Skip to main content
Hafan

Exemptions: when can we refuse a SAR?

Contents

In more detail

What are exemptions and how do they work?

There are a number of exemptions from the right of access. Where an exemption applies to the facts of a particular request, you could refuse to provide all or some of the requested information, depending on the circumstances. You can apply an exemption to any of the information you are required to provide to a person in response to their SAR. This includes:

  • confirmation that you are processing their personal information;
  • a copy of their personal information; and
  • other supplementary information.

You can also apply an exemption to providing the supplementary information where doing this would prejudice the operation of the exemption. For further details about how this works, see Does this exemption apply to supplementary information?

Not all the exemptions apply in the same way. You should look at each exemption carefully to see how it applies to a particular SAR. Some exemptions apply because of the nature of the personal information (eg information contained in a confidential reference). Others apply because disclosing the information is likely to prejudice your purpose.

For more on prejudice, see What does ‘prejudice’ mean?

If an exemption does apply, you may sometimes be obliged to rely on it (for instance, if complying with a SAR would break another law). In other cases, you can choose whether to use the exemption or not.

You should consider whether an exemption applies on a case-by-case basis. You cannot routinely rely on exemptions or apply them in a blanket fashion.

In line with the accountability principle, you should document your reasons for relying on an exemption and be able to justify it.

What do we need to do if we refuse to comply with a request?

If you refuse to comply with a request, you must inform the person of:

  • the reasons why;
  • their right to make a complaint to the controller;
  • their right to make a complaint to the ICO; and
  • their ability to seek to enforce these rights through the courts.

If you believe that an exemption applies, you must be able to demonstrate this.

If you rely on an exemption, the reasons you give to the requester may depend on the circumstances. For example, if telling a person that you have applied a particular exemption would prejudice the purpose of that exemption, your response may be more general. However, where possible, you should be transparent about your reasons for withholding information.

What does ‘prejudice’ mean?

‘Prejudice’ is a term often used in the context of exemptions. Many of the exemptions discussed in this section allow a controller to withhold information to the extent that disclosure would prejudice a particular purpose or function.

The meaning of ‘prejudice’ may vary depending on the nature of the information and the specific circumstances. In general, it can mean:

  • compromising or undermining a purpose or function;
  • preventing a purpose or function from being carried out independently or fairly; or
  • limiting rights and freedoms (for example, by compromising a person’s position in a negotiation).

Where you are applying an exemption based on prejudice to a particular purpose, function or right, you should clearly identify and document:

  • the specific nature of the prejudice;
  • a clear and direct link between the disclosure of the information and the prejudice likely to be suffered; and
  • why the prejudice likely to be suffered is actual, real and of substance.

If a disclosure will only have trivial or insignificant consequences, this is unlikely to be sufficient to establish prejudice.

Prejudice may also occur where confirming or denying that you hold the information would itself undermine the purpose of an exemption. In these circumstances, you may be able to rely on an exemption to issue a ‘neither confirm nor deny’ (NCND) response.

Can an exemption be used to prevent prejudice to another organisation’s function?

Yes — but only in very specific circumstances. In the sections below, we discuss three exemptions you may apply if complying with a SAR (in full or in part) would likely prejudice another organisation’s function. These exemptions are:

  • functions designed to protect the public;
  • regulatory functions relating to legal services, the health service and children’s services; and
  • other regulatory functions.

Please see the relevant sections below for more information about each of these exemptions.

When considering the use of an exemption in these circumstances, you could consult with the other organisation and seek their views before you respond. In such cases, you may consider the request to be complex, which will allow you to extend the time limit by up to two months. For more information, see Can we extend the time for a response?

You are responsible for deciding whether to disclose personal information in response to a SAR, and whether an exemption can be applied to withhold requested information. If you do apply an exemption, you must be able to explain why. If you choose to apply an exemption in these circumstances, consulting with the other organisation can support your reasoning and help you explain your actions more clearly.

Crime and taxation: general

There are two parts to this exemption.

The first part applies to personal information processed for the following crime- and taxation-related purposes:

  • The prevention, investigation or detection of crime.
  • The apprehension or prosecution of offenders.
  • The assessment or collection of a tax or duty, or an imposition of a similar nature.

