Written by A Subject Access Request should be a clear route to personal data. When the organisation responding to the request is already in dispute with the requester, the issue becomes more than delay. It becomes a question of fairness, transparency, accountability and whether the ICO’s complaint process is able to address perceived conflicts before confidence in the SAR process is lost.
Publication snapshot
- Core issue: whether a SAR can be handled fairly where the controller’s chosen route involves a party connected to an ongoing dispute with the requester.
- Case context: this update concerns the author’s complaint to the ICO about Balliol Property Services and its handling of a SAR.
- Practical focus: SAR deadline, fairness, perceived conflict, ID verification, ICO complaint handling and possible escalation.
- Bottom line: a perceived conflict does not automatically prove unlawful handling, but it should trigger a clear explanation of how fairness and accountability are being protected.
Why this matters
On 13 August 2024, I reached another stage in my dispute with the Information Commissioner’s Office over the handling of my Subject Access Request to Balliol Property Services. The ICO had recognised that BPS had failed to respond to the SAR within the required timeframe. That should have been a meaningful step towards resolution.
The difficulty arose when I raised a further concern: Burnetts Solicitors, who were acting for BPS in legal matters involving me, appeared to be involved in the processing or handling of the SAR. From my perspective, that created an obvious fairness problem. A SAR is supposed to give access to personal data. It should not become entangled with litigation strategy or adversarial positioning.
The question is not whether a solicitor can ever assist a controller with a SAR. In many situations, organisations use legal advisers, data-protection officers, processors, administrators or external support when dealing with access requests. The real question is whether, in a disputed relationship, the controller can still show that the SAR was handled fairly, transparently and independently enough to protect the requester’s rights.
The core issue: where a SAR is handled through a route connected to an existing dispute, the controller should be able to explain who is handling the request, what role they have, how the searches are being conducted, and what safeguards protect the requester from unfair or incomplete disclosure.
What happened
According to my account, the ICO accepted that BPS had failed to respond to the SAR within the required timeframe. I then raised the concern that Burnetts’ involvement created a perceived conflict because of its role in legal matters involving BPS and me.
The ICO did not treat that concern as requiring the kind of intervention I had hoped for. That response is the focus of this article. It raises a practical regulatory question: when a complainant identifies an apparent conflict in the handling of a SAR, how far should the ICO go in asking the controller to explain its process?
That question matters because SARs often arise in difficult relationships: employment disputes, housing disputes, professional complaints, litigation, safeguarding disagreements, family conflict, debt disputes or disputes with public bodies. In those situations, personal data may be highly sensitive and strategically important. The fairness of the process is therefore central to public confidence.
The ICO had recognised a failure to respond to the SAR within the required timeframe.
The involvement of solicitors connected to the wider dispute created a perceived conflict in the SAR process.
The practical issue is whether the controller and regulator explained how fairness and transparency were protected.
The fairness question
The UK GDPR does not create a simple rule that a solicitor involved in a dispute can never assist with a SAR. That would overstate the position. The better criticism is narrower and stronger: where the chosen SAR handler is connected to an adversarial dispute, the controller should be able to show why the arrangement does not compromise fairness, transparency or accountability.
A SAR is not a tactical favour. It is a statutory right. If the response route makes the requester reasonably concerned that data may be withheld, filtered or approached through a litigation lens, the controller should explain the safeguards. That might include who is making disclosure decisions, who is conducting searches, whether the controller remains responsible, how exemptions are being assessed, and whether the requester’s personal data is being handled only for proper purposes.
Unsafe framing
“The ICO allowed BPS and its solicitors to manipulate the SAR process.”
Safer and stronger framing
“The involvement of dispute-connected solicitors created a perceived conflict that required a clear explanation of safeguards, role separation and controller accountability.”
That distinction is important. It avoids making unsupported findings about motive while keeping the pressure on the real issue: process integrity.
UK GDPR principles
The UK GDPR framework is built around principles including lawfulness, fairness, transparency and accountability. In a SAR dispute, those principles are not abstract. They shape how the controller should handle the request, communicate with the requester, justify delay, explain any identity checks, and remain responsible for compliance.
Fairness means the requester should not be left with a process that appears weighted against them. Transparency means the controller should explain what is happening and why. Accountability means the controller should be able to demonstrate compliance, not simply assert it.
