Data Controllers Undermining GDPR Subject Access Requests

The Troubling Trend of Data Controllers Undermining Subject Access Requests

Subject access requests · Transparency · Accountability

A subject access request is not meant to be a controlled narrative exercise. It is a legal route through which a person can obtain their personal information and understand how it is being used. Where a controller responds with heavy redaction, vague exemptions, processor-led review or silence about disputed records, the practical question becomes simple: can the controller show a lawful, transparent and accountable route from request to response?

Category
Data protection
Jurisdiction
United Kingdom
Reading time
c. 12 minutes
Last reviewed
4 July 2026
By-line
Legal Lens

Publication snapshot

This article examines how subject access requests can lose their practical value when a response is framed around the controller's preferred account rather than the data subject's statutory right of access. It focuses on UK GDPR accountability, redaction, exemptions, processor involvement, legal-sector conflicts and the evidence a requester should preserve when challenging an incomplete or opaque SAR response.

Reader note: this article is public-interest commentary and practical legal education. References to SAR handling, redaction, processor involvement, conflicts, regulatory response and data-controller accountability are criticism and analysis. They should not be read as findings of misconduct, dishonesty, data misuse, unlawful concealment, professional wrongdoing or regulatory failure by any named person, firm, controller, processor, regulator or public body unless established by a competent court, tribunal, regulator, ombudsman, inquiry, audit report or official decision.

The right of access

The right of access gives people the right to obtain a copy of their personal information and supplementary information about how that information is used. It is not merely an administrative courtesy. It helps a person understand whether their information is being processed lawfully, what categories of information are held, who receives it, how long it is kept and what rights or complaint routes may be available.

That purpose matters because a SAR often arises when trust has already broken down. The requester may be in a workplace dispute, a complaint process, a regulatory dispute, a legal services dispute, a housing dispute, a safeguarding matter or a conflict with an organisation that controls the relevant records. In that context, the controller's response may shape the person's ability to understand the facts.

The controller does not have to disclose everything it holds. The right of access is a right to personal information, not a general disclosure exercise or litigation disclosure route. But where the response is incomplete, heavily redacted or unclear, the controller should be able to explain the legal and evidential basis for what it has done.

Narrative control

A recurring concern in SAR disputes is narrative control. The requester asks for their data, but the response seems to preserve the organisation's version of events. Material that supports the organisation is disclosed clearly. Material that may test that account is absent, redacted, described generally or said to fall outside scope.

That does not prove bad faith. A controller may lawfully withhold information because it is not personal data, relates to third parties, is privileged, falls within an exemption, is not held, or cannot be found after a reasonable and proportionate search. But a controller should not use those concepts as labels without discipline. The stronger question is not whether the requester suspects manipulation. It is whether the controller can show the route from request, to search, to review, to redaction, to exemption, to final response.

That route is the safeguard. Without it, the requester is left with an outcome but not an explanation. They may know that documents have been withheld, but not why. They may see black boxes on the page, but not the basis for each redaction. They may be told that all data has been supplied, but have no way of testing whether obvious systems, custodians or periods were searched.

Scope

What systems, dates, custodians, searches and categories of personal data were considered?

Reason

What explains each refusal, omission, exemption, redaction or claimed search limitation?

Record

What evidence shows how the controller reached and checked its response?

Redaction and exemptions

Redaction is sometimes necessary. A SAR may contain information about other people, confidential references, legally privileged material, management information or material covered by a specific exemption. The difficulty arises when redaction becomes a blunt instrument rather than a reasoned exercise.

The ICO guidance on exemptions requires careful handling. Exemptions should be considered case by case. They cannot be applied routinely or in a blanket fashion, and the controller should document the reasons for relying on an exemption and be able to justify it. If a controller refuses to comply, it must usually tell the requester why, explain the right to complain to the controller and the ICO, and refer to court enforcement rights.

That does not mean the controller must reveal information in a way that defeats a valid exemption. In some circumstances, reasons may need to be general. But the controller should still be able to demonstrate internally what was withheld, why it was withheld, who considered it, and how the decision was checked.

Processors and law firms

Controllers may use processors to assist with SARs. That may be sensible where the request is large, technical, litigation-sensitive or requires secure review. A processor may help retrieve records, apply search terms, prepare review batches, propose redactions or assemble the response pack.

But using a processor does not transfer the controller's responsibility. The ICO guidance states that controllers are responsible for complying with SARs. If they use a processor, the contract must allow the controller to deal with SARs properly, and the processor must help the controller meet its SAR obligations. The controller remains responsible for deciding how to deal with the request.

Law firms require particular care because their role may be mixed. A law firm might advise on privilege, act in an underlying dispute, assist with SAR handling, review exemptions or correspond with the requester. Those roles can be legitimate, but they need to be clear. If the same professional or firm is close to the disputed facts, the controller should consider whether independent review, role separation or tighter supervision is needed.

Conflicts and role clarity

Where a SAR overlaps with a solicitor-client relationship, a former retainer, landlord dispute, commercial dispute or complaint against professionals, role clarity becomes essential. The question is not only whether the data protection response is technically compliant. It is whether the person handling or advising on the response is placed in a position that undermines confidence in the process.

The SRA Code of Conduct contains specific duties on conflicts, confidentiality and disclosure. Solicitors must not act where there is an own-interest conflict or significant risk. They must keep the affairs of current and former clients confidential unless disclosure is required or permitted by law or the client consents. They must not act in a matter adverse to another current or former client for whom they hold material confidential information unless the conditions in the code are met.

