Subject access request self serve
-
1. What is your question about?
Refusing a request or withholding information
-
2. What is your question?
A requester is harassing me, a member of staff or my organisation - can I refuse their request?
The following information might help answer your question
If a request is being used to harass and organisation or individual with no real purpose other than to cause disruption it may be considered manifestly unfounded.
You can refuse to comply with a SAR if it is manifestly unfounded
What does manifestly unfounded mean?
A request may be manifestly unfounded if:
- the individual clearly has no intention to exercise their right of access. For example an individual makes a request, but then offers to withdraw it in return for some form of benefit from the organisation; or
- the request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption. For example, the individual:
- explicitly states, in the request itself or in other communications, that they intend to cause disruption;
- makes unsubstantiated accusations against you or specific employees which are clearly prompted by malice;
- targets a particular employee against whom they have some personal grudge; or
- systematically sends different requests to you as part of a campaign, eg once a week, with the intention of causing disruption.
This is not a simple tick list exercise that automatically means a request is manifestly unfounded. You must consider a request in the context in which it is made. If the individual genuinely wants to exercise their rights, it is unlikely that the request is manifestly unfounded.
Whilst aggressive or abusive language is not acceptable, the use of such language does not necessarily make a request manifestly unfounded.
Example
An individual makes a subject access request to an online retail company for their personal data. They state that they are making a SAR in accordance with the UK GDPR and that if the company credits the individual’s online account with a specified sum of money, they will withdraw their request. The company is correct to consider the request as manifestly unfounded.
You must take the following into account when determining whether a request is manifestly unfounded or excessive:
- consider each request individually – you should not have a blanket policy;
- do not presume that a request is manifestly unfounded or excessive just because an individual has previously submitted a manifestly unfounded or excessive request;
- the inclusion of the word “manifestly” means there must be an obvious or clear quality to unfoundedness/excessiveness; and
- ensure you have strong justifications for why you consider a request to be manifestly unfounded or excessive, which you can clearly demonstrate to the individual and the ICO.
You need to inform the individual of your decision to withhold the information. For more information, read our detailed When can we refuse to comply with a request? guidance.