Organisations involved in difficult disputes often receive subject access requests (SARs) from disgruntled individuals. These can be made verbally or in writing, and even via social media.
It can be frustrating when the right of access request is clearly driven by a desire to seek evidence outside of the dispute disclosure process, or when the requestor is just trying to cause disruption or delay to the dispute process. However, these requests cannot be ignored.
The right, as set out in Article 15 of the UK GDPR, entitles data subjects to confirmation of whether their personal data is being processed and, if so, to access that personal data along with supplementary information about the processing. The Data Protection Act 2018 provides certain exemptions from the requirement to provide this information. Additionally, if a request is manifestly unfounded or manifestly excessive, organisations can charge a reasonable fee for providing the response or refuse to comply.
Manifestly unfounded: this applies if the requestor clearly has no intention to exercise their right, or if the request is malicious in intent or is being used to harass an organisation with no real purpose other than to cause disruption.
Manifestly excessive: this applies when the request is clearly or obviously unreasonable. The request will be unreasonable if it is not proportionate when balanced with the burden or costs involved in dealing with the request.
Determining whether a request is manifestly unfounded or manifestly excessive requires careful consideration and can be a complicated process. The Information Commissioner’s Office (ICO) advises that these decisions should be made on a case-by-case basis and should take all the individual circumstances surrounding the request into account.
The burden of proof to demonstrate that the request is manifestly unfounded or manifestly excessive rests with the controller, and such a decision must be carefully recorded in case it is challenged.
Reasons for refusal to comply with a request must be communicated to the individual, along with their right to make a complaint to the ICO and their ability to seek enforcement of this right through the courts.
Top tips for managing SARs
Be prepared: put internal procedures in place to manage requests effectively.
Understand the right: ensure you can recognise a SAR, know how to respond within the one-month deadline, and know the circumstances in which this may be extended for complex requests.
Understand the request: seek clarification if needed to understand the scope.
Search thoroughly: conduct comprehensive searches across all locations.
Exemptions and redactions: apply exemptions where applicable, redacting as necessary.
Respond: whether refusing or providing information, respond promptly and within the deadline.
For more details, see our article: ‘Responding to a subject access request’.
If you have any queries regarding subject access requests or need help in implementing exemptions, contact our Data Protection team.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at July 2024.