The Information Commissioner’s Office (ICO) has updated its guidance on access requests and whether such requests are manifestly unfounded or excessive, providing further clarification to the definitions in the guidance and on how data controllers should respond to such requests. We summarise the key points below.

Background

A data subject has rights under the Data Protection Act 2018 to send requests to the data controller pertaining to their personal data, for example: the right of access (section 45), right to rectification (section 46), right to erasure or restriction of processing (section 47) and requests relating to automated decision-making (section 50).

On the other hand, if a data controller finds requests to be “manifestly unfounded or excessive”, it may refuse to act or charge a reasonable fee for the requests, under section 53. The importance of how the data controller makes this decision has now been considered by the ICO.

Guidance

The ICO has given further clarification to the meaning of section 53, as summarised below:


“Manifestly unfounded”: where it is obvious or clear (“manifestly”) that the individual has no intention to access the information or is malicious in intent, and/or is using the request to harass, with no real purpose other than to cause disruption.

Some factors contributing to a malicious intent include: when the individual admits that they are causing disruption, makes unsubstantiated accusations, or holds personal grudges against the controller on a systematic (e.g., weekly requests) basis.

“Excessive”: where the request “repeats the substance of previous requests and a reasonable interval has not elapsed; or overlaps with other requests”.

A large request or a request on the same issue does not in itself mean that it is excessive; controllers should still make reasonable searches when handling large requests, and demonstrate good practice through appropriate records management procedures.

A repeated request may not be excessive if a reasonable amount of time has elapsed since the last request. Controllers should consider factors such as the nature of the data, the purpose of the processing, and whether the data is likely to have been altered (in which case new versions should be produced).


Importantly, a case-by-case approach must be used, and requests are to be considered within the context of each situation. For example, a request that is worded aggressively or abusively does not automatically qualify as manifestly unfounded. Similarly, a new request from an individual should not be presumed to be manifestly unfounded or excessive, even if they have a record of submitting such requests in the past.

Refusal to act on the request, and reasonable fees

If the controller decides not to comply with the individual’s request, it must state its reasons for the decision, and inform the individual of their right to make a complaint to the ICO and the ability to seek to enforce the right through judicial remedies. The key here is to ensure that the process remains transparent to the individual. In the event of proceedings, the burden is placed on the controller to show that the request is manifestly unfounded or excessive (section 53(3)).

In the event a controller has deemed the request to be manifestly unfounded or excessive, but still chooses to respond, it may charge a reasonable fee. The controller should inform the individual of the fee, and is entitled not to respond, or to withhold the information, until the fee has been paid. Controllers can also charge a reasonable fee for the administrative cost of providing further copies of information that was previously requested (a request which is, in itself, unlikely to be excessive).

Comment

This guidance will aid organisations in the practical implementation of how to respond to requests, and also serves as a reminder of how organisations can exercise their right to refuse to comply and manage any cost implications when answering requests. To echo the ICO, controllers should consider each request on a case-by-case basis, and should not simply adopt a blanket policy. It is also worth bearing in mind that the controller should always be prepared to justify any of its actions before the ICO, should the individual concerned choose to raise a complaint.