Many organisations find it challenging to respond to subject access requests (SARs). We look at some of the situations in which it is possible to decline to respond to a SAR, in circumstances where no other exemption applies.
Responding to subject access requests: an overview
Under data protection law, individuals are entitled to ask for a copy of the personal data (essentially, information about that individual) which an organisation holds about them. Organisations must usually respond within one month, although this period may be extended by two further months if the complexity of the request justifies an extension.
The Data Protection Act 2018 provides for a number of exemptions to these rights, but if no exemption applies, organisations should still consider whether the request is either “manifestly unfounded” or “excessive”. In those cases, the General Data Protection Regulation (GDPR) provides that an organisation may either charge a reasonable fee for responding or may decline to respond.
Until recently there was no official advice on what “manifestly unfounded” or “excessive” mean. However, the Information Commissioner's Office (ICO) has recently provided guidance about when a request might fall within one of these categories.
Manifestly unfounded requests
According to the ICO, a request may be “manifestly unfounded” if an individual has no clear intention of exercising the right of access. This may occur if an individual makes a request and then offers to withdraw it in return for some kind of benefit from the organisation. A request may also be manifestly unfounded if it is malicious in intent and is being used to harass an organisation, with the sole purpose of causing disruption. A request may be malicious if the individual:
- states an intention to cause disruption in the request;
- makes unsubstantiated allegations against particular individuals;
- is targeting a particular employee against whom the requestor has a grudge; or
- systematically sends different requests as part of a campaign, for example once a week.
However, even if these criteria are met, the request will not automatically be manifestly unfounded and the context in which a request is made must be considered before an organisation decides how to proceed. If, considered in the round, the request demonstrates a wish on the requestor’s part to access his or her data, the ICO's view is that it is unlikely it will fall into this category.
A request may be considered “excessive” if it repeats the substance of previous requests without a reasonable interval having passed, or if it overlaps with other requests.
Conversely, the ICO considers that a request will not necessarily be excessive simply because an individual:
- requests a large amount of information;
- wishes to receive a copy of information previously received;
- makes an overlapping request regarding a different set of information; or
- has previously submitted requests which have been manifestly unfounded or excessive.
How to respond to the requestor
If you decide a request is manifestly unfounded or excessive, then without undue delay and within one month of receiving the request you should inform the requestor that:
- you believe the request is manifestly unfounded or excessive;
- the requestor has the right to complain to the ICO; and
- the requestor is entitled to seek to enforce the right of access via the courts.
If you conclude that a request is manifestly unfounded or excessive, we recommend that you keep a record of the reasons for your decision. This will then be available should you need to explain your reasoning to the requestor or the ICO if a complaint is made, and will also help demonstrate compliance with the GDPR’s accountability principle.
If you conclude that the request is not manifestly unfounded or excessive, you should usually respond to the request within one month of receiving it. The ICO has recently updated its guidance on how to work out the date by which you must respond. The day on which you receive the request counts as ‘day one’. This means that a request received on 3 October 2019 would have a deadline of 3 November 2019, for example.
A final caveat is that the UK and EU courts have yet to consider what “manifestly unfounded” or “excessive” means. The ICO’s guidance may develop further as and when the courts interpret these provisions of the GDPR.