GDPR for HR Coffee Break | June 2026

Published on 3rd June 2026

Wider privilege exemption for DSARs, AI-generated FOI requests, anticipated ICO updates

At a glance

  • A first instance decision clarifies which intra-client documents can attract privilege, with concrete steps for updating DSAR review processes.

  • Practical principles from the ICO's AI-FOI guidance apply directly to DSARs, covering validity, inaccurate legal assertions, and staff training.

  • Forthcoming ICO guidance on exemptions and DSARs will reflect legislative changes introduced by the Data (Use and Access) Act.

Glencore case: wider privilege exemption for DSARs

In April 2026, the Commercial Court in Aabar Holdings S.à r.l. & Ors v Glencore Plc (2026) (a first instance decision) held that legal advice privilege (LAP) can extend to intra-client group communications, even where no lawyer is a party, provided the dominant purpose of those communications is the seeking or receiving of legal advice. The court concluded that internal preparatory notes and emails exchanged within the client group in anticipation of legal advice are analogous to lawyers' working papers and are therefore equally capable of attracting LAP.

For detailed commentary on the judgment, see this Insight; the focus here is on the implications for data subject access requests (DSARs).

Under the Data Protection Act 2018 (DPA 2018), data controllers may withhold personal data from a DSAR where the information would be subject to legal professional privilege (LPP) in legal proceedings. LPP covers both LAP and litigation privilege. The Glencore decision effectively widens the category of documents that organisations may legitimately withhold from DSAR disclosure on the basis of the LAP exemption.  

Internal preparatory notes and inter-departmental emails compiled in anticipation of or in connection with legal advice, which previously occupied something of a grey area, may now more confidently be withheld under the privilege exemption even if they do not directly involve a lawyer, provided the dominant purpose test is satisfied.

Practical steps for organisations

  • Privileged communications must remain confined to the properly defined client group (that is, those company representatives tasked with obtaining legal advice and the company's lawyers).

  • Labelling such communications as "Legally Privileged" or similar is helpful to flag their potential status for the purposes of any subsequent court or DSAR disclosure exercise, but there are no short cuts: all documents must still be manually reviewed to confirm that the LPP exemption can be legitimately relied upon.

  • At the outset of any DSAR search and review exercise, organisations should ascertain whether legal advice has been sought and, if so, identify internally who within the organisation has been tasked with obtaining that advice, and externally who the lawyer(s) providing the advice are. 

  • Controllers and their legal teams should review their DSAR response processes in light of this ruling to ensure that the exemption is both appropriately asserted where available and that the basis for doing so is properly documented. A contemporaneous note briefly outlining why a controller concluded that a particular document attracted the exemption will be invaluable if the decision is ever queried by the data subject or the ICO. 


ICO guidance on AI-generated FOI requests: what could this mean for DSARs?

The Information Commissioner's Office (ICO) has published guidance on managing requests made under the Freedom of Information Act 2000 that have been drafted using artificial intelligence. While DSARs are governed by a different legal regime (UK GDPR and the Data Protection Act 2018), many of the practical principles set out in the guidance translate readily to the DSAR context. 

  • AI-assisted DSARs are not automatically invalid. The fact that a requester has used AI to draft a DSAR does not, of itself, render it invalid. Provided the request meets the requirements under UK GDPR, it should be treated as any other valid request.
  • AI-generated requests may contain legal inaccuracies. Requests may misstate the scope of data subject rights or refer to case law or ICO decisions that do not exist. Organisations should not feel compelled to accept or act upon inaccurate legal assertions simply because they appear in a formally worded request.
  • Inaccuracies should be corrected, politely and constructively. Where a request misstates the law, it is both appropriate and helpful to correct the requester courteously. Doing so enables them to exercise their rights more effectively and reduces the risk of unnecessary disputes.
  • Clarification should be sought promptly where the scope is unclear. AI-generated DSARs can be broad, repetitive or difficult to interpret. Where the scope of a request is genuinely unclear, organisations may seek clarification from the requester. The response period under UK GDPR can be paused while awaiting a response, provided this is done without undue delay.
  • AI-generated outputs may fall within the scope of a DSAR. Where staff use AI tools in the course of their work, the prompts used and outputs generated may constitute personal data relating to a data subject and could therefore be disclosable in response to a DSAR. Organisations should ensure that AI-generated content produced for official purposes is captured within appropriate records management systems, with defined retention periods.
  • Inaccurate AI-generated personal data remains disclosable. The fact that personal data has been generated by AI and may be inaccurate does not create an exemption from disclosure. The data should be provided, accompanied by an appropriate explanation of its potential inaccuracy where this is relevant.
  • Staff training is essential. Practitioners handling DSARs must have a sound understanding of what UK GDPR and the DPA 2018 do and do not require. Well-trained staff will be better placed to identify legally inaccurate assertions in AI-generated requests and respond to them with confidence.

ICO guidance updates 

The ICO has confirmed its intention to publish new and updated guidance for data protection practitioners across a range of data protection matters. The following are among the updates anticipated in summer 2026:

  • Handling subject access requests generated by AI.
  • Exemptions (updated to reflect changes introduced by the Data (Use and Access) Act).
  • Subject access requests (updated to reflect changes introduced by the Data (Use and Access) Act).
Interested in hearing more from Osborne Clarke?

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