Those duties do not turn every SAR dispute into professional misconduct. But they explain why legal-sector SARs require more than mechanical processing. If the SAR concerns a dispute involving confidential former-client information, adverse interests, privilege or a solicitor's own prior conduct, the response should be designed to preserve confidence as well as compliance.

01

Who is deciding?

Identify whether the controller, processor, law firm, DPO or external reviewer is making each decision.

02

What is the role?

Separate legal advice, SAR administration, privilege review, dispute strategy and data-protection compliance.

03

What is recorded?

Keep a clear audit trail showing search, redaction, exemption, review and complaint decisions.

The regulator route

Many requesters feel that the complaint route is uneven. The controller holds the systems, search logs, internal reasoning, legal advice and audit trail. The requester usually sees only the response. That imbalance can make a complaint feel frustrating, especially where the requester believes material has been withheld or selectively explained.

The practical answer is evidence discipline. A complaint is stronger when it identifies the SAR, the deadline, the systems likely to hold information, the missing records, the redactions in issue, the exemption relied on, the reason it appears inadequate, and any inconsistency between the controller's account and the documents already known to exist.

General allegations that a controller has manipulated the narrative may express the frustration, but they rarely provide the route. The stronger formulation is narrower: this information appears to be personal data; this system or person likely held it; this record is missing or redacted; this exemption has not been explained; this is why the response does not show a reasonable and proportionate search or a case-by-case exemption decision.

The SAR evidence map

The practical tool is a SAR evidence map. It connects the requester's concern to the controller's legal obligations and avoids turning a complex SAR dispute into a general complaint that everything has been hidden.

The map should start with the request. What was asked for, when was it sent, and how did the controller acknowledge it? It should then identify the expected data sources: email accounts, case files, client files, property records, HR systems, complaint files, case-management systems, invoices, calendars, meeting notes, call recordings, audit logs, portal records and correspondence with third parties.

The next step is comparison. What was disclosed? What was missing? What was redacted? What exemption was relied on? What supplementary information was supplied? What complaint route was given? What evidence shows that the missing material likely exists or that the redaction may be too broad?

01

Request. Record the date, wording, delivery method, acknowledgement and deadline calculation.

02

Sources. Identify the people, systems, files and time periods likely to hold personal data.

03

Response. List what was disclosed, withheld, redacted, refused, explained or not addressed.

04

Gap. State the precise missing-data, redaction, exemption, processor or search concern.

The accountability test

The accountability test is whether the controller can reconstruct the response. It should be able to show what was searched, what was found, what was excluded because it was not personal data, what was withheld under an exemption, what was redacted for third-party or privileged material, what role any processor played, and who made the final decision.

For requesters, the same test works in reverse. The challenge should identify the missing link in the controller's process rather than simply assert bad faith. Was the search too narrow? Was the processor's role unclear? Was the exemption unexplained? Was the redaction too broad? Was supplementary information missing? Did the controller ignore a system, person, date range or category of record that should obviously have been considered?

That structure turns a difficult SAR dispute into a focused accountability challenge. It does not guarantee success. It does make the issue harder to dismiss as mere dissatisfaction.

For requesters

Keep the SAR, acknowledgement, response pack, redactions, missing-data list, complaint correspondence and deadline record.

For controllers

Keep search logs, processor instructions, review records, redaction notes, exemption reasoning and final response approval.

For escalation

Separate search failure, redaction challenge, exemption dispute, processor conflict, solicitor conduct and ICO complaint route.

Source anchors

These sources support the legal and regulatory framework used in this article. They do not prove any disputed complaint, breach, conflict, redaction issue, SAR failure or organisation-specific misconduct.

The Legal Lens point

A SAR response should not leave the data subject guessing whether the controller searched properly, redacted lawfully, used exemptions selectively, relied on a processor appropriately or controlled the narrative of a dispute.

The strongest response to an opaque SAR is not louder accusation. It is better structure. Identify the request, the likely data sources, the disclosed material, the missing records, the redactions, the exemptions, the processor role and the specific accountability gap.

The right of access is weakened when it becomes a one-sided explanation managed by the controller. It is strengthened when both sides can see the route from request, to search, to review, to reason, to response.

SAR evidence and accountability map

If a SAR response appears incomplete, over-redacted or shaped by a disputed narrative, Legal Lens can help structure the request, response, evidence gaps and complaint route before escalation or specialist review.

Identify the SAR issue

Clarify whether the concern is missing data, narrow search, redaction, exemption, delay or processor role.

Map the evidence

Connect expected records, disclosed material, redactions and correspondence to the precise accountability gap.

Choose the route

Separate controller complaint, ICO complaint, solicitor conduct, legal advice and publication-risk questions.

Issue map

Search, redaction, exemption, processor role, conflict concern and complaint route.

Evidence schedule

Requests, responses, known sources, missing records, chronology and next questions.

Independent Legal Lens consultancy. Legal Lens is not a regulated solicitors' firm. A preliminary assessment is not a substitute for regulated legal advice where that is needed.

Legal Lens publishes public-interest commentary and practical legal education. This article is not legal advice. SAR disputes may involve data protection, legal professional privilege, confidentiality, litigation strategy, professional conduct, limitation, costs, regulatory complaints and publication-risk issues.

Leave a Reply

Your email address will not be published. Required fields are marked *

Skip to toolbar