request would disclose information that:

  • the individual provided in the expectation that it would not be disclosed to the requestor, unless the individual has since expressly indicated that they no longer have that expectation;
  • was obtained as part of an examination or investigation to which the individual consented in the expectation that the information would not be disclosed in this way, unless the individual has since expressly indicated that they no longer have that expectation; or
  • the individual has expressly indicated should not be disclosed in this way.

Health data – serious harm

This exemption can apply if you receive a subject access request for health data.

It exempts you from the UK GDPR’s provisions on the right of access regarding your processing of health data.

But the exemption only applies to the extent that compliance with the right of access would be likely to cause serious harm to the physical or mental health of any individual. This is known as the ‘serious harm test’ for health data.

You can only rely on this exemption if:

  • you are a health professional; or
  • within the last six months you have obtained an opinion from an appropriate health professional that the serious harm test for health data is met. Even if you have done this, you still cannot rely on the exemption if it would be reasonable in all the circumstances to re-consult the appropriate health professional.

If you think this exemption might apply to a subject access request you have received, see paragraph 2(1) of Schedule 3, Part 2 of the DPA 2018 for full details of who is considered an appropriate health professional.

Health data – restriction of the right of access

This is a restriction rather than an exemption. It applies if you receive a subject access request for health data.

It restricts you from disclosing health data in response to a subject access request, unless:

  • you are a health professional; or
  • within the last six months you have obtained an opinion from an appropriate health professional that the serious harm test for health data is not met. Even if you have done this, you must re-consult the appropriate health professional if it would be reasonable in all the circumstances.

This restriction does not apply if you are satisfied that the health data has already been seen by, or is known by, the individual it is about.

If you think this restriction could apply to a subject access request you have received, see paragraph 2(1) of Schedule 3, Part 2 of the DPA 2018 for full details of who is considered an appropriate health professional.

Social work data – processed by a court

This exemption can apply to social work data (personal data that isn’t health or education data) processed by a court. If you are unsure whether the data you process is social work data, see paragraphs 7(1) and 8 of Schedule 3, Part 3 of the DPA 2018 for full details of what this is.

The exemption relieves you from your obligations regarding the UK GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling; and
  • all the principles, but only so far as they relate to the right to be informed and the other individual rights.

But the exemption only applies if the social work data is:

  • supplied in a report or evidence given to the court in the course of proceedings; and
  • those proceedings are subject to certain specific statutory rules that allow the social work data to be withheld from the individual it relates to.

If you think this exemption might apply to your processing of personal data, see paragraph 9(2) of Schedule 3, Part 3 of the DPA 2018 for full details of the statutory rules.

Social work data – an individual’s expectations and wishes

This exemption can apply if you receive a request (in exercise of a power conferred by an enactment or rule of law) for social work data concerning an individual from:

  • someone with parental responsibility for an individual aged under 18 (or 16 in Scotland); or
  • someone appointed by the court to manage the affairs of an individual who is incapable of managing their own affairs.

It exempts you from the UK GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling; and
  • all the principles, but only so far as they relate to the right to be informed and the other individual rights.

But the exemption only applies to the extent that complying with the request would disclose information that:

  • the individual provided in the expectation that it would not be disclosed to the requestor, unless the individual has since expressly indicated that they no longer have that expectation;
  • was obtained as part of an examination or investigation to which the individual consented in the expectation that the information would not be disclosed in this way, unless the individual has since expressly indicated that they no longer have that expectation; or
  • the individual has expressly indicated should not be disclosed in this way.

Social work data – serious harm

This exemption can apply if you receive a subject access request for social work data.

It exempts you from the UK GDPR’s provisions on the right of access regarding your processing of social work data.

But the exemption only applies to the extent that complying with the right of access would be likely to prejudice carrying out social work because it would be likely to cause serious harm to the physical or mental health of any individual. This is known as the ‘serious harm test’ for social work data.

Social work data – restriction of the right of access

This is a restriction rather than an exemption. It applies if you process social work data as a local authority in Scotland (as defined by the Social Work (Scotland) Act 1968), and you receive a subject access request for that data.

It restricts you from disclosing social work data in response to a subject access request if:

  • the data came from the Principal Reporter (as defined by the Children’s Hearings (Scotland) Act 2011) in the course of his statutory duties; and
  • the individual whom the data is about is not entitled to receive it from the Principal Reporter.

