When an organisation receives a Subject Access Request, the instinct is often either to disclose everything or to withhold as much as possible. Neither approach is correct. UK GDPR Article 15 gives individuals the right to access their personal data — but Article 15(4) explicitly preserves the rights of third parties. The Data Protection Act 2018 adds further exemption categories that apply in specific circumstances.

The key principle is this: every redaction must be justified, documented and defensible. Redacting without a legal basis is a breach. Failing to document your legal basis leaves you exposed if the decision is challenged.

The Golden Rule

A redaction without a documented justification is not a redaction — it is a withholding. Every item removed from a SAR disclosure must be accompanied by a specific legal basis in your audit log.

Category 1: Third-Party Personal Data

Third-Party Personal Data
UK GDPR Article 15(4) · DPA 2018 Section 45

This is the most common redaction category in SAR responses. Where a document contains personal data about an identifiable individual other than the requester — a colleague's name, email address, personal details or opinions — that information may be redacted where disclosing it would be unfair to that individual.

The key test is whether the third party would reasonably expect their personal data to be passed to the requester. In most cases, a colleague would not expect their name, comments or personal details to be disclosed via a SAR.

However, third-party redaction is not automatic. If the only way to give the requester a meaningful response is to include the third party's details, you need to balance the requester's right of access against the third party's right to privacy. This is a genuine balancing exercise — not a blanket withholding rule.

Common Mistake

Redacting the names of managers or HR personnel in documents is not always appropriate. These individuals are acting in a professional capacity, and their involvement in a decision about the requester may be directly relevant to the requester's own personal data.

Category 2: Legally Privileged Material

Legal Professional Privilege
DPA 2018 Schedule 2 Part 4 Paragraph 19

Communications between an organisation and its legal advisers that attract legal professional privilege — including legal advice privilege and litigation privilege — may be withheld from a SAR response. This exemption applies to both internal and external legal counsel acting in a legal advisory capacity.

Legal professional privilege is a fundamental principle of English law. Where it applies, it overrides the requester's right of access. However, it must genuinely apply — it cannot be claimed as a blanket exemption over all legal communications. The communication must be a genuine legal advice communication or litigation-related communication to attract the protection.

Category 3: DPA 2018 Schedule 2 Exemptions

Management Forecasts & Planning
DPA 2018 Schedule 2 Part 4 Paragraph 20

Personal data processed for the purposes of management forecasting or management planning may be exempt where disclosure would prejudice the conduct of the organisation's business or other activities. This can apply to succession planning documents, redundancy considerations and restructuring plans.

Confidential References
DPA 2018 Schedule 2 Part 3 Paragraph 24

References given in confidence — whether provided by or to the data controller — are exempt from the right of access. This applies to employment references, educational references and character references. The exemption covers the reference document itself, not necessarily every piece of information it contains; personal data that also exists elsewhere in your records is not exempt merely because it was repeated in a reference.

Crime, Tax & Regulatory Functions
DPA 2018 Schedule 2 Part 1 Paragraphs 2–5

Personal data processed for the purposes of preventing or detecting crime, apprehending offenders, assessing or collecting tax, or carrying out regulatory functions may be exempt where disclosure would be likely to prejudice those purposes. This exemption is narrower than it sounds — the prejudice must be to a specific function, not a generalised concern.

Category 4: Special Category Data — Third Parties

Where a document contains special category personal data — health, race, religion, sexual orientation, biometric data — about a third party, particular care must be taken. Disclosing a colleague's health condition or other sensitive personal characteristic via a SAR would be a serious breach of that individual's rights under UK GDPR Article 9.

In practice, this means that medical notes referencing other patients (in healthcare settings), HR notes referencing a colleague's disability, or any document containing sensitive personal information about a third party should be carefully reviewed for special category content before disclosure.

Why the Audit Trail is Non-Negotiable

When you redact information from a SAR response, you are making a legal decision. That decision may be challenged — by the requester directly, via an ICO complaint, or in legal proceedings.

An ICO investigation into a SAR complaint will typically ask the organisation to explain each redaction. If you cannot point to a specific legal basis for each item withheld, you are in a weak position — even if the redaction was substantively correct.

Your redaction audit log should record for each redacted item:

Need expert redaction support?

E2E Integration provides AI-assisted, human-validated redaction with a complete audit trail for every item removed. Fixed-fee from £295. Every redaction documented and defensible.


Frequently Asked Questions

Can we redact the entire document if it's mainly about third parties?

If a document contains some personal data about the requester but is primarily about third parties, you do not need to disclose the whole document. You can disclose the relevant portions (relating to the requester) with the third-party content redacted. If the only way to make the document intelligible would require disclosing third-party data, you may withhold the document entirely — but this should be recorded in the redaction log with a brief explanation.

What if the requester says we've over-redacted?

If the requester believes the response is incomplete or contains unjustified redactions, they can complain to the ICO. Having a documented audit trail is your primary defence. If the ICO investigates and finds that your redactions were not supported by a legal basis, you may be required to provide a fuller response and could face enforcement action.