
Latest updates

28 November 2023 - We have made updates to the section ‘Functions designed to protect the public’ under ‘What other exemptions are there?’. The guidance now makes clear that personal data is exempt from the right of access if you handle it to perform one of the six functions designed to protect the public, or enable another body to perform those functions.

In more detail

Crime and taxation: general

There are two parts to this exemption. Firstly, personal data processed for crime and taxation-related purposes is exempt from the right of access. These purposes are:

  • the prevention or detection of crime;
  • the apprehension or prosecution of offenders; or
  • the assessment or collection of a tax or duty or an imposition of a similar nature.

However, the exemption applies only to the extent that complying with a SAR is likely to prejudice the crime and taxation purposes set out above. You need to judge whether or not this is likely in each case. You should not use the exemption to justify denying access to whole categories of personal data, if its disclosure is unlikely to prejudice the crime and taxation purposes.

Example

A bank conducts an investigation into one of its customers for suspected financial fraud. During the investigation, the bank receives a subject access request from the customer in question for all of the personal data it holds about them. The bank decides to withhold information about the investigation, because disclosure would be likely to prejudice the investigation (for example, the individual may abscond or destroy evidence). However, the bank is still able to provide other information in response to the request that would not prejudice the investigation (for example, the individual’s account details and transactions).

The second part of this exemption applies when another controller obtains personal data processed for any of the reasons mentioned above for the purposes of discharging statutory functions. The controller that obtains the personal data is exempt from complying with a SAR to the same extent that the original controller was exempt.

Note that if you are a competent authority processing personal data for law enforcement purposes (eg the police conducting a criminal investigation), your processing is subject to the rules of Part 3 of the DPA 2018. See our guidance on law enforcement processing for information on how individual rights may be restricted when competent authorities process personal data for law enforcement purposes. If you are an intelligence service under Part 4 of the DPA 2018, please see our guidance on intelligence services processing.

Crime and taxation: risk assessment

Personal data is exempt from the right of access if it is in a classification applied to an individual as part of a risk assessment system.

A government department, local authority or another authority administering housing benefit must operate the risk assessment system, for the purposes of:

  • the assessment or collection of a tax or duty or an imposition of a similar nature; or
  • the prevention or detection of crime or the apprehension or prosecution of offenders, where the offence involves the unlawful use of public money or an unlawful claim for payment out of public money.

However, the exemption only applies to the extent that complying with a SAR would prevent the risk assessment system from operating effectively.

Legal professional privilege

Personal data is exempt from the right of access if it consists of information:

  • to which a claim to legal professional privilege (or confidentiality of communications in Scotland) could be maintained in legal proceedings; or
  • in respect of which a professional legal adviser owes a duty of confidentiality to his client.

This exemption covers the two branches of legal professional privilege recognised in English law: ‘litigation’ privilege and ‘legal advice’ privilege. In broad terms, the former applies to confidential communications between a client, a professional legal adviser and a third party, but only where litigation is contemplated or in progress. The latter applies only to confidential communications between a client and a professional legal adviser for the purpose of seeking or obtaining legal advice.

The Scottish law concept of confidentiality of communications provides protection for both communications about the obtaining or providing of legal advice and communications made in connection with legal proceedings. You may withhold information that comprises confidential communications between client and professional legal adviser under the legal privilege exemption, in the same way that you may withhold information attracting English law ‘legal advice’ privilege. Similarly, the Scottish law doctrine that a litigant is not required to disclose material they have brought into existence for the purpose of preparing their case protects information that, under English law, enjoys ‘litigation’ privilege.

Legal professional privilege is only available for communications that are:

  • confidential in nature;
  • except where litigation is in contemplation, made solely between client and professional legal adviser acting in a professional capacity; and
  • made for the dominant purpose of obtaining or providing legal advice or being used by lawyers in possible or probable litigation.

A communication is a document that conveys information and it can take any form, including a letter, report, email, memo, photograph, note of a conversation or an audio or visual recording. It can also include draft documents prepared, eg with the intention of putting them before a legal adviser.

Functions designed to protect the public

Personal data is exempt from the right of access if you handle it to perform one of six functions designed to protect the public, or enable another body to perform those functions. However, this exemption only applies to the extent that complying with a SAR would be likely to prejudice the proper discharge of any of these functions. If you can comply with a SAR without causing prejudice to any of these functions, then you must do so.

The first four functions are to:

  1. protect the public against financial loss due to the seriously improper conduct (or unfitness or incompetence) of financial services providers, or in the management of bodies corporate, or due to the conduct of bankrupts;
  2. protect the public against seriously improper conduct (or unfitness or incompetence);
  3. protect charities or community interest companies against misconduct or mismanagement in their administration, to protect the property of charities or community interest companies from loss or misapplication or to recover the property of charities or community interest companies; or
  4. secure workers’ health, safety and welfare or to protect others against health and safety risks in connection with (or arising from) someone at work.

