Subject access exemptions under the DPA 1998 [Archived]
Subject access exemptions under the DPA 1998 [Archived]

The following Risk & Compliance guidance note provides comprehensive and up to date legal information covering:

  • Subject access exemptions under the DPA 1998 [Archived]
  • Guidance from the Information Commissioner
  • Subject access exemptions—generally
  • Confidential references given by the data controller
  • Publicly available information
  • Crime and taxation
  • Management information
  • Negotiations with the requester
  • Regulatory activity
  • Legal advice and proceedings
  • more

ARCHIVED: This archived Practice Note provides information on the data protection regime before 25 May 2018 and reflects the position under the Data Protection Act 1998 (DPA 1998). This Practice Note is for background information only and is not maintained.

Sections 7 and 8 of the DPA 1998 set out a data subject’s right of access to personal data held by a data controller. A request for this information is known as a subject access request (and is also commonly referred to as a ‘SAR’ or ‘DSAR’).

The starting point for handling any SAR is to confirm that procedural requirements have been met by the person making the request. For more information, see Practice Note: Subject access requests under the DPA 1998.

This Practice Note examines the limited exemptions under DPA 1998 that permit a data controller to withhold personal data from a data subject that has made a data SAR.

Such exemptions relate to:

  1. confidential references given by the data controller

  2. publicly available information

  3. crime and taxation

  4. management information

  5. negotiations with the requester

  6. regulatory activity

  7. legal advice and proceedings

  8. journalism, literature and art

  9. research, history and statistics

  10. health, education and social work records

  11. domestic purposes

  12. corporate finance

  13. self-incrimination

  14. special exemptions in the interest of the state

  15. dealing with information about third parties

For an explanation of key terms mentioned in this Practice Note, such