Refusing a data subject access request – what is “manifestly unfounded or excessive”?
Individuals are entitled under the UK GDPR to make a Data Subject Access Request (DSAR) for copies of their “personal data” from a data controller. Organisations must usually respond to such requests within one month, although this period may be extended by two further months if the request is complex.
The legislation provides a number of exemptions to these rights, including where the DSAR is “manifestly unfounded or excessive”.
The UK’s supervising authority in relation to data protection, the Information Commissioner’s Office (ICO), has provided the following guidance on how to interpret this wording:
A request may be manifestly unfounded if:
- the individual clearly has no intention to exercise their right of access. For example, an individual makes a request, but then offers to withdraw it in return for some form of benefit from the organisation; or
- the request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption. For example, the individual:
  - explicitly states, in the request itself or in other communications, that they intend to cause disruption;
  - makes unsubstantiated accusations against you or specific employees which are clearly prompted by malice;
  - targets a particular employee against whom they have some personal grudge; or
  - systematically sends different requests to you as part of a campaign, e.g. once a week, with the intention of causing disruption.
In determining whether a request is manifestly excessive, you should consider whether the request is proportionate when balanced with the burden or costs involved in dealing with the request. This will mean taking into account all the circumstances of the request, including:
- the nature of the requested information;
- the context of the request, and the relationship between you and the individual;
- whether a refusal to provide the information or even acknowledge if you hold it may cause substantive damage to the individual;
- your available resources;
- whether the request largely repeats previous requests and a reasonable interval hasn’t elapsed; or
- whether it overlaps with other requests (although if it relates to a completely separate set of information it is unlikely to be excessive).
Whether this exemption applies will depend on the specific situation and the guidance above should not be thought of as a tick box exercise. The ICO’s guidance suggests the following general considerations when establishing if a request is manifestly unfounded or excessive:
- always consider each request on its own merits—a blanket policy will not be appropriate;
- do not assume a request will be manifestly unfounded or excessive simply because the individual has previously submitted such a request or because you question their motive;
- ‘manifestly’ means the unfounded or excessive nature of the request must be somewhat obvious; and
- ensure you are able to demonstrate your justifications to the individual and the ICO.
It’s important to note that a DSAR won’t be excessive simply because a large amount of data has been asked for. It is necessary to show that supplying a copy of the information would involve “disproportionate effort”.[1] If responding to the DSAR would involve providing a large volume of documents but the request is not manifestly unfounded or excessive, you can ask the data subject to narrow their request. However, if they refuse to do so, you will need to carry out reasonable searches.
If you are still unsure what to do having considered the above, we can advise you on the course of action you should take – each DSAR will turn on the facts relevant to that DSAR and your organisation.
Responding to manifestly unfounded or excessive requests
If you determine that the request is manifestly unfounded or excessive, you may charge a reasonable fee, taking into account the administrative costs of providing the personal data, or refuse to act on the request. If you are not going to respond to the request, you must inform the data subject of the reason(s) for not taking action and of their right to lodge a complaint with the ICO. If you are going to charge a fee, you should let the person know as soon as possible, but you do not need to complete their request until you receive the fee.
Reform
The Data Protection and Digital Information (No.2) Bill, which is currently at the Committee stage in the House of Lords, proposes a new, lower threshold for charging a reasonable fee or refusing a DSAR if the request is “vexatious or excessive”.
The proposed bill gives examples of vexatious requests as those which are:
- intended to cause distress;
- not made in good faith; or
- an abuse of process.
Under the proposed legislation, the business (which is the data controller for the purpose of the DSAR) will have more scope to look at the underlying purpose and intention of the request. It is likely that this will mean that data controllers will be able to refuse more DSARs for being “vexatious”.
Speak to our Corporate & Commercial Specialists
If you would like advice on any of the issues mentioned above, please do not hesitate to contact our data protection team on 0330 175 7617 or email enquiries@ibblaw.co.uk. Alternatively, contact us via the enquiry form at the top of our Corporate and Commercial page.
[1] Dawson-Damer v Taylor Wessing LLP [2017] 1 W.L.R. 3255.