Keyhole of Corruption

When Law Firms Obstruct Subject Access Requests: A Personal Experience

Subject access requests · Law firms · Data transparency

After a short pause in Legal Lens publications, this article returns to a core accountability issue: what happens when a subject access request becomes entangled with a legal dispute, a former opposing solicitor, and silence from the organisations that hold the data. The right of access should create transparency. In this account, it became another battleground.

Category: Data protection case study
Jurisdiction: United Kingdom
Reading time: c. 8 minutes
Last reviewed: 1 June 2026
By-line: John Barwell, Legal Lens

Publication snapshot

  • This article sets out a first-person account of a disputed SAR made to Balliol Property Services in April 2024.
  • The central concern is the involvement of Burnetts Solicitors LLP, a firm said to have previously acted for the landlord in a related dispute.
  • The article distinguishes the author’s concerns from any final legal, regulatory or judicial finding against the organisations named.

Reader note: this article is public-interest commentary based on the author’s account and documents available at the time of writing. References to alleged SAR mishandling, conflict of interest, non-response, data-protection breach or obstruction are made as criticism and analysis, and should not be read as findings of unlawful conduct unless established by a court, tribunal, regulator, ombudsman or other competent authority.

A short publication update

Legal Lens has recently paused regular article publication while work continued on new tools and resources to support litigants in person, consumers, whistleblowers and others dealing with complex legal and regulatory problems. Thank you for your patience during that period.

We are now resuming publication with an issue that goes to the heart of transparency: the obstruction, delay or mishandling of subject access requests, especially where those requests intersect with legal disputes and professional representatives.

The SAR background

In April 2024, I submitted a subject access request to Balliol Property Services. The purpose was straightforward: to obtain personal data held about me and understand how that data had been processed in the context of a wider dispute.

A subject access request should be a practical route to transparency. It allows a person to ask an organisation whether it is using or storing their personal information and to obtain copies of that information, subject to lawful limits and exemptions.

What followed, in my experience, was not a straightforward data-rights process. Instead of responding directly and transparently, Balliol Property Services forwarded the matter to Burnetts Solicitors LLP. That immediately raised concerns because Burnetts had previously acted for my landlord in a related legal dispute against me.

The core concern

The issue is not whether an organisation may ever involve lawyers in a SAR response. The issue is whether the controller remains accountable, whether the requester is told who is processing the request and why, and whether a former opposing legal representative should be involved in handling the requester’s personal data without clear safeguards.

The involvement of Burnetts Solicitors

The response I received came from the same solicitor at Burnetts who had represented my landlord. The response requested proof of identity. Identity verification can be legitimate where an organisation is not satisfied that the requester is who they say they are. But in this case, the request caused concern because Burnetts already held identification material from prior dealings, including in connection with my Will and a separate matter only two months earlier.

I asked why further identification was necessary and what role Burnetts was playing in processing my SAR. I also asked for clarity about the legal basis for their involvement. Those questions were not, in my view, answered properly.

That silence matters. Where a SAR is being handled by an organisation’s former litigation solicitors, transparency is essential. The requester should be able to understand whether the law firm is acting as legal adviser, processor, representative, independent reviewer, or in some other capacity. Without that clarity, the requester cannot properly assess whether their data rights are being handled lawfully and impartially.

ICO involvement and the limits of regulatory remedy

I escalated the issue to the Information Commissioner’s Office. On my account, the ICO determined that Balliol Property Services had not fulfilled its data-protection obligations. That was significant, because it supported my concern that the SAR had not been handled properly.

However, a regulatory finding or indication is only part of the problem. The practical question is whether the individual then receives a lawful and complete response. In my case, despite ICO involvement, the handling of the request did not, in my view, become transparent or satisfactory.

When I recontacted Balliol Property Services, my request was again routed through Burnetts. This time, the response came from Burnetts’ dispute resolution department rather than what I would have expected to be a data-protection or compliance route. That intensified my concern that the SAR was being treated as an adversarial dispute-management issue rather than a rights-based data-access process.

The accountability gap

If a regulator identifies concern but the requester still does not receive a clear, lawful and complete response, the right of access risks becoming theoretical rather than practical.

Continued correspondence and unresolved concerns

On 20 August 2024, I wrote to Balliol Property Services requesting disclosure of the bailiff company involved in a lockout at my premises and all correspondence relating to me between July 2023 and August 2024. I also raised concerns about Burnetts’ involvement and asked that an independent third-party legal firm be used if legal support was genuinely required to process the SAR.

