The recent introduction of the Data Protection and Digital Information Bill provides further insight into the government's plans for reducing the burden caused to many organisations by data subject access requests (DSARs).

There are two measures under consideration for DSARs:

  1. Amending the thresholds for the manifestly unfounded and/or manifestly excessive exemptions.
  2. Introducing a fee and/or costs cap.

The Bill tackles the first of these by seeking to amend the threshold from "manifestly unfounded or excessive" to "vexatious or excessive". Where a DSAR crosses this new threshold, the data controller could either charge a reasonable fee for dealing with the DSAR or refuse to respond. However, the government currently does not intend to go further than this by introducing either a general fee for making a DSAR or a costs cap on the maximum effort that a data controller is required to expend in responding to a DSAR.

As with the prior criteria ("manifestly unfounded or excessive"), these new terms are not defined, but the examples provided of vexatious requests include requests that are intended to cause distress, are not made in good faith, or are an abuse of process. It appears that the government is looking to raise the bar on what amounts to a valid DSAR in an attempt to return the use of DSARs to their original purpose: to check that a data subject's privacy is being respected.

DSARs and litigation

One of the biggest issues faced by organisations is DSARs made in the lead-up to litigation, in particular in relation to employees. There can be vast volumes of data which are of no relevance to the litigation but which will be caught by a DSAR. Businesses are burdened with responding to the DSARs, even though data subjects receive a pack of redacted documents which does not contain the "smoking gun" they thought existed. Both parties have spent considerable time to be no further forward.

It will be of interest to see if the ICO will expressly provide in later guidance that DSARs made when there is litigation in contemplation, or underway, will be considered to be vexatious requests on the basis that the DSAR is being used as an abuse of process to obtain disclosure of documents.

We have seen this approach adopted in the German Courts (considered in the second in our two-part series on DSAR developments in Europe). Given this approach was adopted under the old wording, and "vexatious" is intended to be a lower threshold, it should follow that organisations can refuse to respond to DSARs made for the purposes of obtaining documents for litigation.

Whilst this lowering of the threshold will be welcomed by data controllers, the Bill is some way off becoming law and this remains an unclear area, with guidance from government and the ICO needed before the legislation is brought into force. In the meantime, it will be left to the Courts to set the boundary between permitted and vexatious DSARs, and there are tentative signs that they are willing to refuse DSARs where they are considered an abuse of process.[1] It may be that, in light of the new policy direction from government, the Courts are willing to adopt a firmer line.

Data Protection and Digital Information Bill

For further consideration on the impacts of the Data Protection and Digital Information Bill, please see our full briefing.
