The Shadows of Compliance: Unmasking Legal Evasion

Exposing Overreaching Redactions: A Case Study in UK GDPR Compliance Challenges

SAR case commentary

Subject Access Requests are intended to give people practical access to their personal data. But when a response is heavily redacted, relies on legal professional privilege, and appears to mirror wording used elsewhere, the data subject may be left unable to test whether the right of access has been honoured or only formally answered.

Category: Case commentary
Jurisdiction: UK data protection / England & Wales privilege
Reading time: c. 8 minutes
Last reviewed: 1 June 2026
By-line: Legal Lens

Publication snapshot

  • The right of access is not satisfied by volume alone. A large disclosure can still be difficult to test if key context is removed.
  • The complainant says SAR responses involving Naylors Gavin Black and Muckle LLP raised concerns about redaction, privilege and similarity of wording.
  • Legal professional privilege can be a valid exemption, but exemptions should be applied carefully, documented and capable of justification.
  • The practical question is whether the data subject received enough information to understand what was withheld, why it was withheld, and whether the response could be meaningfully challenged.

Why this matters

A Subject Access Request is often the first route a person has to understand what an organisation holds about them. That matters where the personal data sits inside emails, internal notes, legal correspondence, property records, complaint files, instructions, chronologies or decision-making records.

The right of access becomes difficult to use where the response removes so much context that the data subject cannot identify who was involved, what data was processed, what exemption is being relied on, or whether the withheld material genuinely falls outside disclosure. The issue is not simply whether redactions appear on the page. The issue is whether the response remains intelligible and capable of being tested.

The accountability question: can the requester understand what personal data has been disclosed, what has been withheld, the basis for withholding it, and whether the controller has applied the exemption to the facts rather than as a blanket response?

The redaction problem

The complainant says that Naylors Gavin Black’s SAR response contained extensive redactions, including redactions to email “to” and “from” fields. On that account, the concern is that the redactions made it difficult to test whether legal professional privilege or another exemption had been applied properly.

That is a significant practical issue. In some cases, redacting names, email addresses or third-party material may be justified. But if the sender, recipient, domain, date context, subject matter and explanation are all removed, the response may leave the data subject unable to understand whether the withheld material was legal advice, litigation material, third-party data, confidential business material, or something else.

What may be legitimate

Redaction may be appropriate where disclosure would reveal another person’s personal data, legally privileged material, confidential advice, or information covered by a specific exemption.

What becomes difficult

If the response gives no meaningful context, the requester may be unable to test whether the exemption is properly engaged or whether the search was adequate.

What should be recorded

The controller should be able to explain the exemption relied on, the category of information withheld, and why disclosure would not be appropriate.

What the requester should preserve

Keep the SAR, the disclosure bundle, covering letter, redaction explanations, follow-up correspondence and any ICO complaint or outcome.

The privilege question

Legal professional privilege is not a loophole. It is a recognised protection for confidential legal communications. In England and Wales it includes legal advice privilege and litigation privilege. But a privilege claim still needs careful handling in a SAR context, because the exemption does not automatically cover every document touched by a lawyer or every communication within a dispute.

The complainant’s concern is that the redactions were broad enough to obscure whether the relevant communications were genuinely privileged. That concern should be put carefully. The safer criticism is not that privilege was necessarily misused, but that the response may not have provided enough information to allow the privilege claim to be understood or tested.

The safer test

The question is not whether a controller must disclose privileged legal advice. The question is whether the controller has identified and applied the exemption with enough care, specificity and accountability to show that it is not being used as a blanket answer to a wider access request.

The coordination concern

The complainant also says that a separate SAR to Muckle LLP produced a response with similar formatting, wording and phrasing to the response from Naylors Gavin Black. The concern raised is that Muckle LLP may have been more involved in the preparation of the Naylors Gavin Black response than was apparent from the responses received.

Similarity of wording does not prove coordination, concealment or wrongdoing. It may reflect template drafting, standard advice, shared regulatory language, or ordinary professional input. But where a data subject has asked about who holds their data, who has processed it, and what role a legal adviser played, unexplained similarity may justify a focused follow-up question.

Benign explanation

The responses may use standard SAR wording, common legal terminology, similar templates, or advice limited to general compliance.

Accountability concern

If one firm materially drafted, shaped or influenced another controller’s response, the requester may ask what personal data was shared, why, and under what lawful basis.

Evidence needed

The issue requires document comparison, correspondence, instructions, engagement records, privilege logs, processing records and any explanation given by the firms.

What a fair SAR response should show

A fair SAR response does not have to disclose everything. It does have to be capable of being understood. Where exemptions are applied, the response should normally make sufficiently clear, where possible, what has been withheld and why.

1. The scope searched

The response should help the requester understand which teams, systems, files, accounts or date ranges were searched.

2. The data disclosed

The requester should receive a copy of their personal data unless an exemption, third-party issue or other lawful limit applies.

3. The material withheld

The controller should explain, where possible, the categories of information withheld and the basis for relying on an exemption.

4. The route to challenge

The requester should be told how to complain internally, complain to the ICO and, where appropriate, consider court enforcement or compensation routes.

The practical route

Where a SAR response is heavily redacted or appears coordinated with another organisation, the response should be challenged with precision. The strongest follow-up is not a general accusation. It is a structured request for explanation.

1. Identify the redaction pattern

List examples by page, email, date, field, attachment or category. Distinguish sender/recipient redactions from content redactions.

2. Ask for the exemption basis

Request the specific exemption or legal basis relied on for each category of withholding, without demanding privileged content itself.

3. Ask about third-party involvement

Where another firm appears involved, ask what personal data was shared, when, why, under what role, and whether the other firm is a controller, processor or recipient.

4. Preserve the comparison

Keep both SAR responses, covering letters, formatting similarities, repeated wording and the chronology of who said what and when.

5. Escalate proportionately

Use internal complaint routes first where appropriate, then consider an ICO complaint, direct enforcement route, or legal advice if the missing data affects another dispute.

Source anchors

These official sources help readers separate the legal right, exemption framework, complaint route and enforcement options:

Closing point

The right of access is weakened when a person cannot tell what has been disclosed, what has been withheld, or why. Heavy redaction and privilege claims may sometimes be justified. But they must be capable of explanation. The standard should be practical transparency: enough information for the data subject to understand the response, enough discipline for the controller to justify it, and enough accountability for the regulator or court to test it if challenged.

Legal Lens decision support

If your SAR response is heavily redacted, relies on privilege, or appears to involve another organisation, the next step should be evidence-led. A focused review can help separate a legitimate exemption from a poor explanation, an inadequate search, or a wider complaint route.

  • Redaction patterns
  • Privilege explanations
  • ICO complaint strategy

What to send

The original SAR, both responses if comparison is needed, the redacted documents, privilege wording and any complaint replies.

What the review tests

Whether the issue is missing personal data, poor exemption reasoning, inadequate search, third-party data, privilege, or complaint strategy.

What it does not promise

It does not guarantee disclosure, provide regulated legal services, or replace solicitor advice where litigation or privilege issues are live.

Independent Legal Lens consultancy. This is not a regulated solicitors’ firm. A preliminary assessment is not a substitute for regulated legal advice where that is needed.

This article is general public-interest commentary and practical legal education. It is not legal advice. SAR disputes, privilege disputes, regulatory complaints, court applications and publication about named organisations are fact-sensitive and may require specialist legal review.
