The Information Commissioner’s Office ('ICO') has recently updated its guidance on responding to subject access requests
Manifestly unfounded and excessive requests
Amongst the many changes introduced by the GDPR, one of the most important was the introduction of enhanced individual rights for data subjects to access, delete, restrict or correct personal data held by data controllers. This right of access allows individuals to understand how and why organisations are using their data as well as the accuracy of any information held.
However, included in the rules relating to data subject requests was an exception allowing controllers to refuse such requests which are "manifestly unfounded or excessive" (GDPR Art 12(5)). The ICO recently published its guidance on what constitutes "manifestly unfounded or excessive" in the context of processing by law enforcement institutions. Whilst the note is largely in line with previous guidance on the subject for the private sector, it is worth revisiting the key points of this important exception.
According to the ICO, a manifestly unfounded claim is one in which an individual "has no clear intention to access the information or is malicious in intent and is using the request to harass an organisation with no real purposes other than to cause disruption". While each request must be considered on its individual merits, the ICO has suggested the following as examples of claims which may be deemed to be manifestly unfounded:
- the individual has explicitly stated that they intend to cause disruption;
- the request makes unsubstantiated accusations against the organisation or its employees;
- the individual is targeting a particular employee against whom they have some personal grudge; or
- the individual systematically or frequently (e.g. once a week) sends different requests with the intention of causing disruption.
The key is to consider whether, for each request, the individual has a genuine desire to exercise their rights. The onus is on the controller to demonstrate that, taking into account the context in which the request is made, it is clearly and obviously unfounded.
The ICO reiterated that each request must be considered on a case-by-case basis but that a request may be considered excessive where it overlaps with or repeats previous requests. However, the ICO goes on to state that a request is unlikely to be deemed excessive where:
- a reasonable period of time has elapsed since the individual's last request, taking into account the nature and the purpose of processing, how often data is altered and other individual rights that apply; or
- there is a legitimate reason for the repetition.
Equally, a request is not to be deemed excessive based solely on the fact that it is particularly wide or burdensome. In such a case, the controller may ask for clarification but is still obliged to carry out a 'reasonable' search for the information. However, in certain cases, the data subject’s cooperation and provision of additional information may be necessary in order for the controller to carry out such a reasonable search. The ICO has also published helpful guidance for individual data subjects informing them what to expect when making subject access requests, which organisations may refer to when dealing with data subjects.
Dealing with a 'manifestly unfounded or excessive' request
A controller has two options for dealing with a request which it considers to fall within either of the two categories described above.
A controller may refuse to comply with the request. In this case, there is a duty on the controller to inform the individual concerned of the reasons for refusing the request and their right to make a complaint to the ICO and/or seek a judicial remedy.
Alternatively, a controller may decide to respond to a request even though it considers the request to be manifestly unfounded or excessive. In this case, the controller is entitled to make its compliance with the request contingent on receipt of a 'reasonable fee' from the individual concerned. The controller must be able to justify the level of fee requested, and the fee must be based on the administrative costs of complying with the request. Assuming the fee requested is reasonable, the time limit for responding to the request is paused pending the data subject’s payment of the requested fee.
Time limits for responding to subject access requests
The time limit for responding to data subject requests is "without undue delay and in any event within one month of receipt of the request" (Art 12(3) GDPR). This can, with ICO consent, be extended by up to two months.
Previously the ICO had said that the deadline for responding to a request started the day after receipt, expiring on the corresponding date of the next month (or if there is no corresponding date, the last day of the month). Where this date fell on a weekend or public holiday, the deadline would be the next working day.
However, under the new ICO guidance, the period for responding should now be calculated from the day the request is received. The corresponding day and working day rules continue to apply but the change has the effect of reducing the period in which a controller must respond by one day. It is worth noting that the primary obligation of controllers is to respond ‘without undue delay’ and therefore the time limits should be seen as a longstop rather than a target.
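The deadline rules above (period running from the day of receipt under the current guidance or from the day after receipt under the previous one, expiry on the corresponding date of the following month or the last day of that month where no corresponding date exists, and roll-forward to the next working day over weekends and public holidays) are easy to get wrong at month ends. The following is an added worked example, not code from the ICO or from the article, that implements those rules as stated so a controller can compute the long-stop date for a request. The public-holiday set it uses is constructed for illustration; a real deployment would supply the relevant jurisdiction's holiday calendar.

```python
from datetime import date, timedelta
import calendar


def corresponding_date_months_later(start: date, months: int) -> date:
    """Return the same day-of-month `months` later, or the last day of that
    month where the corresponding date does not exist (e.g. 31 Jan -> 28/29 Feb)."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(d: date, public_holidays=frozenset()) -> date:
    """Roll forward over Saturdays, Sundays and any listed public holidays."""
    while d.weekday() >= 5 or d in public_holidays:
        d += timedelta(days=1)
    return d


def response_deadline(received: date, *, public_holidays=frozenset(),
                      new_guidance: bool = True, extension_months: int = 0) -> date:
    """Long-stop date for responding to a subject access request.

    new_guidance=True  -> period runs from the day of receipt (current ICO position)
    new_guidance=False -> period runs from the day after receipt (previous ICO position)
    extension_months   -> 0, 1 or 2 additional months where an extension applies
    """
    if not 0 <= extension_months <= 2:
        raise ValueError("the one-month period can be extended by at most two months")
    start = received if new_guidance else received + timedelta(days=1)
    nominal = corresponding_date_months_later(start, 1 + extension_months)
    return next_working_day(nominal, public_holidays)


def deadline_iso(received_iso: str, *, public_holidays=(), new_guidance: bool = True,
                 extension_months: int = 0) -> str:
    """Convenience wrapper working on ISO date strings, e.g. '2020-01-13' -> '2020-02-13'."""
    holidays = frozenset(date.fromisoformat(h) for h in public_holidays)
    return response_deadline(date.fromisoformat(received_iso), public_holidays=holidays,
                             new_guidance=new_guidance, extension_months=extension_months).isoformat()


if __name__ == "__main__":
    # Constructed public-holiday set for illustration only (Christmas Day 2020 and a
    # substitute bank holiday the following Monday); not an authoritative calendar.
    holidays = ("2020-12-25", "2020-12-28")
    for received in ("2020-01-13", "2019-01-31", "2020-01-15", "2020-11-25"):
        print(received,
              "old guidance:", deadline_iso(received, new_guidance=False, public_holidays=holidays),
              "new guidance:", deadline_iso(received, public_holidays=holidays))
```

Running it shows the one-day reduction the guidance introduced (a request received on 13 January 2020 now falls due on 13 February rather than 14 February), the month-end rule (31 January 2019 runs to 28 February under the new rule but to 1 March under the old one, because the old period started on 1 February), and the working-day roll-forward (15 January 2020 nominally expires on Saturday 15 February and so moves to Monday 17 February).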
Failure to comply
The ICO has the power to sanction organisations which fail to comply with their data protection obligations relating to individual rights, up to a maximum of €20m or 4% of global annual turnover (whichever is higher). Recent ICO enforcement action, namely the intention to fine British Airways (£183m) and Marriott International (£99m), shows that the regulator is more willing than ever to protect the rights of data subjects and is unlikely to look favourably on organisations which consistently fail to respect those rights.