Data protection accountability
A Data Subject Access Request is meant to give people practical access to their personal data. But where responses are heavily redacted, known documents appear to be missing, or exemptions are explained only in general terms, the right of access can become difficult to test. The problem is not that every redaction is wrong. The problem is that too many responses leave the data subject unable to understand what was searched, what was withheld, and why.
Publication snapshot
- The right of access is powerful only if the response is intelligible, searchable and capable of being challenged.
- Redactions may be lawful, including for legal professional privilege or third-party personal data, but they should not operate as a blanket answer.
- Document omission is often harder to prove than over-redaction because it requires the requester to know or infer what should exist.
- The ICO complaint route matters, but it may not give the data subject the same practical clarity as a proper search map, exemption schedule and disclosure log.
- The better reform direction is simple: clearer explanations, better records, proportionate search evidence and a route to independent review where responses are contested.
Why DSARs matter
A Data Subject Access Request, often shortened to DSAR or SAR, is one of the most direct ways a person can understand how an organisation is processing their personal data. It can reveal correspondence, internal notes, account information, decision records, complaint handling, lawful-basis explanations and data-sharing practices.
That makes the right of access especially important where the individual is trying to understand an adverse decision, a dispute, a professional-service file, a workplace process, a property matter, a complaint record or a regulator-facing issue. A weak response does not merely frustrate curiosity. It can prevent the person from understanding the record that has been created about them.
The practical test: after reading the response, can the data subject understand what personal data has been disclosed, what has been withheld, what searches were carried out, and what route remains open if the response is incomplete?
The redaction problem
Redaction is not inherently suspicious. Organisations may need to protect third-party personal data, privileged legal communications, confidential material or information covered by a statutory exemption. The problem arises when redactions are so broad that the response becomes practically unusable.
Where sender fields, recipient fields, dates, subject lines, document context and exemption explanations are removed, the requester may be unable to test whether the redaction is justified. A response can then appear formally compliant while failing the transparency test that makes the right of access meaningful.
Necessary redaction
Targeted withholding to protect a clearly identified interest, such as another person’s personal data or privileged legal advice.
Problematic redaction
Blanket obscuring of context without enough explanation to understand the category of material withheld or the exemption relied on.
Better standard
A category-level explanation showing what type of information has been withheld, why disclosure is refused, and how the decision was reached.
The omission problem
Omission is more difficult than redaction because it may leave no visible mark. The data subject may know that a meeting happened, a call took place, a file was opened, a third party was contacted or an internal decision was made, but the response may contain no obvious trace of it.
That is why search explanation matters. A DSAR response is stronger when the controller explains the search logic: which systems were searched, which date range was used, which teams or matter files were considered, whether archived material was checked, and whether any search limits were applied.
Search locations
Emails, matter files, case-management systems, billing records, complaint records, archives, shared drives and relevant third-party correspondence may all need consideration.
Search terms and date range
Controllers do not need to disclose every operational detail, but the requester should be able to understand the general search approach.
Known missing documents
If the requester can identify a missing email, meeting note, file note or disclosure category, the follow-up should be specific and evidence-led.
Search limits
If a controller says a wider search would be unreasonable or disproportionate, it should be able to explain why.
The ICO route
The Information Commissioner’s Office is an important route where a data subject considers that a controller has failed to comply with a DSAR. The ICO may consider complaints and, in appropriate cases, use enforcement powers.
But a complaint to the ICO is not the same thing as a full disclosure audit for the individual. The practical difficulty is that many disputes turn on detailed questions: what was searched, what was omitted, whether privilege was correctly applied, whether third-party data could have been partially disclosed, and whether a category explanation would have been possible.
The route distinction
The ICO route can test regulatory compliance. The data subject may still need a structured issue map to explain the missing documents, excessive redactions, vague exemption wording and specific remedy sought.
Case study: Naylors Gavin Black
The draft case study concerns a DSAR response involving Naylors Gavin Black. The data subject says the response raised concerns about delay, extensive redaction, vague explanation of withheld material, possible conflicts in the redaction process, and insufficient clarity about third-party data sharing.