You can only rely on this exemption to withhold this information to the extent that complying with a SAR is likely to prejudice these purposes. You need to judge whether or not this is likely in each case. You cannot use the exemption to justify denying access to whole categories of personal information, if its disclosure is unlikely to prejudice the crime and taxation purposes.

Example

A bank investigates one of their customers for suspected financial fraud. During the investigation, the customer who is under suspicion makes a SAR for all their personal information.

The bank decides that it will withhold information about the investigation. This is because disclosing it would likely damage the investigation, as the person may abscond or destroy evidence. However, the bank can provide other information that would not damage the investigation (eg the person’s account details and transactions).

The second part of this exemption applies when another organisation obtains personal information used for any of the reasons mentioned above for the purposes of discharging statutory functions. The organisation that obtains the personal information is exempt from complying with a SAR to the same extent that the original organisation was exempt.

Example

The Independent Office for Police Conduct (IOPC) obtains information from the police for the purpose of carrying out its statutory function to investigate a complaint made against the police. The police advises the IOPC that this information is also being used as part of a criminal investigation. It tells the IOPC that it received a SAR while its investigations were in progress, and it applied a restriction under the relevant law enforcement provisions of the DPA to withhold the information to avoid prejudicing the prevention, investigation and detection of crime.

As this information is being used as part of a criminal investigation, the IOPC can rely on the crime and taxation exemption to withhold the relevant information if it receives a SAR, to avoid prejudicing the prevention, investigation and detection of crime.

If you are a competent authority using personal information for law enforcement purposes (eg the police conducting a criminal investigation), see our guidance on logging for law enforcement purposes for more information. If you are an intelligence service under part 4 of the DPA, see our guidance on intelligence services processing.

Crime and taxation: risk assessment

Personal information is exempt from the right of access if it would disclose a person’s classification within a risk assessment system, but only to the extent that complying with a SAR would prevent the system from operating effectively. For example, where a person has been classified as a tax compliance risk following review of their tax returns by HMRC, disclosing this information would compromise the effectiveness of this system (by notifying the person of their classification or revealing the methods used).

A government department, local authority or other authority administering housing benefit must operate the risk assessment system for:

  • the assessment or collection of a tax or duty, or an imposition of a similar nature; or
  • the prevention or detection of crime or the apprehension or prosecution of offenders, where the offence involves the unlawful use of public money or an unlawful claim for payment out of public money.

Legal professional privilege

Personal information is exempt from the right of access if it consists of information:

  • to which a claim to legal professional privilege (or confidentiality of communications in Scotland) may be maintained in legal proceedings; or
  • about which a professional legal adviser owes a duty of confidentiality to their client.

This exemption covers the two branches of legal professional privilege: litigation privilege and legal advice privilege. In England, Wales and Northern Ireland, the concept of legal professional privilege encompasses both these branches, which apply as follows:

  • Litigation privilege applies to confidential communications between a client, professional legal adviser or a third party, but only where litigation is contemplated or in progress.
  • Legal advice privilege only applies to confidential communications between a client and a professional legal adviser for the purpose of seeking or obtaining legal advice.

Under Scottish law, the concept of confidentiality of communications gives protection for:

  • confidential communications between a client and solicitor, where the client seeks, and the solicitor gives, legal advice; and
  • confidential communications made in connection with legal proceedings (this extends beyond communications solely between solicitors and clients to cover communications with third parties, such as experts or witnesses).

In Scotland, you may withhold information that comprises confidential communications between a client and their professional legal adviser in the same way that you may withhold information covered by legal advice privilege under English law.

The Scottish law also says that a litigant is not required to disclose material they have brought into existence for the purpose of preparing their case. This is similar to litigation privilege under English law.

Legal professional privilege is only available for communications that are confidential in nature, and:

  • where litigation is not contemplated or in progress, made solely between client and professional legal adviser acting in a professional capacity; or
  • made for the dominant purpose of obtaining or providing legal advice or being used by lawyers where litigation is contemplated or in progress.

A communication is a document that conveys information. It can take any form, including a letter, report, email, memo, photograph, note of a conversation, or an audio or visual recording. It can also include draft documents prepared with the intention of putting them before a legal adviser.

This exemption only applies where the obligations under data protection legislation prejudice the confidentiality of the work that lawyers are doing for their clients. It does not apply to all the processing that a lawyer or a law firm carries out.

