A year of subject access requests – key challenges and changes
As 2025 unfolds, we reflect on a busy 2024 helping clients overcome key challenges when responding to data subject access requests (“SARs”). The degree of advice and assistance needed has varied: data controllers receiving their first SAR have needed end-to-end support, others have simply wanted a sense check of their response, and seasoned SAR responders have needed advice on tricky legislative exemptions or access to our AI software for speed and precision. Although Article 15 UK GDPR is the headline legal provision to consider, there is no ‘one size fits all’ approach. Further, the application of the permitted exemptions contained within Schedules 2 to 4 of the Data Protection Act 2018 will differ from one organisation to another, and from one SAR to another.
SARs can quickly become challenging on a practical, legal, technical, and financial level. Our experienced team at Mills and Reeve are well equipped to help your organisation navigate through a SAR response or help you establish a response process. Rest assured, you won’t be the first, or the last, to ask for help. Recent and upcoming developments to be aware of include:
- On 7 June, the High Court ruled in the case of Harrison v Cameron & ACL [2024] EWHC 1377 (KB), confirming that data subjects are entitled to be informed by the data controller of the identities of the recipients of their personal data, and not only of the categories of recipients (Article 15(1)(c) UK GDPR). However, the case confirms that, in practice, this involves a balancing exercise to be carried out by the data controller when applying the third-party data exemption set out in para 16, Schedule 2 of the Data Protection Act 2018.
- The proposed Data Use and Access Bill put forward by the Labour government includes changes that could impact subject access requests. This isn’t law yet (and may be changed as the Bill proceeds), but you should prepare for what the proposals seek to do. Under the new provisions, data controllers would need to make a complaints process available to data subjects, and the ICO would have discretion to seek from data controllers details of those complaints. Trends in a data controller’s complaint history could thus become more apparent. Courts would also be granted discretion to request documentation that the controller withheld from a SAR response when considering the adequacy of that response, and (in turn) to decide whether it is then required to be disclosed to the data subject. A welcome provision clarifies the data controller’s obligation to respond on a reasonable and proportionate basis. Whilst this position is already established in case law and ICO guidance, in practice it has done little to deter aggressive and persistent requests for information.
- In August, the ICO reprimanded The Labour Party and, in April, the University of Southampton NHS FT, for failing to respond to SARs (and requests for erasure). SARs can be time consuming and place demands on the team responding to them. Receiving multiple SARs can expose an organisation to systemic risks, and for the ICO this makes newsworthy headlines. If you need support, even at late stages in the response process, or because you have received communication from the ICO, please do get in contact with us.
- The ICO’s Data Protection Practitioner’s Conference 2024 included a session on SARs and acknowledged that SARs can be partially excessive, which constitutes grounds to refuse those parts of the request. We successfully challenge the scope of SARs, alleviating the burden on organisations. SARs are often presented by requestors who lack knowledge or awareness of the data controller’s actual legal obligations, so the requestor’s expectations need to be carefully managed. You can watch the ICO session here.
- In October, the ICO announced a new audit framework to help support organisations with UK GDPR compliance responsibilities. It includes various toolkits to work with specific obligations, such as SARs. The SAR toolkit helps organisations to understand the types of procedures that data controllers need to have in place and the expectations around compliance records and control measures. You can view the ICO’s SAR toolkit here. Remember, if you need help, we’re here for you!
- SARs often have an underlying motive: to obtain information related to, for example, employment-related grievances, tribunals, or other civil claims. Events affecting specific industries can thus have an impact on the level of SARs that an organisation receives, often on a bulk or continuous basis. The new Workers Protection Act and Employment Rights Bill, for instance, are expected to prompt an increase in employment-related disputes. The Supreme Court is also set to decide the position of lenders in the car finance sector on hidden commissions and the merits of claims for compensation, which will affect the volume of SARs submitted to lenders and car dealerships by claims representatives in their quest for information on the commissions paid. The impact could stretch to consumer credit generally.
Please reach out to Mills and Reeve for more information, advice, training, resources, review and redaction capability, end-to-end SAR response assistance, letter templates and more.