Subject Access Requests (SAR) under the Data (Use and Access) Act 2025: what competent authorities need to know
- Privacy Protect Group Ltd.
- Jul 21
- 4 min read
Updated: Jul 23

The Data (Use and Access) Act (DUAA) 2025 (1) introduces critical updates to Subject Access Requests (SARs), specifically for competent authorities operating under Part 3 of the Data Protection Act (DPA) 2018 (2). The changes now enable competent authorities to take longer to respond to requests to access personal information, where extra time is needed because of the complexity or number of requests that someone has made. They also make it clear that you only need to make reasonable searches for information. These changes reflect a calibrated approach to balancing individual rights with operational realities in law enforcement contexts.
Clarification on searches
S45(2A) of the DPA 2018 clarifies that the information to be provided to a data subject under a SAR is only that which is in scope and identified through reasonable and proportionate searches.
The existing Information Commissioner’s Office (ICO) guidance on SARs is vague on what “reasonable” would be: the Law Enforcement processing guidance is yet to be updated (expected in summer 2025) (3), but we presume the threshold will align with existing expectations under the UK GDPR, in that “you’re expected to do a reasonable amount of searching to find what you’ve been asked for, but you don’t need to check every single email or file if you feel it’s unlikely to relate to the request. In data protection law, if it’s ‘disproportionate’ then you don’t need to do it” (4).
Revised timeframes
S76 of the DUAA 2025 updates s45(4) of the DPA 2018, adding the provision of an “applicable time period”. Under the previous version of the legislation, competent authorities were required to respond to SARs within one calendar month – that’s it, no leeway. But now, competent authorities have:
Standard timeframe: Still one calendar month from the date of receipt.
Extended timeframe: Under s54(3A), authorities may now extend the period by up to two additional months (a total of 3 months) in specific cases.
Extension criteria apply to the:
complexity of the request (s54(3A)(a)): For example, requests involving multiple data sources or extensive case files. However, a request for a large amount of data will not, in itself, necessarily warrant an extension.
number of requests submitted by the data subject (s54(3A)(b)): If the SAR repeats or overlaps with other recent requests and there are several of them.
Where an extension is applied, the authority must:
notify the data subject within the original one-month window (s54(3B)(a)).
explain the reasons for the delay (s54(3B)(b)).
It is best practice for the authority to also provide the revised timeline for completion. It’s important to recognise that the law allows for an extension of up to 2 months, but a response should be issued without undue delay, and requests shouldn’t be extended by the full time limit if they won’t take that long to process.
Legal professional privilege (LPP) exemption
Section 79 of the DUAA 2025 inserts s45A into the DPA 2018, affirming the applicability of the LPP exemption while introducing clearer thresholds:
SARs may be refused in full or in part if the disclosure would reveal communications protected by LPP (s45A(1)(a) and (b)).
This exemption applies regardless of whether proceedings are current or anticipated, provided the material in question meets the definition under UK common law.
In practice, this exemption could apply in situations where a data subject requests internal correspondence between solicitors and case officers related to their arrest, or copies of advice sought by a regulatory authority’s legal team in anticipation of enforcement action.
Authorities invoking LPP must:
document the rationale thoroughly (s45A(4)(a)). This means compiling an actual record before the response is issued, at the time the exemption is applied, setting out the justification for the exemption.
be prepared to justify the exemption to the ICO (s45A(4)(b)). In practice, should cases involving this exemption reach a Tribunal, the record of the decision may be required in court, too.
Best practice remains that where possible, you should redact privileged content rather than withholding an entire file.
National security exemption
Section 88 of the DUAA 2025 inserts s78A into the DPA 2018, expanding the national security exemption.
Section 78A(1) now explicitly states that the DPA 2018 does not apply to personal data processed for law enforcement purposes if the exemption is required to safeguard national security. The exemption applies to Chapter 3 of the DPA 2018: data subject rights (e.g. access, rectification, erasure). The exemption also applies to other aspects of the law (more on this in a separate blog post).
In practice, the exemption may be used where disclosure could reasonably be expected to prejudice national security operations.
This could mean the exemption applies not just to direct threats, but also to:
intelligence gathering related to terrorism or foreign interference;
operational strategies of agencies such as MI5, GCHQ, or counter-terrorism units;
international data exchanges under treaty or intelligence-sharing agreements.
Even under national security exemption, the following must still be respected:
s35(1): Lawful processing
s35(2)–(5): Restrictions on sensitive processing
s42 & Schedule 8: Safeguards for sensitive data
Authorities must maintain clear internal records justifying the use of the exemption as per s45(7)(a) and must be able to make the record available to the ICO if requested (s45(7)(b)).
Key points
Authorities must conduct a documented risk assessment before applying the exemption.
Justification must show how disclosure would impair national security - not simply inconvenience operations.
Oversight remains under the Investigatory Powers Tribunal and parliamentary committees.
Best practice takeaways
Develop internal SAR triage systems to assess complexity early.
Standardise template communications for deadline extensions and exemptions.
Train staff on nuanced applications of LPP and national security to avoid overreach.
Embed compliance checks, such as quality assurance dip sampling, to monitor compliance and capture lessons learned.
These updates place competent authorities in a stronger position to manage SARs with greater flexibility, without compromising public trust. The DUAA offers a timely opportunity to recalibrate governance, reinforce procedural robustness, and reaffirm the delicate balance between individual rights and institutional resilience.
References
(1) HM Government, (2025). Data (Use and Access) Act 2025. Available at: https://www.legislation.gov.uk/ukpga/2025/18/introduction/enacted (Accessed: 21 July 2025).
(2) HM Government, (2018). Data Protection Act 2018. Available at: https://www.legislation.gov.uk/ukpga/2018/12/contents (Accessed: 21 July 2025).
(3) Information Commissioner’s Office, (2025). Our plans for new and updated guidance: law enforcement. Available at: https://ico.org.uk/about-the-ico/what-we-do/our-plans-for-new-and-updated-guidance/law-enforcement/ (Accessed: 21 July 2025).
(4) Information Commissioner’s Office, (2025). Subject Access Request advice. Available at: https://ico.org.uk/for-organisations/advice-for-small-organisations/subject-access-requests-sar/subject-access-request-advice/ (Accessed: 21 July 2025).