If there is a question as to whether you need to comply with a subject access request in this situation, you must inform the Principal Reporter within 14 days of the question arising.

You must not disclose the social work data in response to the subject access request unless the Principal Reporter has told you they think the serious harm test for social work data is not met.

Education data – processed by a court

This exemption can apply to education data (personal data in an educational record) processed by a court. If you are unsure whether the data you process is ‘education data’, see paragraphs 13-17 of Schedule 3, Part 4 of the DPA 2018 for full details of what this is.

The exemption relieves you from your obligations regarding the UK GDPR’s provisions on:

  • the right to be informed;
  • all the other individual rights, except rights related to automated individual decision-making including profiling; and
  • all the principles, but only so far as they relate to the right to be informed and the other individual rights.

But the exemption only applies if the education data is:

  • supplied in a report or evidence given to the court in the course of proceedings; and
  • those proceedings are subject to certain specific statutory rules that allow the education data to be withheld from the individual it relates to.

If you think this exemption might apply to your processing of personal data, see paragraph 18(2) of Schedule 3, Part 4 of the DPA 2018 for full details of the statutory rules.

Education data – serious harm

This exemption can apply if you receive a subject access request for education data.

It exempts you from the UK GDPR’s provisions on the right of access regarding your processing of education data.

But the exemption only applies to the extent that complying with the right of access would be likely to cause serious harm to the physical or mental health of any individual. This is known as the ‘serious harm test’ for education data.

Education data – restriction of the right of access

This is a restriction rather than an exemption. It applies if you process education data as an education authority in Scotland (as defined by the Education (Scotland) Act 1980), and you receive a subject access request for that data.

It restricts you from disclosing education data in response to a subject access request if:

  • you believe that the data came from the Principal Reporter (as defined by the Children’s Hearings (Scotland) Act 2011) in the course of his statutory duties; and
  • the individual whom the data is about is not entitled to receive it from the Principal Reporter.

If there is a question as to whether you need to comply with a subject access request in this situation, you must inform the Principal Reporter within 14 days of the question arising.

You must not disclose the education data in response to the subject access request unless the Principal Reporter has told you they think the serious harm test for education data is not met.

Child abuse data

This exemption can apply if you receive a request (in exercise of a power conferred by an enactment or rule of law) for child abuse data. If you are unsure whether the data you process is ‘child abuse data’, see paragraph 21(3) of Schedule 3, Part 5 of the DPA 2018 for a definition.

The exemption applies if the request is from:

  • someone with parental responsibility for an individual aged under 18; or
  • someone appointed by the court to manage the affairs of an individual who is incapable of managing their own affairs.

It exempts you from the UK GDPR’s provisions on the right of access.

But the exemption only applies to the extent that complying with the request would not be in the best interests of the individual who the child abuse data is about.

This exemption can only apply in England, Wales and Northern Ireland. It cannot apply in Scotland.

Corporate finance

This exemption can apply if you process personal data in connection with a corporate finance service (e.g. if you underwrite financial instruments or give corporate finance advice to undertakings) that you are permitted to provide (as set out in the Financial Services and Markets Act 2000).

It exempts you from the UK GDPR’s provisions on:

  • the right to be informed;
  • the right of access; and
  • all the principles, but only so far as they relate to the right to be informed and the right of access.

But the exemption only applies to the extent that complying with the provisions above would:

  • be likely to affect the price of an instrument; or
  • have a prejudicial effect on the orderly functioning of financial markets (or the efficient allocation of capital within the economy), and you reasonably believe that complying with the provisions above could affect someone’s decision whether to:
    • deal in, subscribe for or issue a financial instrument, or
    • act in a way likely to have an effect on a business activity (e.g. an effect on an undertaking’s capital structure, the legal or beneficial ownership of a business or asset, or a person’s industrial strategy).

Management forecasts

This exemption can apply if you process personal data for the purposes of management forecasting or management planning in relation to a business or other activity.

It exempts you from the UK GDPR’s provisions on:

  • the right to be informed;
  • the right of access; and
  • all the principles, but only so far as they relate to the right to be informed and the right of access.

But the exemption only applies to the extent that compliance with the above provisions would be likely to prejudice the conduct of the business or activity.

