DSARS: WHAT A PRIVILEGE!

One of the little-reported changes that the Data Use and Access Act 2025 brings in will change how employers handle data subject access requests (DSARs), particularly as we recognise that two in three DSARs are made by employees.

Data controllers are exempt from disclosing information under a subject access request where the information is subject to legal privilege. This would be where information is either:

  1. Made solely between a client and a professional legal adviser acting in a professional capacity, or

  2. Made for the dominant purpose of obtaining or providing legal advice, or being used in probable litigation.

So, all that correspondence with your legal advisors discussing the strategic approach to a tricky exit, a negotiation package or a contemplated future claim – helpfully shielded from DSAR disclosure. However, there were clearly concerns about this exemption being over-used. The Act now formalises previous ICO guidance, which means that employer controllers will need to:

  • Record the rationale for relying on the legal privilege exemption when handling a DSAR (and be prepared to provide it to the ICO on request);

  • Provide detailed information about the application of the privilege exemption to the data subject in the DSAR response; and

  • Inform the data subject of their right to complain to the ICO about the use of that exemption.

Alongside these obligations, the Act also grants beefed-up powers, including:

  • A right for the data subject to apply to a court for a compliance order in respect of privileged information; and

  • Explicit authority for the ICO to order the disclosure of documents, to be assessed by a court as appropriate.

Luckily, there’s only a handful of practical steps for employers to consider when it comes to tweaking their DSAR process:

  • Make sure your DSAR handlers are up to speed on how legal privilege applies. Consider training and upskilling if there are knowledge gaps;

  • Amend any processes to ensure that your privilege rationale records are kept as a matter of course for any request; and  

  • Make sure any template outcomes reflect the data subject’s right to complain to the ICO.

Need support?

We offer tailored DSAR support, from ad hoc advice to full-service response management. Get in touch to discuss how we can help streamline your DSAR processes.