Those concerns should be examined as questions requiring evidence rather than assumed findings. The strongest public-interest value is in the pattern: how does a data subject test a response when the controller has legal resources, controls the records, and can rely on exemptions that may be difficult to challenge without seeing the withheld material?
Timing
Was the response provided within the applicable time limit, or was an extension, clarification or identity issue properly relied on?
Redaction
Were redactions tied to specific exemptions, or did the response rely on broad category wording that was difficult to test?
Search scope
Were all obvious sources of personal data considered, including emails, file notes, matter records and third-party correspondence?
Independence
Was the decision-making process sufficiently separate from individuals or interests directly involved in the underlying dispute?
The lesson is broader than one case study. The more contested the underlying relationship, the more important it becomes for the DSAR response to show process discipline.
Better accountability mechanisms
Improving DSAR transparency does not require every withheld document to be disclosed. It requires a better way to explain and test what has happened. The following mechanisms would make contested responses easier to assess.
Disclosure decision log
A short internal record showing categories searched, exemption categories applied, and who made the decision.
Redaction schedule
A category-level schedule identifying the type of material withheld and the exemption relied on, without disclosing protected content.
Search map
A plain-English explanation of the systems, teams, date ranges and record types searched, plus any justified limits.
Independent review option
A route for contested responses to be reviewed by someone not involved in the underlying dispute or original redaction decision.
Technology-assisted checking
Carefully governed tools can help identify duplicate records, search gaps and redaction patterns, but should not replace human accountability.
Practical steps
Data subjects, controllers and policymakers each have a role in improving DSAR transparency. The aim should be a process that is easier to understand, easier to challenge and easier to defend.
For data subjects
Do: keep a document list, identify known missing material, request exemption explanations, and prepare a concise issue schedule before escalating.
For controllers
Do: document searches, apply exemptions case by case, explain redactions clearly, and separate disclosure decisions from dispute defensiveness.
For regulators
Do: encourage standardised response explanations, clearer redaction categories and better evidence of reasonable searches.
For policymakers
Do: consider whether contested DSARs need a more accessible review route before court enforcement becomes the only realistic option.
Source anchors
These sources help readers separate the right of access, exemption discipline, search obligations, timing, enforcement and reform context:
- ICO: Right of access guidance — current detailed guidance on subject access requests.
- ICO: SAR exemptions — guidance on applying exemptions, including legal professional privilege, case by case.
- ICO: Finding and retrieving relevant information — guidance on reasonable and proportionate searches.
- ICO: Responding to a SAR — guidance on timing, complexity, clarification, fees and response requirements.
- ICO: Enforcing the right of access — guidance on ICO complaints, court orders, compensation and concealment offences.
- GOV.UK: Data (Use and Access) Act 2025 factsheet — government summary of reforms affecting UK GDPR and the Data Protection Act 2018.
Closing point
The right of access should not depend on guesswork. If a response is heavily redacted or appears to omit known material, the data subject should not have to reverse-engineer the controller’s reasoning from silence. Transparency requires more than a bundle of documents. It requires a process that shows what was searched, what was withheld, why it was withheld, and how the answer can be challenged if it is wrong.
Legal Lens decision support
Redacted or incomplete DSAR response? Turn it into an issue map.
If a response is heavily redacted, appears to omit known documents, relies on privilege, or gives vague exemption wording, the next step should be structured. A focused review can convert frustration into a clear schedule of what is missing, what is unclear, and what needs to be challenged.
What the assessment can organise
Legal Lens can help build a practical DSAR response map: the request scope, response timeline, disclosed categories, missing documents, redaction patterns, exemption wording, search gaps and escalation route.
Best for
Data subjects facing heavy redaction, missing records, vague exemption wording or unclear search explanations.
What you get
A structured issue map showing what appears missing, what needs clarification and what evidence supports follow-up.
Practical output
A cleaner route for response: targeted questions, document schedule, ICO complaint structure or correspondence plan.
Independent Legal Lens consultancy. A preliminary assessment is decision support designed to help you organise the documents, issues and next step.