On 29 August 2024, I received a response from Burnetts asking again for proof of identity and directing me not to contact Balliol Property Services directly about the SAR. I regard that direction as a serious concern. A data subject should not be prevented from contacting the data controller about their own personal data. If an organisation chooses to use a representative, that does not remove the controller’s responsibility for compliance.

On 30 August 2024, I sent a final notice to Balliol Property Services and Burnetts. I set out my concerns about delegation, conflict, continued involvement by Burnetts, identity verification and the need for a proper response. I asked that Burnetts cease involvement in the SAR process, provide an explanation for their role, and ensure the SAR was answered by 13 September 2024.

After receiving no satisfactory response, I followed up again. On 16 September 2024, I expressed my concern about continued inaction and identified potential escalation routes, including further ICO correspondence, legal redress, Companies House notification and public-interest disclosure if the matter remained unresolved.

As at 30 September 2024, I had not received what I regarded as a proper response from either Balliol Property Services or Burnetts. That silence is central to the public-interest concern in this article.

  1. April 2024
    SAR submitted to Balliol Property Services.

    The request concerned personal data held about the author.

  2. After submission
    Request routed to Burnetts Solicitors LLP.

    The author says this raised concern because Burnetts had acted for the landlord in a related dispute.

  3. 20 August 2024
    Further SAR-related request sent.

    The author asked for bailiff company details and correspondence between July 2023 and August 2024.

  4. 29 August 2024
    Burnetts response received.

    The author says this included a further ID request and a direction not to contact BPS directly about the SAR.

  5. 30 August 2024
    Final notice sent.

    The author asked for Burnetts’ involvement to cease and for the SAR to be answered by 13 September 2024.

  6. 30 September 2024
    No satisfactory response recorded.

    The author states that neither BPS nor Burnetts had provided the response sought.

Why this matters beyond one SAR

Subject access rights are especially important where there is an imbalance of power. They allow individuals to test what has been recorded, shared, assumed or relied upon by organisations that hold information about them.

If organisations can route SARs through lawyers connected to an underlying dispute, ask repeated questions without clear justification, remain silent on the basis for delegation, or discourage direct contact with the controller, the practical value of the right of access is weakened.

The wider issues

  • Controller accountability: an organisation remains responsible for how it handles a SAR.
  • Transparency of roles: requesters should know who is processing their personal data and in what capacity.
  • Conflict concerns: use of former opposing solicitors may create a serious perception problem unless clearly justified and safeguarded.
  • Identity verification: ID requests should be necessary and proportionate, not repetitive or unexplained.
  • Regulatory effectiveness: an ICO outcome should lead to practical compliance, not merely correspondence.

The integrity of the SAR process depends on openness. It should not become a continuation of litigation by other means.

A call for greater accountability

This experience highlights the need for organisations and law firms to take subject access rights seriously. A SAR is not an inconvenience to be managed away. It is a legal route by which a person can understand how their personal data is being used.

Regulators also need to treat obstruction, delay and defensive handling as access-to-justice issues. Where data is relevant to a legal dispute, delay can prejudice the individual’s ability to understand the case, challenge inaccuracies or pursue remedies.

What needs to change

  • Clearer controller responsibility: organisations should remain visibly accountable even where lawyers assist with a SAR.
  • Mandatory role explanation: where a third party handles a SAR, the requester should be told who they are, what role they perform and why they are involved.
  • Stronger conflict safeguards: involvement of litigation solicitors should be carefully justified where the requester has been in dispute with their client.
  • Better ICO follow-up: where non-compliance is identified, the regulator should focus on whether the requester actually receives a lawful response.
  • Practical enforcement routes: individuals should not have to undertake expensive proceedings to secure basic data-access rights.

Legal Lens remains committed to supporting individuals facing similar difficulties and to developing tools that help people organise evidence, track correspondence and challenge opacity in legal and regulatory processes.

The closing point

The right of access should not depend on persistence, pressure or private resources. Where organisations hold personal data, they should respond transparently, lawfully and without allowing litigation interests to obscure data-protection duties.

— John Barwell, Founder, Legal Lens

Legal Lens supports litigants in person, whistleblowers, consumers, campaigners and public-interest accountability work.

This article is public-interest commentary and general information. It is not legal advice. It is based on the author’s account and should not be read as making findings of unlawful conduct by any organisation, firm or individual named.