However, for a controller to rely upon this exemption, one of the functions above must be:

  • conferred on a person by enactment;
  • a function of the Crown; or
  • of a public nature and exercised in the public interest.

The fifth function is to:

  5. protect the public from maladministration, or a failure in services provided by a public body, or from the failure to provide a service that it is a function of a public body to provide.

A controller may rely on this exemption only where one of the above functions has been conferred on the:

  • Parliamentary Commissioner for Administration;
  • Commissioner for Local Administration in England;
  • Health Service Commissioner for England;
  • Public Services Ombudsman for Wales;
  • Northern Ireland Public Services Ombudsman;
  • Prison Ombudsman for Northern Ireland; or
  • Scottish Public Services Ombudsman.

The sixth function must be conferred by enactment on the Competition and Markets Authority. This function is to:

  6. protect members of the public from business conduct adversely affecting them, to regulate conduct (or agreements) preventing, restricting or distorting commercial competition, or to regulate undertakings abusing a dominant market position.

Regulatory functions relating to legal services, the health service and children’s services

Personal data is exempt from the right of access if you process it for the purposes of discharging a function of:

  • the Legal Services Board;
  • considering a complaint under:
    • Part 6 of the Legal Services Act 2007,
    • Section 14 of the NHS Redress Act 2006,
    • Section 113(1) or (2), or Section 114(1) or (3) of the Health and Social Care (Community Health and Standards) Act 2003,
    • Section 24D or 26 of the Children Act 1989, or
    • Part 2A of the Public Services Ombudsman (Wales) Act 2005; or
  • considering a complaint or representations under Chapter 1, Part 10 of the Social Services and Well-being (Wales) Act 2014.

The exemption only applies to the extent that complying with a SAR would be likely to prejudice the proper discharge of your functions. If you can comply with a SAR and discharge your functions as normal, you cannot rely on the exemption.

Other regulatory functions

Personal data is exempt from the right of access if an organisation processes it for the purpose of discharging a regulatory function. The exemption is only available to the following bodies and persons:

  • the ICO;
  • the Scottish Information Commissioner;
  • the Pensions Ombudsman;
  • the Board of the Pension Protection Fund;
  • the Ombudsman for the Board of the Pension Protection Fund;
  • the Pensions Regulator;
  • the Financial Conduct Authority;
  • the Financial Ombudsman;
  • the investigator of complaints against the financial regulators;
  • a consumer protection enforcer (other than the Competition and Markets Authority);
  • the monitoring officer of a relevant authority;
  • the monitoring officer of a relevant Welsh authority;
  • the Public Services Ombudsman for Wales; or
  • the Charity Commission.

The exemption only applies to the extent that complying with a SAR would be likely to prejudice the proper discharge of your functions. If you can comply with a SAR and discharge your functions as normal, you cannot rely on the exemption.

Judicial appointments, independence and proceedings

Personal data is exempt from the right of access if you process it:

  • for the purposes of assessing a person’s suitability for judicial office or the office of Queen’s Counsel;
  • as an individual acting in a judicial capacity; or
  • as a court or tribunal acting in its judicial capacity.

Additionally, even if you do not process personal data for the reasons above, you are also exempt from the right of access to the extent that complying with a SAR would be likely to prejudice judicial independence or judicial proceedings.

Journalism, academia, art and literature

Personal data is exempt from the right of access if you process it for:

  • journalistic purposes;
  • academic purposes;
  • artistic purposes; or
  • literary purposes.

Together, these are known as the ‘special purposes’.

However, the exemption only applies to the extent that:

  • as controller for the processing of personal data, you reasonably believe that compliance with a SAR would be incompatible with the special purposes (this must be more than just an inconvenience);
  • the processing is being carried out with a view to the publication of some journalistic, academic, artistic or literary material; and
  • you reasonably believe that the publication of the material would be in the public interest, taking into account the special importance of the general public interest in freedom of expression, any specific public interest in the particular subject, and the potential to harm individuals.

When deciding whether it is reasonable to believe that publication would be in the public interest, you must (if relevant) have regard to the:

  • BBC Editorial Guidelines;
  • Ofcom Broadcasting Code; or
  • Editors’ Code of Practice.

If you rely upon this exemption and the individual makes a complaint to the ICO, we expect you to be able to explain why you require the exemption in each case, and how and by whom this was considered at the time. The ICO does not have to agree with your view – but we must be satisfied that you had a reasonable belief.

Research and statistics

There is an exemption from the right of access if you process personal data for:

  • scientific or historical research purposes; or
  • statistical purposes.

This exemption only applies:

  • to the extent that complying with the SAR would prevent or seriously impair the achievement of the purposes for processing;
  • if the processing is subject to appropriate safeguards for individuals’ rights and freedoms (see Article 89(1) of the UK GDPR) – among other things, you must implement data minimisation measures;
  • if the processing is not likely to cause substantial damage or substantial distress to an individual;
  • if the processing is not used for measures or decisions about particular individuals, except for approved medical research; and
  • if the research results are not made available in a way that identifies individuals.

