The government's response to its 'Data: a new direction' consultation suggests that an inappropriate 'purpose' for making a DSAR could soon be used as a reason to refuse to respond
For many years, businesses have complained of the costs of dealing with data subject access requests (DSARs), and that they are often being used by individuals not to protect their data rights, but as an improper alternative to pre-action disclosure, or as a method of imposing costs on businesses to gain leverage in settlement discussions.
This problem has been exacerbated since the General Data Protection Regulation (GDPR) was introduced, with businesses unable to charge data subjects for making a DSAR (before the GDPR, they were able to charge £10), and with the emergence of data portals and claims management companies facilitating bulk requests.
While there is no intention from the government to re-introduce a nominal charge for DSARs, the response to the "Data: a new direction" consultation suggests that businesses may soon be able to refuse a DSAR "where access to personal data or concerns about its processing are not the purpose of the request". This would be a very welcome development for data controllers.
Background to the consultation
The consultation was launched on 10 September 2021 by the government as part of its drive to take advantage of the UK leaving the EU and being able to set its own legislative framework; it included an objective of "reducing burdens on business and delivering better outcomes for people" and asked respondents to consider (among many other things): (i) whether a charge should be re-introduced for DSARs; and (ii) whether the current threshold for refusing a DSAR on the basis of it being manifestly unfounded should be changed.
Outcome of the consultation
Having received almost 3,000 responses to the consultation, the government published its response on 23 June 2022. The response confirmed that the government:
- does not plan to introduce a nominal fee for data subject access requests; and
- does plan to amend the threshold for refusing to respond to, or charging a reasonable fee for, a data subject access request from "manifestly unfounded or excessive" to "vexatious or excessive".
The Data Reform Bill
The amendment of the threshold under UK GDPR is to be made by the passing of the Data Reform Bill, which was published on 18 July 2022. Paragraph 7 of the Bill adds a new Article 12A to the UK GDPR, which permits data controllers to charge a fee or refuse to respond to a data subject access request if it is vexatious or excessive. It states that whether a request is vexatious or excessive must be determined with regard to the circumstances of the request, including (so far as is relevant):
- the nature of the request;
- the relationship between the data subject and the controller;
- the resources available to the controller;
- the extent to which the request repeats a previous request made by the data subject to the controller;
- how long ago any previous request was made; and
- whether the request overlaps with other requests made by the data subject to the controller.
Paragraph 7 of the Bill also provides examples of requests that may be vexatious, including those that:
- are intended to cause distress;
- are not made in good faith; or
- are an abuse of process.
Osborne Clarke comment
The true effect of this proposed change in the law will largely depend on how the Information Commissioner's Office (ICO) and the courts choose to interpret the term "vexatious" in any new DSAR guidance.
If the ICO chooses to define it widely, so that it covers requests made in the context of a wider dispute where "access to personal data or concerns about its processing are not the purpose of the request" (which the consultation paper suggests was the government's aim), it would provide a strong first line of defence to DSARs made in the context of litigation, particularly where the requestor does little to dress up their real motives.
However, the DSAR regime will still be open to abuse by skilled lawyers who, rather than making DSARs as part of letters before action, will advise their clients to make the requests independently of any dispute, making very clear that they are very concerned about the processing of their data. Data controllers will need to consider carefully how they challenge these requests.
In addition to clarifying the purpose of DSARs, more robust guidance on the proportionality of requests would be welcome. Data subjects should be strongly encouraged to narrow the scope of requests to what is really of concern rather than the typical "please can I have a copy of all my data" requests that feature strongly in employment disputes in particular.
We are therefore left waiting for the Data Reform Bill to become law, and for the ICO guidance that will follow. Until then, data controllers are not entitled to refuse DSARs on the basis that they are being used as a litigation tactic, and will need to continue responding to DSARs in a timely, reasonable and proportionate manner.