At a glance

  • Under Part 3 of the DPA 2018 individuals have rights of access, rectification, erasure or restriction, and to not be subject to automated decision-making.
  • You may refuse to respond to a request if it is manifestly unfounded or excessive.
  • Alternatively you may charge a reasonable fee for dealing with the request.
  • You must be able to demonstrate why it is manifestly unfounded or excessive.

In brief

How should we respond to manifestly unfounded and excessive requests?

If you process personal data for law enforcement purposes, you may refuse to respond to certain requests from individuals if you can demonstrate that they are manifestly unfounded or excessive.

Alternatively, you may choose to respond to a request that you regard as manifestly unfounded or excessive. If so, you may charge a reasonable fee for doing so.

You should not have a blanket policy for determining whether a request is manifestly unfounded or excessive. You must consider each request on a case-by-case basis.

Whilst there may be characteristics that are indicative of a manifestly unfounded or excessive request (please see the next sections), you should only use these as a guide. Also, you should not presume that a request is manifestly unfounded or excessive just because the individual has previously submitted requests which have been manifestly unfounded or excessive. 

You must be able to demonstrate to the individual why you consider the request is manifestly unfounded or excessive and, if asked, to the Information Commissioner.

What does manifestly unfounded mean?

A request may be manifestly unfounded if the individual has no clear intention to access the information or is malicious in intent and is using the request to harass an organisation with no real purpose other than to cause disruption.

Factors that may indicate malicious intent include:

  • the individual has explicitly stated, in the request itself or in other communications, that they intend to cause disruption;    
  • the request makes unsubstantiated accusations against you or specific employees;
  • the individual is targeting a particular employee against whom they have some personal grudge; or
  • the individual systematically or frequently sends different requests to you as part of a campaign with the intention of causing disruption, eg once a week.

These factors are not intended to form a simple tick list that automatically means a request is manifestly unfounded. You must consider a request in the context in which it is made, and the onus is on you to be able to demonstrate it is manifestly unfounded.

The inclusion of the word “manifestly” means it must be obvious or clear that it is unfounded.  You should consider the particular situation and whether the individual genuinely wants to exercise their rights. If this is the case, it is unlikely that the request is manifestly unfounded. In most cases, use of aggressive or abusive language does not, in itself, demonstrate a manifestly unfounded request.

Example

An individual believes that information held about them is inaccurate. They repeatedly request its correction but you have previously investigated and told them you regard it as accurate.

The individual continues to make requests along with unsubstantiated claims against you as the controller.

You refuse the most recent request because it is manifestly unfounded and you notify the individual of this.

What does excessive mean?

Whether a request is excessive depends on its particular circumstances. A request may be excessive if it:                      

  • repeats the substance of previous requests and a reasonable interval has not elapsed; or
  • overlaps with other requests.

You must still try to comply with a large request by making reasonable searches for the information. While requests will be handled on a case-by-case basis, in the interest of good practice, you must ensure you have appropriate records management procedures in place to handle large requests and locate information efficiently.

In most cases, a request is not excessive just because the individual has asked for a large amount of information, even if you find it a burden. You can ask them for more information to help you locate the information they want to receive.

Requests about the same issue are not always excessive. An individual may have legitimate reasons for making requests that repeat the content of previous requests, for example if the controller has not handled previous requests properly.

An individual may also want to receive another copy of information they have requested previously. In this situation a controller can charge a reasonable fee for the administrative costs of providing this information again and it is unlikely that this is an excessive request.

A repeat request may also not be excessive if a reasonable amount of time has passed since their last request. In deciding whether a reasonable interval has elapsed, you should consider:

  • the nature of the data – this could include whether it is particularly sensitive, but also the value of the information to the individual;
  • the purposes of the processing – these could include whether the processing is likely to cause harm to the requester if disclosed;
  • how often the data is altered – if information is unlikely to have changed between requests, you may decide you do not need to respond to the same request twice. However, if you have deleted information since the last request you should inform the individual of this; and
  • remember, this is not just about the right of subject access. You should also consider the importance of individuals being able to exercise the other rights that apply.

A request may be excessive if an individual makes a new request before you have had the opportunity to address an earlier request. However, this is only the case if the substance of the new request repeats some of the previous request. It is unlikely to be excessive if the overlapping request is about a completely separate set of information.

What should we do if we refuse to comply with a request?

If you refuse to comply with a request you must inform the individual about:

  • the reasons why you have not complied with their request;
  • their right to make a complaint to the ICO or another supervisory authority; and
  • their ability to seek to enforce this right through a judicial remedy.

As mentioned above, if you believe a request is manifestly unfounded or excessive you must be able to demonstrate this to the individual. If an exemption applies, the reasons you give to an individual for not complying with their request may depend on the particular case. For example, if telling an individual that you have applied a particular exemption would prejudice the purpose of that exemption, your response may be more general. However, if it is appropriate to do so, you should be transparent about your reasons for withholding information.

When can you charge a fee?

Under Part 3 of the DPA 2018, you can no longer request a fee for processing a subject access request. However, you may charge a reasonable fee if you decide that a request to exercise a right under sections 45, 46, 47 or 50 is manifestly unfounded or excessive, but you still choose to respond to it.

If you do decide to charge a fee, you should notify the requester and say why. You do not need to send the information or respond to the request until you have received the fee. The time limit for responding to the request begins once the requester has paid the fee.

If you decide on a reasonable fee, you must be able to justify the cost, in case the requester makes a complaint to the Information Commissioner.

Example

An individual repeatedly requests a personal file through the right of access. You have given them the same file before, but you decide to respond to the request because you think they may have lost the file and it is harmful for them not to have this information.

You tell the individual you are charging them a fee for this information, based on the cost of administration. Once you have received the fee, you provide the information within one calendar month.