Archiving in the public interest

There is an exemption from the right of access if you process personal data for archiving purposes in the public interest.

This exemption only applies:

  • to the extent that complying with the SAR would prevent or seriously impair the achievement of the purposes for processing;
  • if the processing is subject to appropriate safeguards for individuals’ rights and freedoms (see Article 89(1) of the UK GDPR) – among other things, you must implement data minimisation measures;
  • if the processing is not likely to cause substantial damage or substantial distress to an individual; and
  • if you are not using the processing for measures or decisions about particular individuals, except for approved medical research.

Health, education and social work data

The exemptions that may apply when a SAR relates to personal data included in health, education and social work data are explained in detail in ‘What should we do if the request involves information about other individuals?’, ‘Health data’, ‘Education data’ and ‘Social work data’.

Child abuse data

Child abuse data is personal data consisting of information about whether the data subject is or has been the subject of, or may be at risk of, child abuse. This includes physical injury (other than accidental injury) to, and physical and emotional neglect, ill-treatment and sexual abuse of, an individual aged under 18.

You are exempt from providing child abuse data in response to a SAR if you receive a request (in exercise of a power conferred by an enactment or rule of law) from someone:

  • with parental responsibility for an individual aged under 18; or
  • appointed by a court to manage the affairs of an individual who is incapable of managing their own affairs.

But the exemption only applies to the extent that complying with the request would not be in the best interests of the child.

This exemption can only apply in England, Wales and Northern Ireland. It does not apply in Scotland.

Management information

An exemption applies to personal data that you process for management forecasting or management planning about a business or other activity. Such data is exempt from the right of access to the extent that complying with a SAR would be likely to prejudice the conduct of the business or activity.

Example

The senior management of an organisation are planning a reshuffle. This is likely to involve making certain employees redundant, and this possibility is included in management plans. Before the organisation reveals the plans to the workforce, an employee makes a subject access request. In responding to that request, the organisation does not have to reveal their plans to make the employee redundant, if doing so would be likely to prejudice the conduct of the business (perhaps by causing staff unrest before the management’s plans are announced).

Negotiations with the requester

Personal data that is a record of your intentions in negotiations with an individual is exempt from the right of access. This only applies to the extent that complying with a SAR would be likely to prejudice the negotiations.

Example

An individual makes a claim to his insurance company. The claim is for compensation for personal injuries he sustained in an accident. The insurance company disputes the seriousness of the injuries and the amount of compensation they should pay. An internal paper sets out the company’s position on these matters, including the maximum sum they are willing to pay to avoid the claim going to court. If the individual makes a subject access request to the insurance company, they do not have to send him the internal paper – because doing so would be likely to prejudice the negotiations to settle the claim.

The exemption does not set out any limits regarding the timing of negotiations, nor does it say that you can only withhold information where negotiations are still ongoing. Therefore, you may be able to apply the exemption after negotiations have ended, but only if you can justify why disclosure would be likely to prejudice negotiations. This may be most relevant where you can demonstrate that disclosure would prejudice your position in future negotiations.

Confidential references

From time to time you may give or receive references about an individual. The personal data included in a confidential reference is exempt from the right of access where the reference is given or received for the purpose of prospective or actual:

  • education, training or employment of an individual;
  • placement of an individual as a volunteer;
  • appointment of an individual to office; or
  • provision of any service by an individual.

The exemption applies regardless of whether you have given or received the reference.

Example

Company A provides an employment reference in confidence for one of their employees to company B. If the employee makes a subject access request to company A or company B, the reference is exempt from disclosure.

It is important to note that this exemption only applies to references given in confidence. You should make it clear to individuals, and those providing references, whether you will treat references confidentially or adopt a policy of openness. You should do this through the privacy information you provide. For more information see our guidance on the right to be informed.

You should bear in mind that it is good data protection practice to be as open as possible with individuals about information which relates to them. They should be able to challenge information that they consider to be inaccurate or misleading, particularly when, as in the case of a reference, this may have an adverse impact on them.

Exam scripts and exam marks

There is an exemption from the right of access relating to information about the outcome of academic, professional or other examinations, but it only applies to the information recorded by candidates. This means candidates do not have the right to copies of their answers to the exam questions.

The information recorded by the person marking the exam is not exempt. However, if an individual makes a SAR for this information before the results are announced, special rules apply to how long you have to comply with the request. You must provide the information within:

  • five months of receiving the request; or
  • 40 days of announcing the exam results, if this is earlier.

Other exemptions

The exemptions mentioned in this chapter are those most likely to apply in practice. However, the DPA 2018 contains additional exemptions that may be relevant when dealing with a SAR. For more information please see our guidance about exemptions.