DSARTracker

SAR Exemptions Explained: When Can UK Employers Withhold Data?

Published 10 March 2026

Not everything in your files has to go into a SAR response. The Data Protection Act 2018 (Schedule 2, Part 4) contains exemptions that let you withhold specific categories of data — but only if you assess each document individually and record your reasoning.

This guide covers the exemptions UK employers rely on most frequently, with practical examples for each.

This guide covers DPA 2018 exemptions relevant to employer SAR responses. It is not legal advice. For SARs linked to litigation or tribunal claims, seek specialist legal counsel before applying exemptions.

How exemptions work

SAR exemptions are not blanket permissions to ignore a request. Each exemption:

  • Applies to specific documents or data items, not entire categories
  • Must be assessed on a case-by-case basis — you cannot exempt "all legal correspondence" or "the entire tribunal file"
  • Requires written justification for each application — this is what the ICO asks for when a complaint is filed
  • Can be challenged by the requester through an ICO complaint or court order

The ICO's guide to data protection exemptions is the definitive reference. The practical summary below covers the exemptions employers encounter most often.

Legal professional privilege (paragraph 19)

What it covers: Personal data that is subject to legal professional privilege — advice from your solicitor, correspondence prepared in connection with legal proceedings, or documents created for the dominant purpose of obtaining legal advice.

Employer example: An ex-employee submits a SAR while a tribunal claim is ongoing. Your solicitor has sent you advice on how to respond to the tribunal claim, including assessments of the employee's conduct. This advice is privileged and can be withheld.

What it does NOT cover:

  • Internal discussions about the employee that happen to mention the solicitor's involvement (the discussion itself is not privileged unless it reveals the substance of the legal advice)
  • HR investigation notes that were not created for the purpose of obtaining legal advice
  • The fact that legal advice was sought (you can acknowledge it; you can withhold the content)

Common mistake: Applying privilege to the entire tribunal file. Privilege attaches to specific documents — the solicitor's advice letter, the litigation strategy memo — not to every document that happens to be in the same folder.

Management forecasts (paragraph 22)

What it covers: Personal data processed for management forecasting or management planning, where disclosure would prejudice the conduct of the business.

Employer example: You are planning a restructure that will result in 10 redundancies. The restructuring plan includes names of employees in the at-risk pool. An employee in the pool submits a SAR before the consultation process has been announced. Disclosing their inclusion in the redundancy plan would prejudice the proper conduct of the consultation process.

Two conditions must both be met:

  1. The data is being processed for management forecasting or planning
  2. Disclosure would prejudice the conduct of the business or activity

Once the restructuring plan is announced and the consultation begins, the exemption falls away — the data is no longer confidential management planning.

Negotiations (paragraph 23)

What it covers: Records of your intentions in negotiations with the individual, where disclosure would prejudice those negotiations.

Employer example: An employee has raised a grievance and you are considering offering a settlement. Your internal notes state: "We are prepared to offer up to £15,000 but will start at £8,000." Disclosing this to the employee would directly prejudice the negotiation.

Key limitation: This only covers your intentions — the strategy, the walk-away figure, the settlement parameters. It does not cover the facts of the situation, correspondence exchanged during the negotiation, or the outcome of the negotiation once it concludes.

Confidential references (paragraph 24)

What it covers: References given in confidence for the purposes of education, training, employment, or appointment.

Employer example: You provided a reference for a departing employee to their new employer. The reference was given in confidence. If the employee submits a SAR, you can withhold the reference you gave.

Important distinction:

  • References you gave in confidence — exempt from disclosure
  • References you received about the employee — NOT automatically exempt. The ICO's employer guidance states you may need to disclose references you received, potentially with third-party details redacted

This catches many employers off guard. The exemption protects the referee's confidence when giving the reference. It does not prevent the subject from seeing references held about them by the recipient organisation.

Third-party data (not an exemption — a separate rule)

Strictly, this is not a Schedule 2 exemption but a separate obligation under UK GDPR Article 15(4). You must not disclose personal data about other identifiable individuals unless:

  • The third party has consented, or
  • It is reasonable to disclose without consent

Employer example: An employee's SAR captures emails between their line manager and HR discussing performance concerns. The emails mention other team members by name. You must redact the other employees' names and identifying details unless they have consented to disclosure or disclosure is reasonable in the circumstances.

Practical approach:

  • Redact names, email addresses, and identifying details of third parties
  • Consider whether the third party would reasonably expect their data to be disclosed in this context
  • A colleague copied on a routine email may not object to disclosure; a whistleblower reporting misconduct almost certainly would
  • Document your reasoning for each redaction decision

Refusing the request entirely

Separately from withholding specific data, you can refuse an entire SAR if it is manifestly unfounded or manifestly excessive.

The Data (Use and Access) Act 2025 amends this threshold to "vexatious or excessive" and provides examples: requests intended to cause distress, requests not made in good faith, or requests that are an abuse of process.

The bar is high. Most SARs — even those submitted during tribunal disputes — are not vexatious. The ICO expects you to respond to routine requests regardless of the requester's motivation. Refusing a legitimate SAR exposes you to an ICO complaint and potential enforcement action.

If you refuse, you must:

  1. Explain why you consider the request vexatious or excessive
  2. Inform the requester of their right to complain to the ICO
  3. Do so within the one-month deadline

Frequently asked questions

Can an employer refuse a SAR from an employee? Only if the request is vexatious or excessive. The threshold is high — most requests must be honoured. You can withhold specific data using the exemptions above, but refusing the entire request requires strong justification.

Do I need to tell the requester which exemptions I applied? Yes. You should tell the requester that certain data has been withheld and identify the exemption relied upon. You do not need to describe the specific content of the withheld data.

What if I am not sure whether an exemption applies? Err on the side of disclosure. The ICO's guidance favours transparency — if you are uncertain whether privilege applies to a specific document, disclose it (with third-party data redacted if necessary). Where the decision is genuinely borderline, document your reasoning and seek legal advice.

Can I apply multiple exemptions to the same document? Yes. A single document could be partly withheld under legal privilege (paragraph 19) and partly redacted for third-party data. Document each decision separately.

What happens if I wrongly apply an exemption? The requester can complain to the ICO. If the ICO finds the exemption was incorrectly applied, they can order you to disclose the data. In serious cases, this may result in an enforcement notice or reprimand.

Use the SAR exemption checker for a guided walkthrough of which exemptions may apply to your situation.

For the full SAR response process including deadlines and redaction, see How to Respond to a Subject Access Request from an Employee. For deadline rules including the DUAA 2025 stop-the-clock mechanism, see Subject Access Request Time Limit UK. For tools that help document exemption decisions alongside your full SAR workflow, see DSAR Software for Small Businesses.

Exemption documentation checklist

For every SAR where you withhold data, record:

  • The specific document or data item withheld
  • Which exemption you are relying on (with the DPA 2018 paragraph reference)
  • Your written reasoning for why the exemption applies to this specific data
  • Whether the exemption is partial (some data withheld) or full (entire document withheld)
  • The date the exemption was assessed and by whom

This record is your defence if the ICO investigates. Without it, you are relying on verbal explanations after the fact — which the ICO does not find persuasive.
