SAR Exemptions Explained: When Can UK Employers Withhold Data?
Published 10 March 2026
Not everything in your files has to go into a SAR response. The Data Protection Act 2018 (Schedule 2, Part 4) contains exemptions that let you withhold specific categories of data — but only if you assess each document individually and record your reasoning.
This guide covers the DPA 2018 exemptions UK employers rely on most frequently, with a practical example for each. It is not legal advice. For SARs linked to litigation or tribunal claims, seek specialist legal counsel before applying exemptions.
How exemptions work
SAR exemptions are not blanket permissions to ignore a request. Each exemption:
- Applies to specific documents or data items, not entire categories
- Must be assessed on a case-by-case basis — you cannot exempt "all legal correspondence" or "the entire tribunal file"
- Requires written justification for each application — this is what the ICO asks for when a complaint is filed
- Can be challenged by the requester through an ICO complaint or court order
The ICO's guide to data protection exemptions is the definitive reference. The practical summary below covers the exemptions employers encounter most often.
Legal professional privilege (paragraph 19)
What it covers: Personal data that is subject to legal professional privilege. That has two limbs: legal advice privilege (confidential communications between you and your solicitor for the purpose of giving or obtaining legal advice) and litigation privilege (confidential communications, including with third parties such as an investigator, created for the dominant purpose of litigation that is pending or reasonably in contemplation).
Employer example: An ex-employee submits a SAR while a tribunal claim is ongoing. Your solicitor has sent you advice on how to respond to the tribunal claim, including assessments of the employee's conduct. This advice is privileged and can be withheld.
What it does NOT cover:
- Internal discussions about the employee that happen to mention the solicitor's involvement (the discussion itself is not privileged unless it reveals the substance of the legal advice)
- HR investigation notes that were not created for the purpose of obtaining legal advice or for the dominant purpose of pending or contemplated litigation (an investigation run as an ordinary HR process does not become privileged because a tribunal claim follows later)
- The fact that legal advice was sought (you can acknowledge it; you can withhold the content)
Common mistake: Applying privilege to the entire tribunal file. Privilege attaches to specific documents — the solicitor's advice letter, the litigation strategy memo — not to every document that happens to be in the same folder. For more on handling SARs that arrive during active tribunal proceedings, see the SAR and employment tribunal guide.
Management forecasts (paragraph 22)
What it covers: Personal data processed for management forecasting or management planning, where disclosure would prejudice the conduct of the business.
Employer example: You are planning a restructure that will result in 10 redundancies. The restructuring plan includes names of employees in the at-risk pool. An employee in the pool submits a SAR before the consultation process has been announced. Disclosing their inclusion in the redundancy plan would prejudice the proper conduct of the consultation process.
Two conditions must both be met:
- The data is being processed for management forecasting or planning
- Disclosure would prejudice the conduct of the business or activity
Once the restructuring plan is announced and the consultation begins, the exemption falls away — the data is no longer confidential management planning.
Negotiations (paragraph 23)
What it covers: Records of your intentions in negotiations with the individual, where disclosure would prejudice those negotiations.
Employer example: An employee has raised a grievance and you are considering offering a settlement. Your internal notes state: "We are prepared to offer up to £15,000 but will start at £8,000." Disclosing this to the employee would directly prejudice the negotiation.
Key limitation: This only covers your intentions — the strategy, the walk-away figure, the settlement parameters. It does not cover the facts of the situation, correspondence exchanged during the negotiation, or the outcome of the negotiation once it concludes.
Confidential references (paragraph 24)
What it covers: References given in confidence for the purposes of education, training, employment, or appointment.
Employer example: You provided a reference for a departing employee to their new employer. The reference was given in confidence. If the employee submits a SAR, you can withhold the reference you gave.
Important distinction:
- The exemption turns on the reference having been given in confidence for one of the listed purposes, not on who holds it. The DPA 1998 wording limited the exemption to references given by the data controller; the DPA 2018 wording does not, so a confidential reference you received about the employee from a previous employer can also be withheld.
- A reference that was not given in confidence, such as a bare factual confirmation of job title and dates of employment, is not covered and should be disclosed.
- The exemption is permissive, not mandatory. Withholding a received reference can look evasive where it contains nothing the referee would expect to be kept confidential, so consider disclosing it with the referee's own identifying details redacted as third-party data.
This catches employers off guard in both directions: some disclose confidential references they received because they remember the older rule, others withhold routine factual confirmations that were never confidential.
Third-party data (not an exemption — a separate rule)
Strictly, this is not one of the Part 4 exemptions but a separate rule: UK GDPR Article 15(4) says the right to a copy must not adversely affect the rights and freedoms of others, and DPA 2018 Schedule 2, Part 3, paragraph 16 sets out the test. You are not obliged to disclose information that would identify another individual unless:
- The third party has consented, or
- It is reasonable to disclose without consent
Employer example: An employee's SAR captures emails between their line manager and HR discussing performance concerns. The emails mention other team members by name. You must redact the other employees' names and identifying details unless they have consented to disclosure or disclosure is reasonable in the circumstances.
