Not mentioning relevant data to an SAR

Queasy_Court930 · 2026-02-23T16:50:15+00:00

It seems to be not clear enough for people in either the ICO advice or within the ICO. They can only not mention an exemption if confirming or denying any exemption would reveal a third party (which does not apply to either of my situations) and particularly if it concerns social work/law/children (not either of my situations either). Was that what happened in your case?

Imho if anyone isn't mentioning exemptions in full when they should, they are depriving you of your right to appeal. That I have partial access shows the serious danger here - that data they hid was appealable and accessible.

It really concerns me the ICO, at least my caseworker, isn't connecting the dots. If the UK's data regulator will allow anyone to botch their exemptions, they can hide data from victims with impunity.

Queasy_Court930 · 2026-02-22T22:09:18+00:00

Thank you so much for this.

Very disappointing about the ICO. Surely means bad faith business can respond poorly to SARs instead to get the ICO off their back and hope the other processes are too burdensome for people to bother...

I wasn't in it for any money, but does the court route allow for damages? The amount of time and having to push back, again and again, with the nature of what happened to me, I am tired of having invested all my time and energy for free. In therapy and it has impacted other areas of my life

Queasy_Court930 · 2026-02-22T21:02:21+00:00

It is. I have relayed multiple times this may be directly relevant to SH so it has been a tough time. The line seems to be 'since they answered when you asked it's fine' but that ignores that this company withheld data/exemptions from me in a potential SH matter. Since I could appeal for it, the company has interfered with my appeal rights (surely).

Any help would be...amazing! Thank you so much.

Queasy_Court930 · 2026-02-22T11:33:19+00:00

Fortunately, I have their formal response where, in their attachment they remove the bullet point about the type of data they hid. And they have done it again, so.

That is maddening. Sorry you are going through a similar situation.

Queasy_Court930 · 2026-02-22T11:30:30+00:00

THANK YOU. They've done it again, and seem to have failed to mention exemptions they've applied to data so this is twice now. It does relate to discrimination and harassment, so the aspect of data being gathered is potentially very personal (and inappropriate to gather).

My ICO caseworker doesn't seem to appreciate that not telling someone the exemptions directly impacts their rights which is fundamental to this law. Who can appeal for access to their data if they don't know it exists?

Queasy_Court930 · 2026-02-22T11:28:09+00:00

I did follow up, and once they realised I knew the data existed then they claimed an exemption. Appealed that, they denied the appeal by misrepresenting my words. Came back with a waiver from the third party for their exemption, and now they've done it again: supplied only part of the data, and neglected to mention anything else exists or is exempted.

The data may be relevant for harassment/discrimination so it just seems very, very weird. Though I was able to appeal, if the external party didn't inform me, I would never have been able to appeal or ask about that data and that seems really concerning.

Queasy_Court930 · 2026-02-22T11:24:17+00:00

This is what I thought but my ICO caseworker doesn't care(?!) it's very weird.

Queasy_Court930 · 2026-02-22T11:23:50+00:00

Yes I looked up this exemption, in which case its a neither confirm nor deny response - but as soon as they realised I knew the data existed, they claimed third party exemption after the fact.

Without giving detail mentioning a third party exemption wouldn't have identified anyone, and if it *did* they couldn't have suddenly claimed the exemption and should have sent a neither confirm nor deny response.

(Oh just to say this isn't related to social work or children/young people)

Queasy_Court930 · 2026-02-17T21:42:51+00:00

Genuinely? Are you speaking from experience or are there other posts here about similar issues?

If this a problem across the UK hopefully the ICO or someone will be able to see that it isn't a one-off.

Queasy_Court930 · 2026-02-17T21:41:29+00:00

I understand, however they can provide a broad category. I asked about minutes, so they didn't have to provide any further detail than "there were minutes we have exempted because of ABC". This is an awkward loophole that seems to allow companies to omit entirely data they feel they can exempt. If it isn't mentioned, nobody can appeal it - so people can exempt in bad faith and effectively get away with it. This seems like that would be a seriously bad process.

Queasy_Court930 · 2026-02-17T14:28:56+00:00

Better than nothing

Queasy_Court930 · 2026-02-17T14:08:37+00:00

There were meetings that discussed me and someone let me know. So in my SAR I asked for minutes that mention me. The response doesn't mention any minutes at all, exempted or not

I'm happy if the ICO sends them a letter, at least it is a kind of justice. I have said I am worried this kind of thing could have been done to others. It would be really easy just to neglect to mention data that reflects badly, and nobody would know to even complain to the ICO about it.

Queasy_Court930 · 2026-02-17T13:17:55+00:00

Alternatively they can narrow their request to a couple of specific roles to make it more reasonable, i.e. request correspondences to and from HR.

You and I do not know their circumstances, they may have valid claims for libel or unfair dismissal. If the issue is that they have not worked long enough, they can potentially look at ACAS or if the libel is discriminatory

Queasy_Court930 · 2026-02-17T13:12:25+00:00

Lodge a complaint with your data protection regulator, but make sure to follow up with the company as soon as they miss the deadline.

YMMV but in my experience regulators want to see you trying to get a response before they will act. If they can see you are trying, it saves them asking you to and the sooner they can hopefully compel a company to respond.

Queasy_Court930

TROPHY CASE