Functions designed to protect the public

Personal information is exempt from the right of access if you process it to perform one of six functions designed to protect the public, or if it relates to the actions of another organisation to carry out these functions — for example, if it’s information:

  • that you have shared with the other organisation; or
  • that shows that the other organisation has contacted you about the person in relation to its investigations.

This exemption only applies to the extent that complying with a SAR would likely prejudice the performance of a specific function or functions. If you can comply with a SAR (even partially) without prejudicing the function, you must do so.

The first four functions are to:

  • protect the public against financial loss because of the seriously improper conduct (or unfitness or incompetence) of financial services providers, or in the management of bodies corporate, or because of the conduct of bankrupts;
  • protect the public against dishonesty, malpractice or other seriously improper conduct (or unfitness or incompetence);
  • protect charities or community interest companies against misconduct or mismanagement in their administration, to protect the property of charities or community interest companies from loss or misapplication or to recover the property of charities or community interest companies; or
  • secure workers’ health, safety and welfare, or to protect others against health and safety risks in connection with (or arising from) someone at work.

However, to rely on this exemption, you must be able to show that one of the above functions is:

  • conferred on a person by enactment;
  • a function of the Crown, a Minister of the Crown or a government department; or
  • of a public nature and exercised in the public interest.

The fifth function is to:

  • protect the public from maladministration, or a failure in services provided by a public body, or from the failure to provide a service that it is a function of a public body to provide.

You can only rely on this if you are one of the following bodies or if you have shared the requested information with one of these bodies to enable it to discharge its function:

  • the Parliamentary Commissioner for Administration;
  • the Commissioner for Local Administration in England;
  • the Health Service Commissioner for England;
  • the Public Services Ombudsman for Wales;
  • the Northern Ireland Public Services Ombudsman;
  • the Prison Ombudsman for Northern Ireland; or
  • the Scottish Public Services Ombudsman.

The sixth function needs to be conferred by enactment on the Competition and Markets Authority. This function is to:

  • protect members of the public from business conduct adversely affecting them, to regulate conduct (or agreements) preventing, restricting or distorting commercial competition, or to regulate undertakings abusing a dominant market position.

Regulatory functions relating to legal services, the health service and children’s services

Personal information is exempt from the right of access if it’s used for carrying out a function of:

  • the Legal Services Board;
  • considering a complaint under:
    • part 6 of the Legal Services Act 2007,
    • section 14 of the NHS Redress Act 2006,
    • section 113(1) or (2), or section 114(1) or (3) of the Health and Social Care (Community Health and Standards) Act 2003,
    • section 24D or 26 of the Children’s Act 1989, or
    • part 2A of the Public Services Ombudsman (Wales) Act 2005; or
  • considering a complaint or representations under chapter 1, part 10 of the Social Services and Well-being (Wales) Act 2014.

The exemption only applies to the extent that complying with a SAR would likely prejudice the performance of a function or functions. If you can comply with a SAR (even partially) without prejudicing a function, you must do so.

Other regulatory functions

This exemption is only available where a function has been conferred on one of the following bodies or persons (the ‘specified organisations’):

  • the ICO;
  • the Scottish Information Commissioner;
  • the Pensions Ombudsman;
  • the Board of the Pension Protection Fund;
  • the Ombudsman for the Board of the Pension Protection Fund;
  • the Pensions Regulator;
  • the Financial Conduct Authority;
  • the Financial Ombudsman;
  • the investigator of complaints against the financial regulators;
  • the monitoring officer of a relevant authority;
  • the monitoring officer of a relevant Welsh authority;
  • the Public Services Ombudsman for Wales; or
  • the Charity Commission.

Personal information is exempt from the right of access if it’s used to either:

  • perform a function conferred on one of the specified organisations; or
  • enable one of the specified organisations to perform a function.

This exemption only applies to the extent that, in either case, disclosure of the information would likely prejudice the function, or the performance of a specific function or functions. For further details about prejudice, see What does ‘prejudice’ mean?

When considering the use of this exemption you could consult with the other organisation and seek their views before you respond. If you do this, you may extend the time limit by up to two months if you deem the request to be complex.

If disclosing the information is not likely to prejudice a function, then you must comply with the SAR.

Example

A person makes a SAR to their bank asking for all their personal information. The bank withholds some of the details because they relate to an ongoing investigation by the Financial Conduct Authority.

