In more detail
- Can we refuse to comply with a request?
- What does manifestly unfounded mean?
- What does manifestly excessive mean?
- What general considerations should we take into account when deciding if a request is manifestly unfounded or excessive?
- What are exemptions and how do they work?
- What should we do if we refuse to comply with a request?
Yes. If an exemption applies, you can refuse to comply with a SAR (wholly or partly). Not all exemptions apply in the same way and you should look at each exemption carefully to see how it applies to a particular request.
You can also refuse to comply with a SAR if it is:
- manifestly unfounded; or
- manifestly excessive.
A request may be manifestly unfounded if:
- the individual clearly has no intention to exercise their right of access. For example an individual makes a request, but then offers to withdraw it in return for some form of benefit from the organisation; or
- the request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption. For example, the individual:
- explicitly states, in the request itself or in other communications, that they intend to cause disruption;
- makes unsubstantiated accusations against you or specific employees which are clearly prompted by malice;
- targets a particular employee against whom they have some personal grudge; or
- systematically sends different requests to you as part of a campaign, eg once a week, with the intention of causing disruption.
This is not a simple tick list exercise that automatically means a request is manifestly unfounded. You must consider a request in the context in which it is made. If the individual genuinely wants to exercise their rights, it is unlikely that the request is manifestly unfounded.
Whilst aggressive or abusive language is not acceptable, the use of such language does not necessarily make a request manifestly unfounded.
An individual makes a subject access request to an online retail company for their personal data. They state that they are making a SAR in accordance with the GDPR and that if the company credits the individual’s online account with a specified sum of money, they will withdraw their request. The company is correct to consider the request as manifestly unfounded.
To determine whether a request is manifestly excessive you need to consider whether it is clearly or obviously unreasonable. You should base this on whether the request is proportionate when balanced with the burden or costs involved in dealing with the request.
This will mean taking into account all the circumstances of the request, including:
- the nature of the requested information;
- the context of the request, and the relationship between you and the individual;
- whether a refusal to provide the information or even acknowledge if you hold it may cause substantive damage to the individual;
- your available resources;
- whether the request largely repeats previous requests and a reasonable interval hasn’t elapsed; or
- whether it overlaps with other requests (although if it relates to a completely separate set of information it is unlikely to be excessive).
A request is not necessarily excessive just because the individual requests a large amount of information. As stated above, you must consider all the circumstances of the request. You should also consider asking the individual for more information to help you locate the information they want and whether you can make reasonable searches for the information. Please see ‘Can we clarify the request?’ and ‘What efforts should we make to find information?’.
You should consider the following when deciding whether a reasonable interval has elapsed:
- the nature of the data – this could include whether it is particularly sensitive; and
- how often you alter the data – if it’s unlikely that the information has changed between requests, you may decide you do not need to respond to the same request twice. However, if you have deleted information since the last request, you should inform the individual of this.
What general considerations should we take into account when deciding if a request is manifestly unfounded or excessive?
You must take the following into account when determining whether a request is manifestly unfounded or excessive:
- consider each request individually – you should not have a blanket policy;
- do not presume that a request is manifestly unfounded or excessive just because an individual has previously submitted a manifestly unfounded or excessive request;
- the inclusion of the word “manifestly” means there must be an obvious or clear quality to unfoundedness/excessiveness; and
- ensure you have strong justifications for why you consider a request to be manifestly unfounded or excessive, which you can clearly demonstrate to the individual and the ICO.
The GDPR and DPA 2018 recognise that, in some circumstances, you might have a legitimate reason for not complying with a SAR, so there are a number of exemptions from the right of access. Where an exemption applies to the facts of a particular request, you may refuse to provide all or some of the requested information, depending on the circumstances.
Not all of the exemptions apply in the same way. You should look at each exemption carefully to see how it applies to a particular SAR. Some exemptions apply because of the nature of the personal data in question, eg information contained in a confidential reference. Others apply because disclosure of the information is likely to prejudice your purpose, ie it would have a damaging or detrimental effect on what you are doing.
If an exemption does apply, sometimes you are obliged to rely on it (for instance, if complying with GDPR would break another law), but sometimes you can choose whether to or not.
You should not routinely rely on exemptions or apply them in a blanket fashion, and should consider each one on a case-by-case basis.
In line with the accountability principle, you should justify and document your reasons for relying on an exemption so you can demonstrate your compliance.
The following sections look at the exemptions most likely to occur in practice.
If you refuse to comply with a request, you must inform the individual of:
- the reasons why;
- their right to make a complaint to the ICO or another supervisory authority; and
- their ability to seek to enforce this right through the courts.
If you believe a request is manifestly unfounded or excessive, you must be able to demonstrate this to the individual. Where an exemption applies, the reasons you give to an individual for not complying with a request may depend upon the particular case. For example, if telling an individual that you have applied a particular exemption would prejudice the purpose of that exemption, your response may be more general. However, where possible, you should be transparent about your reasons for withholding information.