The Information Commissioner’s Office (ICO) has updated its guidance on access requests and whether such requests are manifestly unfounded or excessive, providing further clarification to the definitions in the guidance and on how data controllers should respond to such requests. We summarise the key points below.

Background

A data subject has rights under the Data Protection Act 2018 to send requests to the data controller pertaining to their personal data, for example: the right of access (section 45), right to rectification (section 46), right to erasure or restriction of processing (section 47) and requests relating to automated decision-making (section 50).

On the other hand, if a data controller finds requests to be “manifestly unfounded or excessive”, it may refuse to act or charge a reasonable fee for the requests, under section 53. The importance of how the data controller makes this decision has now been considered by the ICO.

Guidance

The ICO has given further clarification to the meaning of section 53, as summarised below: