The ICO exists to empower you through information.

Organisations don't always have to give you all or any of the information you request.

An organisation may withhold some, or all, of your personal information because of an exemption. Exemptions are in the law to protect particular types of information or how certain organisations work.

When organisations use an exemption, they normally need to:

  • tell you why they are not completing your request for information;
  • explain their decision; and
  • tell you how you can challenge their decision (eg by submitting a complaint).

Sometimes it's acceptable for an organisation to refuse some or all of your request without telling you why.

Organisations don’t always need to tell you if they do or don’t hold the requested information.

We have listed examples of some common exemptions:

'Manifestly unfounded' requests

Manifestly unfounded means the organisation believes you're not making a subject access request (SAR) because you truly want to exercise your legal right of access.

Examples of when your request may be manifestly unfounded include:

  • having no clear intention of exercising your right of access (eg if you make a request but then offer to withdraw it in return for some form of benefit from the organisation); or
  • if you are using your request to harass an organisation or cause disruption.

To come to this decision, the organisation must consider each request on a case-by-case basis. They must also explain their reasoning to you and us if necessary.

'Excessive' requests

There is no set meaning of what makes a subject access request ‘excessive’. However, organisations should consider whether the request is clearly unreasonable.

Examples of when your request may be excessive include when:

  • it overlaps with other, previous requests for similar information (particularly if the organisation hasn’t had the chance to respond to your first request); or
  • your request asks for the same information as previous requests, but not enough time has passed (eg you’re aware your information hasn’t changed).

To come to this decision, the organisation must consider each request on a case-by-case basis. They must also explain their reasoning to you.

Information about other people

Responding to a SAR may involve giving out information about other people.

Organisations must respect your right to get copies of your information. However, they must also protect other people's rights over their information. This means that if another person's information is included in the requested documents (eg that of a family member or colleague), the organisation might redact it or not provide it at all.

However, you may receive information which identifies another person in response to your SAR if:

  • that person gives their permission; or
  • it is reasonable for the organisation to comply with your request without the other person’s permission.

Legal professional privilege

If your personal information is discussed or included in confidential communications between the organisation and their legal advisors (including in-house legal teams), they don’t have to give it to you as part of your request. This information is considered ‘privileged’, which means it should remain confidential between the organisation and the legal team.

For example:

  • if your insurance company asks for legal advice about a claim dispute involving you; or
  • an employer asks for legal advice about a disciplinary matter involving you.

In those two examples, a response to a SAR would not include that information, even though it is about you.