Practical approach:
- Redact names, email addresses, and identifying details of third parties
- Redact the identifying details, not the content about the requester: a colleague's comment about the requester is the requester's personal data and is disclosed; the colleague's identity is what you withhold
- Apply the factors paragraph 16(3) lists for deciding whether disclosure is reasonable: the type of information, any duty of confidentiality owed to the third party, the steps you took to seek their consent, whether they are capable of consenting, and whether they have expressly refused
- Consider whether the third party would reasonably expect their data to be disclosed in this context: a colleague copied on a routine email may not object; a whistleblower reporting misconduct almost certainly would
- Document your reasoning for each redaction decision
For a step-by-step approach to redaction — what to redact, what to leave intact, and how to log your decisions — see the SAR redaction guide.
Refusing the request entirely
Separately from withholding specific data, you can refuse an entire SAR if it is manifestly unfounded or manifestly excessive.
This threshold is retained under the Data (Use and Access) Act 2025. (The earlier Data Protection and Digital Information Bill proposed switching to "vexatious or excessive," but the enacted 2025 Act kept the existing UK GDPR wording.) In practice the ICO treats requests as manifestly unfounded or excessive only in narrow cases, for example requests intended to cause distress, not made in good faith, or that are an abuse of process.
The bar is high. Most SARs — even those submitted during tribunal disputes — are not manifestly unfounded or excessive. The ICO expects you to respond to routine requests regardless of the requester's motivation. Refusing a legitimate SAR exposes you to an ICO complaint and potential enforcement action.
If you refuse, you must:
- Explain why you consider the request manifestly unfounded or excessive
- Inform the requester of their right to complain to the ICO
- Do so within the one-month deadline
Frequently asked questions
Can an employer refuse a SAR from an employee? Only if the request is manifestly unfounded or excessive. The threshold is high — most requests must be honoured. You can withhold specific data using the exemptions above, but refusing the entire request requires strong justification.
Do I need to tell the requester which exemptions I applied? Yes. You should tell the requester that certain data has been withheld and identify the exemption relied upon. You do not need to describe the specific content of the withheld data. The one caveat is where naming the exemption would itself reveal what it protects, for example confirming that management forecast data about the requester exists; in that case say only that data has been withheld under an exemption and record the fuller reasoning internally.
What if I am not sure whether an exemption applies? For most exemptions, err on the side of disclosure. The ICO's guidance favours transparency, and over-disclosure of your own planning notes is rarely harmful. Legal professional privilege is the exception: once a privileged document is disclosed to the other side, privilege is waived and cannot be reclaimed, so do not default to disclosure there. Where the decision is genuinely borderline, document your reasoning and seek legal advice before sending the response.
Can I apply multiple exemptions to the same document? Yes. A single document could be partly withheld under legal privilege (paragraph 19) and partly redacted for third-party data. Document each decision separately.
What happens if I wrongly apply an exemption? The requester can complain to the ICO. If the ICO finds the exemption was incorrectly applied, they can order you to disclose the data. In serious cases, this may result in an enforcement notice or reprimand.
Use the SAR exemption checker for a guided walkthrough of which exemptions may apply to your situation.
For the full SAR response process including deadlines and redaction, see How to Respond to a Subject Access Request from an Employee. For deadline rules including the DUAA 2025 stop-the-clock mechanism, see Subject Access Request Time Limit UK. For tools that help document exemption decisions alongside your full SAR workflow, see DSAR Software for Small Businesses.
Exemption documentation checklist
For every SAR where you withhold data, record:
- The specific document or data item withheld
- Which exemption you are relying on (with the DPA 2018 paragraph reference)
- Your written reasoning for why the exemption applies to this specific data
- Whether the exemption is partial (some data withheld) or full (entire document withheld)
- The date the exemption was assessed and by whom
This record is your defence if the ICO investigates. Without it, you are relying on verbal explanations after the fact — which the ICO does not find persuasive.
Related guides
Subject Access Request Response: A Step-by-Step Guide for UK Employers
How UK employers respond to a subject access request — the one-month deadline, ID verification, search scope, exemptions, and the audit trail the ICO expects.
Subject Access Request Redaction: What UK Employers Can and Can't Remove
How to redact third-party data and apply exemptions in SAR responses — what UK employers can remove, what they must keep, and how to document redaction decisions.
Subject Access Requests and Employment Tribunals: What UK Employers Need to Know
How to handle a SAR during tribunal proceedings — your legal obligations, exemption decisions, timing considerations, and what happens if you get it wrong.