Although the bank is not one of the specified organisations, it is helping the FCA’s investigation by providing it with relevant information. This means that it can rely on the exemption to withhold information (including correspondence between it and the FCA), as disclosure would likely prejudice the investigation.

If the person makes a SAR after the FCA investigation has ended, the bank cannot rely on this exemption if disclosing the information would no longer be prejudicial to the FCA.

Judicial appointments, independence and proceedings

Personal information is exempt from the right of access if you use it:

  • for the purposes of assessing a person’s suitability for judicial office or the office of King’s Counsel;
  • as a person acting in a judicial capacity; or
  • as a court or tribunal acting in its judicial capacity.

This exemption only applies to the extent that providing access would likely prejudice judicial independence or judicial proceedings.

The purpose of this exemption is to protect judicial independence. It applies to any information used by the person, court or tribunal in the exercise of their judicial function — not just their final decision. This includes pleadings, statements and reports considered as part of the judicial decision-making process. For example, this exemption applies to notes made by a judge for their own use during a trial.

This exemption does not apply to all information used in connection with legal proceedings. For example, legal representatives cannot rely on it to refuse to disclose information contained in documents filed or placed in the custody of the court (eg witness statements, medical or forensic reports or skeleton arguments). However, there may be other rules that apply to this information.

Some exemptions specifically apply to health, education or social work information processed by the courts.

If you are not acting in a judicial capacity, you may rely on this exemption to the extent that disclosing personal information would likely prejudice judicial proceedings or judicial independence. This may apply to information that has been shared with you by a court or body acting in a judicial capacity – or to information you have shared with them. For example, this may apply if a judge has disclosed the information to you in confidence or has attached specific conditions to its disclosure. In such cases, it’s important that you consider any court order or specific judicial instruction about the handling of the information.

If you process information in connection with a criminal investigation or criminal proceedings, including proceedings for the sentencing of an offender, please see our guidance on the right of access – part 3: what you need to consider if personal information is processed by a court for law enforcement purposes.

We do not regulate the processing of personal information by a person, court or tribunal acting in a judicial capacity. Other bodies with a regulatory remit over those acting in a judicial capacity oversee such processing.

Journalism, academia, art and literature

Personal information may be exempt from the right of access if you process it for:

  • journalistic purposes;
  • academic purposes;
  • artistic purposes; or
  • literary purposes.

These are known as the ‘special purposes’.

This exemption only applies to the extent that:

  • you are processing the information with a view to the publication of some journalistic, academic, artistic or literary material;
  • you reasonably believe that the publication of the material would be in the public interest, taking into account:
    • the special importance of the general public interest in freedom of expression,
    • any specific public interest in the particular subject, and
    • the potential harm to the requester if they do not receive their information; and
  • as the controller, you reasonably believe that compliance with a SAR would be incompatible with the special purposes (ie it is more than just an inconvenience).

When deciding whether it’s reasonable to believe that publication would be in the public interest, you must (if relevant) take into account the:

  • BBC Editorial Guidelines;
  • Ofcom Broadcasting Code; or
  • Editors’ Code of Practice.

If you rely on this exemption and the person makes a complaint to the ICO, you should be able to explain:

  • why you require the exemption in each case;
  • how you applied it; and
  • who considered it at the time.

We do not have to agree with your view, but we need to be satisfied that you have a reasonable belief that this exemption applies to the request in the circumstances, and you should document your reasons why you believe this exemption applies.

Example

An investigative journalist plans to publish an article about the illegal and abusive treatment of animals at several slaughterhouses. The journalist has interviewed multiple people in connection with this matter and will be ready to publish the piece later in the year. A person whose anonymised interview will feature in the publication makes a SAR for a copy of their interview many months before the planned publication date.

Although the person’s responses to the interview questions are their personal information, the journalist is concerned that the nature of the questions and responses reveals the purpose of the investigation.

In deciding whether or not to apply the exemption, the journalist considers the following points:

  • They are processing the person’s information with a view to publishing a piece of journalism.
  • Publishing the material is in the public interest, as it relates to broader animal welfare issues in agriculture. Also, this matter does not impact the requester personally. As the journalist intends to fully anonymise the information, the person cannot be identified through the publication.
  • Disclosing the information at this stage could damage the ongoing investigation (eg lead to concealment of evidence), particularly if the requester were to share this information with others.

On balance, the journalist decides to apply the exemption and does not provide a copy of the interview. They explain to the requester the reason for this and keep a record of their reasoning.