Example

The senior management of an organisation is planning a re-organisation. This is likely to involve making certain employees redundant, and this possibility is included in management plans. Before the plans are revealed to the workforce, an employee makes a subject access request. In responding to that request, the organisation does not have to reveal its plans to make him redundant if doing so would be likely to prejudice the conduct of the business (perhaps by causing staff unrest before the management’s plans are announced).

Negotiations

This exemption can apply to personal data in records of your intentions relating to any negotiations with an individual.

It exempts you from the UK GDPR’s provisions on:

  • the right to be informed;
  • the right of access; and
  • all the principles, but only so far as they relate to the right to be informed and the right of access.

But it only applies to the extent that complying with the above provisions would be likely to prejudice negotiations with that individual.

Example

An individual makes a claim to his insurance company. The claim is for compensation for personal injuries he sustained in an accident. The insurance company disputes the seriousness of the injuries and the amount of compensation it should pay. An internal paper sets out the company’s position on these matters including the maximum sum it would be willing to pay to avoid the claim going to court. If the individual makes a subject access request to the insurance company, it would not have to send him the internal paper – because doing so would be likely to prejudice the negotiations to settle the claim.

Confidential references

This exemption applies if you give or receive a confidential reference for the purposes of prospective or actual:

  • education, training or employment of an individual;
  • placement of an individual as a volunteer;
  • appointment of an individual to office; or
  • provision by an individual of any service.

It exempts you from the UK GDPR’s provisions on:

  • the right to be informed;
  • the right of access; and
  • all the principles, but only so far as they relate to the right to be informed and the right of access.

Example

Company A provides an employment reference in confidence for one of its employees to company B. If the employee makes a subject access request to company A or company B, the reference will be exempt from disclosure. This is because the exemption applies to the reference regardless of whether it is in the hands of the company that gives it or receives it.

Exam scripts and exam marks

This exemption can apply to personal data in exam scripts.

It exempts you from the UK GDPR’s provisions on:

  • the right to be informed;
  • the right of access; and
  • all the principles, but only so far as they relate to the right to be informed and the right of access.

But it only applies to the information recorded by candidates. This means candidates do not have the right to copies of their answers to the exam questions.

However, the information recorded by the person marking the exam is not exempt from the above provisions. If an individual makes a subject access request for this information before the results are announced, special rules apply to how long you have to comply with the request. You must provide the information:

  • within five months of receiving the request; or
  • within 40 days of announcing the exam results, if this is earlier.

Protection of the rights of others

Paragraphs 16 and 17 of Schedule 2, Part 3 of the DPA 2018 provide an exemption that can apply if you receive a subject access request for information containing the personal data of more than one individual.

Further reading

For guidance on what to do if you receive a request for information that includes the personal data of other people, see our Guide page on the right of access.

National security and defence

If you are processing personal data to safeguard national security or for defence purposes, there is an exemption provided for at section 26 of the DPA 2018. You may be able to apply this exemption if you process data under the UK GDPR.

National security is not specifically defined but it can cover processing for:

  • protection against specific threats, such as from terrorists or hostile states;
  • protection of potential targets even in the absence of specific threats; and
  • international co-operation with other countries.

If the exemption applies, it can exempt you from:

  • any of the data protection principles (except lawfulness requirements);
  • any of the rights of individuals;
  • personal data breach reporting;
  • international transfers requirements; and
  • some of the Commissioner’s duties and enforcement powers.

You must always ensure that your processing is lawful, and that you have a lawful basis under Article 6. There is no exemption from the requirement to process lawfully.

You must always comply with your general accountability and governance obligations.

If you are processing special category data for national security purposes there is no exemption from Article 9, but special rules apply. Section 28 of the DPA permits the processing of special category data for safeguarding national security, provided you ensure there are appropriate safeguards for the rights and freedoms of data subjects.

This is not a blanket exemption. You must be able to show that the exemption from specified data protection standards is required for the purposes of safeguarding national security. When deciding whether to use this exemption, we suggest you consider whether complying with the UK GDPR would raise a real possibility of an adverse effect on national security.

Further reading

See our National security and defence guidance for more information about the National security and defence exemption.

Latest updates

29 September 2022 - we have added a link to the detailed guidance we have published about the research provisions