Those principles become particularly important where the SAR is connected to a wider legal dispute. A controller may be entitled to take advice, but it should not allow the access process to be perceived as controlled by litigation interests. The ICO’s role is not to micromanage every SAR, but it should be willing to ask focused questions where the facts suggest that fairness or accountability may be at risk.
Fairness
The SAR should not be handled in a way that gives the requester a reasonable concern that the process is biased, tactical or incomplete.
Transparency
The controller should explain the deadline, any ID request, any delay, and the role of any adviser or representative involved in the response.
Accountability
The controller remains responsible for compliance and should be able to demonstrate how the SAR was handled lawfully and properly.
What the ICO route can do
The ICO complaint route is important, but it has limits. The ICO can review complaint material, ask for more information, tell an organisation to do more work to resolve a complaint or explain its position more clearly, recommend improvements and, in some cases, take regulatory action. It cannot award compensation.
That means a complainant should frame the issue precisely. The question for the ICO is not simply whether the complainant distrusts the organisation. The question is whether the available material shows a data-protection issue requiring closer scrutiny: missed deadline, inadequate response, unreasonable ID request, lack of transparency, failure to search, improper reliance on exemptions, or a process that does not demonstrate fairness and accountability.
Identify the SAR failure
Set out the request date, response deadline, any ID request, any clarification request and any response or non-response.
Identify the fairness concern
Explain why the role of a dispute-connected representative creates a perceived conflict requiring safeguards.
Ask for a specific outcome
Request clarification of the deadline, the controller’s current position, the role of any representative and what further action the ICO expects.
Preserve alternative routes
If the SAR remains unresolved or loss has been caused, consider whether direct action against the controller or legal advice is needed.
Next steps
The immediate next step is to keep the challenge focused. A general allegation that the ICO has failed is less effective than a structured request asking the ICO to address specific points: deadline, ID verification, the role of Burnetts, BPS’s continuing responsibility, and the steps needed to complete the SAR fairly.
If the ICO maintains its position, the next options should be separated carefully. An ICO review may be appropriate if the complaint outcome failed to address material evidence. A direct claim against the controller may be relevant where data-protection breaches have caused loss or distress. Judicial review of the ICO is a specialist public-law route and should not be treated as a general appeal from a disappointing outcome.
The strongest position is an evidence-led one. The issue is not simply that the process felt unfair. The issue is whether the controller and regulator can show, through documents and reasons, that the SAR was handled in a way that met the standards of fairness, transparency and accountability required by data-protection law.
Ask the ICO to address the process
Focus on the SAR clock, ID verification, representative involvement, controller responsibility and unresolved disclosure.
Consider direct action
If BPS has not complied or harm has been caused, consider whether the correct route is action against the controller.
Check before escalation
Get legal advice before threatening judicial review, issuing a claim, or publishing stronger allegations about named parties.
Source anchors
These source anchors help separate the legal framework from the author’s case-specific account and public-interest criticism.
Closing point
The ICO’s response to this type of complaint matters because SARs are often made by people already in a vulnerable or unequal position. A requester may be trying to understand decisions made about them, prepare a complaint, challenge a process, or protect themselves in a dispute.
Where a SAR response route appears connected to an adversarial legal relationship, the answer cannot simply be that the controller may choose who assists it. The controller should be able to show how fairness was protected. The ICO should be willing to test that explanation where the concern is properly raised.
The right of access is too important to become a procedural afterthought. It depends on visible fairness, clear deadlines, transparent handling and accountability that can be checked when something goes wrong.
Decision support before review, claim or escalation
Get a free written assessment before escalating a SAR dispute
Legal Lens helps complainants turn SAR disputes into structured, evidence-led next steps. The aim is practical: map the SAR chronology, identify the missed evidence, separate perceived conflict from proven breach, and decide whether ICO review, direct action, compensation or solicitor advice is the right route.
What we assess
SAR request, ICO complaint, review grounds, deadline calculation, ID verification, correspondence gaps, conflict risk and possible court route.
Use it before
Requesting ICO review, sending a letter before action, filing a claim, or raising a perceived conflict involving a named firm or organisation.
What you get
A concise written view on the strongest next route, missing evidence, legal risk and whether solicitor review is needed before action.
Independent Legal Lens consultancy. This is not a regulated solicitors’ firm. A preliminary assessment is not a substitute for regulated legal advice where that is needed.