Please refer to our Data protection and journalism code of practice for further information about this topic.

Research and statistics

There is an exemption from the right of access if you use personal information for:

  • scientific or historical research purposes; or
  • statistical purposes.

This exemption only applies to the extent that complying with the SAR would prevent or seriously impair the achievement of these purposes, and if:

  • the processing is subject to appropriate safeguards for people’s rights and freedoms (see article 89(1) of the UK GDPR);
  • the processing is not likely to cause substantial damage or substantial distress to a person;
  • the processing is not used for measures or decisions about a particular person (unless the purposes for which the processing is necessary include approved medical research); and
  • the research results are not made available in a way that identifies people.

Please refer to our guidance on the research provisions for further information about this exemption.

Archiving in the public interest

There is an exemption from the right of access if you use personal information for archiving purposes in the public interest.

This exemption only applies to the extent that complying with the SAR would prevent or seriously impair the achievement of this purpose, and if:

  • the processing is subject to appropriate safeguards for people’s rights and freedoms (see article 89(1) of the UK GDPR);
  • the processing is not likely to cause substantial damage or substantial distress to any person; and
  • you are not using the processing for measures or decisions about a particular person (unless the purposes for which the processing is necessary include approved medical research).

Please refer to our guidance on the research provisions for further information about this exemption.

Health, education and social work information

The exemptions that may apply when a SAR relates to personal information included in health, education and social work information are explained in detail in these sections:

Child abuse information

Child abuse information is personal information consisting of information about whether the person is or has been the subject of, or may be at risk of, child abuse. This includes physical injury (other than accidental injury) to, and physical and emotional neglect, ill-treatment and sexual abuse of, a person aged under 18.

You are exempt from providing child abuse information in response to a SAR if you receive a request (in exercise of a power conferred by an enactment or rule of law) from someone:

  • with parental responsibility for a person aged under 18; or
  • appointed by a court to manage the affairs of a person who is incapable of managing their own affairs.

But the exemption only applies to the extent that complying with the request would not be in the best interests of the child.

This exemption can only apply in England, Wales and Northern Ireland. It does not apply in Scotland.

Management information

An exemption applies to personal information that you process for management forecasting or management planning about a business or other activity. This information is exempt from the right of access to the extent that complying with a SAR would likely prejudice the conduct of the business or activity.

To rely on the exemption, you should be able to do the following:

  • Show that the personal information is relevant to, and is being used for, the purpose of management forecasting or management planning. It may therefore involve an element of forward-looking strategic thinking or consideration, although this is likely to be at a relatively high level.
  • Justify that disclosing the personal information would likely prejudice the conduct of your business or activity.
  • Show that the prejudice likely to be suffered by your organisation is greater than the harm likely to be experienced by the person as a result of not having access to their personal information.
  • Provide the person with your reasons for applying the exemption (in most cases).

This is not a blanket exemption, and you should be selective, ensuring that you disclose any information not covered by it.

Example

The senior management of an organisation is planning a reshuffle. This is likely to involve making certain employees redundant, and this possibility is included in management plans. Before the organisation reveals the plans to the workforce, an employee makes a SAR.

In responding to the SAR, the organisation does not have to reveal its plans to make the employee redundant if this would likely prejudice the conduct of the business — for example, by causing staff unrest before the management’s plans are announced.

Example

A business services organisation plans to onboard a new client to do a niche piece of work. The organisation reviews its current staffing levels to establish whether it has enough suitably qualified staff. It produces an inventory of its current staff, with each person assessed against a list of criteria. This will help the organisation assess its recruitment needs for the year ahead.

An employee who has been identified as suitably qualified in the inventory makes a SAR for all their personal information. However, the organisation decides to withhold the relevant information in its staff inventory. It believes that disclosing the information may cause staff to become concerned that their job roles are changing or at risk, or that their workload may increase, which could result in a drop in morale or staff applying for other roles. Staff may also incorrectly assume that the organisation is planning to promote some staff above others. The organisation will inform staff about the new client in due course, but at present, it is only at the planning stage.

Taking this into account, the organisation decides to apply the management forecasting exemption and withhold the information. However, it must still comply with the SAR and provide the employee with the rest of the information it holds about them.

