
The Data (Use and Access) Bill (DUA) is a legislative proposal aimed at enhancing the management and utilisation of data within organisations. As of February 2025, the DUA is under consideration in Parliament. The bill covers various aspects of data protection, including data subject access requests (DSAR).
This article explores the implications of the DUA on DSARs including: changes in handling privilege, the incorporation of guidance into legislation, and the overall impact on data controllers and data subjects.
Key points:
- Reflecting ICO's guidance: The DUA aims to incorporate the Information Commissioner's Office (ICO) guidance on DSARs into legislation, including the timing for responses and the scope of searches for personal data.
- Changes in handling privilege: Data controllers must now inform data subjects when legal professional privilege is used to withhold documents, and the ICO gains the power to review privileged documents to verify the claim.
- Vexatious requests: The proposal (under the earlier reforms proposed by the Conservative government) to allow controllers to refuse vexatious or excessive requests has not been brought forward into the DUA.
- Overall impact: save for the changes as to how privilege is handled by the ICO, the DUA is expected to have a limited impact on DSARs.
Reflecting ICO's guidance
The majority of changes under the DUA are unlikely to significantly impact DSARs, as they aim to establish the ICO's guidance on a statutory basis. These include:
- The timing for responding to a DSAR where identification or clarification on the scope of personal data sought has been requested from the data subject
- The process of locating and providing personal data, as well as information concerning the processing of the personal data, is limited to a reasonable and proportionate search. This has been the standard followed in practice for many years but has now been enshrined into the legislation.
Privilege
Under the DUA, when withholding documents due to legal professional privilege or client confidentiality, a data controller must inform the data subject of:
- The exemption being relied upon and the reason.
- The data subject's right to make a request to the ICO to review the application of the exemption (under Section 51 of the UK GDPR); right to lodge a complaint with the ICO (under Section 165 of the UK GDPR); and right to apply to the Court (under Section 167 of the UK GDPR).
This level of detail may not previously have been included in DSAR response letters. As such, we would recommend considering whether updates are needed to any template DSAR response letters to reflect this requirement.
Amendments have also been introduced to Section 51 of the UK GDPR – the changes would enable the ICO to verify that the data controller is entitled to rely on the privilege and/or client confidentiality exemption.
Currently, there is no requirement to provide privileged documents to the ICO for the purposes of verifying claims to privilege, although documents could be provided to the ICO on a voluntary basis. This amendment would grant the ICO the authority to require access to privileged documents so that it may scrutinise claims of privilege more thoroughly.
Depending on the ICO's approach to investigations, several questions and concerns arise, such as:
- Will the ICO request a copy or detailed descriptions of the documents?
- How will the ICO handle the documents provided to them and communicate (or not) the contents of the documents to the data subject? There is a risk of the ICO inadvertently waiving privilege which could have wider implications in other legal proceedings.
- Will the ICO provide written assurances that disclosure to them is not a waiver of privilege, and that the documents will not be used further without the data controller's permission?
- In international matters, provision of information to a regulator may amount to a waiver of privilege over that material under the rules of other Courts. How will this be addressed by the ICO?
- How will the ICO verify a claim to privilege? Privilege decisions can be nuanced depending on the circumstances and context of the document, sometimes requiring more background information than is provided in the document itself.
WBD Clarity
WBD Clarity is a targeted solution for responding to DSARs, allowing you as an organisation to reduce the volume of personal data, streamline the review process and undertake DSARs in a manner compliant with the DUA.
For example, WBD Clarity provides the following features to ensure adherence with the DUA:
- Record decisions at either a category or document level to explain why documents have been withheld. For example, maintaining an audit trail of the documents withheld on the basis of privilege and the reasons for the exclusion.
- Provide analytical justification for a particular search requested by the data subject as not being reasonable and proportionate. For example, automatically identifying all emails to/from the data subject, or responsive to a particular search term, which, dependent on volume, may not be reasonable to review.
To see the other benefits of the platform or to discuss how WBD Clarity could help support your business, visit this link.
This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.