Last reviewed 29 October 2020
Under the General Data Protection Regulation (GDPR), individuals have the right to obtain a copy of their personal data from whoever is processing it.
This right of access is exercised via subject access requests (SARs), which can only be refused if they are “manifestly unfounded” or “manifestly excessive”.
Furthermore, it is possible to charge a fee for excessive, unfounded or repeat requests, but this must be based on the effort involved.
The Information Commissioner’s Office (ICO), the UK’s independent regulatory authority with regard to data protection, has recognised that there is a lack of clarity in both these areas that has left employers, in particular, confused as to what constitutes a manifestly excessive request and what is a reasonable fee.
Having consulted on these questions, and received over 350 responses from organisations of all sizes and sectors, the ICO has now produced detailed guidance on the right of access and SARs.
As well as the two points detailed above, this examines a problem raised by a number of respondents — what happens if it is not possible to satisfy a request within the stated time limits?
The full guidance can be found at ico.org.uk; the three main points are summarised below.
Manifestly excessive SARs
Before refusing a request on this ground, it is necessary to consider whether the request is proportionate when balanced with the burden or costs involved in dealing with it.
The ICO emphasises that a request is not necessarily excessive just because the individual requests a large amount of information. Employers must take into account:
the nature of the requested information
the context of the request, and the relationship with the individual
whether a refusal to provide the information or even acknowledge that it is held may cause substantive damage to the individual
the available resources
whether the request largely repeats previous requests without a reasonable interval having elapsed
whether it overlaps with other requests (although if it relates to a completely separate set of information, it is unlikely to be excessive).
This section of the guidance goes on to look at specific exemptions from having to comply with SARs and how they work as well as general considerations to be taken into account.
For example, each request must be considered individually; it is not possible to have a blanket policy.
Manifestly unfounded SARs
A request may be manifestly unfounded if:
the individual clearly has no intention to exercise their right of access; for example, they make a request, but then offer to withdraw it in return for some form of benefit from the organisation
the request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption
it targets a particular employee against whom the requester has some personal grudge
it makes unsubstantiated accusations against the organisation or specific employees which are clearly prompted by malice.
Note that the ICO states: “Whilst aggressive or abusive language is not acceptable, the use of such language does not necessarily make a request manifestly unfounded.”
Stopping the clock
Asked about complicated requests that potentially cannot be answered within the 30-day time limit, the ICO has clarified that its position is now that, in certain circumstances, the clock can be stopped while organisations wait for the requester to clarify their request.
In most cases, the ICO makes clear, no fee should be charged when complying with a SAR.
However, exceptions to this rule are possible if the request is manifestly unfounded or excessive, or if an individual requests further copies of their data following a request.
A “reasonable fee” may include the costs of:
photocopying, printing, postage and any other costs involved in transferring the information to the individual (eg the costs of making the information available remotely on an online platform)
equipment and supplies (eg discs, envelopes or USB devices).
The costs of staff time should be based on the estimated time it will take staff to comply with the specific request, charged at a reasonable hourly rate.
As fees should be calculated in a reasonable, proportionate and consistent manner, the ICO suggests that it would be good practice to establish an unbiased set of criteria for charging fees which explains:
the circumstances in which a fee is charged
the standard charges (including a costs breakdown where possible, eg the costs per A4 photocopy)
how the fee is calculated — explaining the costs taken into account including the costs of staff time.