Example

An employee of a local authority makes a SAR asking for all their information, including any records of discussions between senior managers about their performance. The employee is an administrative assistant and has been through various disciplinary procedures because of their absenteeism. Senior managers have been involved in discussions about whether to terminate their employment.

The organisation considers whether it can withhold the records of the discussions between senior managers about the possibility of terminating the employee’s contract. In considering the relevance of the management forecasting exemption, the organisation considers:

  • whether the discussions relate to its wider strategic thinking or forward planning; and
  • whether disclosure of the information would cause prejudice to its wider conduct or activities.

The discussions are about the specific employee, not about the wider strategy of the organisation. They do not relate to or impact other staff within the organisation. Therefore, the requirements of the management forecasting exemption are not met. The authority must disclose the personal information that relates to the employee. However, it may be able to withhold information that relates to other people.

You may also consider applying the management forecasting exemption to refuse to confirm or deny that you hold the information where this would prejudice the exemption.

Example

A person (the requester) has been employed by a technology company for six months. Recently, they have heard rumours that many employees might be made redundant in the next few months.

In fact, because of financial challenges, the company is considering several options — including potential redundancies. However, no final decisions have been made. Despite this, as the information relates to management forecasting, and the company is still considering its options, it is likely to be prejudicial to release details at this stage.

The requester makes a SAR for “any information you have about me which relates to your planned redundancies”. Their name is on a list of employees who have been identified as being ‘at risk’ of being made redundant.

If the company confirms that it holds the information, the requester is likely to infer that they are being considered for redundancy — even if the company withholds a copy of the list itself. In the circumstances, confirming the information is held is likely to prejudice the company’s ability to carry on its business, as it is likely to reveal that the company is considering redundancies, and the requester may be affected. The company decides to neither confirm nor deny whether it holds the information.

Negotiations with the requester

Personal information that is a record of your intentions in negotiations with a person is exempt from the right of access. This only applies to the extent that complying with a SAR would likely prejudice the negotiations.

Example

A person makes a claim to their insurance company. The claim is for compensation for personal injuries they sustained in an accident. The insurance company disputes the seriousness of the injuries and the amount of compensation it needs to pay.

An internal paper sets out the company’s position on these matters, including the maximum sum it is willing to pay to avoid the claim going to court. If the person makes a SAR to the insurance company, it does not have to send them the internal paper — because doing so would likely prejudice the negotiations to settle the claim.

The exemption does not set limits on the timing of negotiations or say you can only withhold information where negotiations are still ongoing. Therefore, you may be able to apply the exemption after negotiations have ended, but only if you can show that disclosure would likely prejudice negotiations. This may be most relevant where you can show that disclosure would prejudice your position in future negotiations.

Confidential references

From time to time, you may give or receive references about a person. The personal information included in a confidential reference is exempt from the right of access when it relates to the prospective or actual:

  • education, training or employment of a person;
  • placement of a person as a volunteer;
  • appointment of a person to office; or
  • provision of any service by a person.

The exemption applies regardless of whether you give or receive the reference.

Example

Company A provides an employment reference in confidence for one of their employees to company B. If the employee makes a SAR to company A or company B, the reference is exempt from disclosure.

This exemption only applies to references given in confidence. You should make it clear to people, and those providing references, whether you will treat references confidentially or adopt a policy of openness. You should do this through the privacy information you provide when you request the reference.

You should be as open as possible with people about information that relates to them. You must ensure that people are able to challenge information that they consider to be inaccurate or misleading, particularly when, as in the case of a reference, this may have an adverse impact on them.

Exam scripts and exam marks

This applies to academic, professional or other examinations leading to qualifications. There are two parts to this exemption.

The first part applies to information recorded by candidates in an examination. Candidates don’t have the right to a copy of their answers to the questions.

The second part applies to information recorded by the person marking the exam. If the SAR is made before the results are announced, you can delay providing this information. Instead, you must provide the information within:

  • five months of receiving the request; or
  • 40 days of announcing the exam results, if this is earlier.

However, if the SAR is made after the results are announced, you cannot rely on this exemption.

Manifestly unfounded or excessive requests

See Exemptions: when can we consider a request to be manifestly unfounded or excessive?

Information about other people

See Exemptions: can we refuse a SAR if it involves information about other people?

Other exemptions

The exemptions described in this section are those most likely to apply to SARs. However, other exemptions may be relevant. For more information, see our guidance on A guide to the data protection exemptions.