When can we refuse to comply with a subject access request (SAR)?

Under UK data protection law, an organisation can refuse to provide some or all of the information requested under a SAR where an exemption to the obligation to provide access to personal data applies. Additionally, if a SAR is “manifestly unfounded or excessive”, an organisation can either charge a reasonable fee for dealing with the SAR or refuse to deal with it.
Guidance from the Information Commissioner’s Office (ICO) says that for a SAR to be “manifestly excessive”, it must be “clearly or obviously unreasonable” in all the circumstances. The ICO goes on to clarify that organisations “… should base this on whether the request is proportionate when balanced with the burden or costs involved in dealing with the request” and recommends that the following criteria should be taken into account when deciding whether a SAR is “manifestly excessive”:
- The nature of the requested information.
- The context of the request, and the relationship between the organisation and the individual.
- Whether a refusal to provide the information, or even to acknowledge whether the organisation holds it, may cause substantive damage to the individual.
- The organisation’s available resources.
- Whether the SAR largely repeats previous SARs, and a reasonable interval hasn’t elapsed.
- Whether the SAR overlaps with other requests (although if it relates to a separate set of information, it is unlikely to be excessive).
However, just because the individual requests a large amount of information, it does not necessarily mean that the SAR is “manifestly excessive”. If an organisation faces such a SAR, then it might consider whether it can ask the individual to clarify their request.
The ICO guidance also explains that a SAR may be “manifestly unfounded” if:
- The individual clearly has no intention to exercise their right of access. For example, an individual makes a SAR, but then offers to withdraw it in return for some form of benefit from the organisation.
- The request is malicious in intent and is being used, for example, to harass specific employees or the organisation itself with no real purpose other than to cause disruption.
If the individual genuinely wants to exercise their rights, it is unlikely that the request is “manifestly unfounded”. Even if an individual uses abusive language, then this does not necessarily make a SAR “manifestly unfounded”.
Each request must be handled on a case-by-case basis and all the circumstances of the SAR must be fully and carefully taken into account.
If an organisation decides to refuse to comply with a SAR on the basis that it is “manifestly unfounded or excessive”, then the individual must be told why the organisation has reached that decision. They should also be informed of their rights to complain to the ICO and seek redress via the courts. This must be done without delay and at the latest within one month of the organisation receiving the SAR.
As the burden is on the organisation, as controller, to demonstrate that a SAR was “manifestly unfounded or excessive”, the organisation should record their reason(s) for refusing to comply with a SAR for future reference.
Finally, a recent case heard in the European Court of Justice will be of interest to those facing potentially “manifestly excessive” SARs. The case centred around the Austrian data protection authority’s reliance on the “manifestly excessive” exemption in Article 57(4) of the (EU) GDPR, which is similarly worded to the SAR “manifestly excessive or unfounded” exemption in the UK GDPR. The court concluded that Article 57(4) of the (EU) GDPR had to be interpreted as meaning that 1) complaints to a data protection authority could not be classified as “excessive” solely on the basis of the number received during a specific period, and 2) the data protection authority had to demonstrate, having regard to all the circumstances of the case, that there had been an “abusive intention” on the part of the individual making the complaint.
An example of this might be if an individual had lodged complaints where it was not objectively necessary to do so to protect their rights under the (EU) GDPR. Whilst the case is not binding on organisations subject only to the UK GDPR and does not specifically concern SARs, it does show that the European courts appear to be taking a rather restrictive view of the concept of “manifestly excessive”. This is reflected to a degree in the ICO’s guidance, which says that for a SAR to be “manifestly excessive” it must be “clearly or obviously unreasonable” and that a large volume of information alone is not a reason to refuse to deal with a SAR. In our view, it is likely to be a rare occasion when an organisation can legitimately refuse to comply with a SAR on the basis that it is “manifestly excessive or unfounded”.

Disclaimer
This information is intended for general informational purposes only and does not constitute legal advice. We recommend seeking professional advice before taking any action on the information provided. If you would like to discuss your specific circumstances, please feel free to contact us on 0800 2800 421.