Subject Access Requests – Part 2: Refusing to Comply
In our previous blog, “Subject Access Requests – The Fundamentals”, we provided basic guidance on how to respond to a subject access request (“SAR”), together with essential details such as the time limits by which organisations need to comply and the supplementary information that must be provided with the response to the SAR. However, there may be occasions when organisations have a good reason not to respond to a SAR. In this blog, we take a look at some of the situations in which an organisation may lawfully refuse to provide the personal data requested.
Manifestly Unfounded or Excessive
Under Article 12(5) of the UK GDPR, organisations can lawfully refuse to process a SAR, if it is deemed to be “manifestly unfounded or excessive”.
A request may be regarded as “manifestly unfounded” if the individual making the request has no genuine desire to exercise their rights but has clearly submitted the SAR with malice or with the intention of causing disruption or harassment to an organisation. For example, if an ex-employee was dismissed from their position and because they bear a grudge, they submit a SAR to their former employer in the hope of disrupting their business, their action could be regarded as “manifestly unfounded”. Such an argument is strengthened if the ex-employee proposes to withdraw their SAR if they are given a lump sum.
However, on every occasion, it is for the controller to demonstrate that the SAR falls within this category, which, in some cases could be difficult to do, bearing in mind that the starting point is that individuals are entitled to exercise their right of access and are under no obligation to explain why they wish to do so. It is also worth noting that a request does not automatically become “manifestly unfounded” simply because the requestor uses foul or abusive language, although it is a factor to take into consideration.
A request may be regarded as “manifestly excessive” if it is clearly unreasonable. Reaching a decision on this would depend on various matters such as whether the request repeats previous requests made only a short while ago or overlaps with previous requests. For example, if an individual submits a SAR once a fortnight but the information being processed by the organisation has not changed since responding to the first SAR, this would be regarded as manifestly excessive.
Other relevant factors to take into consideration include, amongst other things, the context of the request and the nature of the relationship between the individual and the organisation. For example, if an individual makes a request to social services for information relating to when they were in care between the ages of 4 and 16, this would involve a great deal of work for social services as there will be a large volume of data for them to review. However, this does not mean that the request is “manifestly excessive.” Indeed, if the purpose of the request is to enable the data subject to piece together what happened to them as a child, this would be regarded as important information for the individual and it is unlikely that the request would be classed as manifestly excessive.
That said, the government has indicated that, as part of the UK data protection reforms, it proposes to change the test for refusing to process a SAR from “manifestly unfounded or excessive” to “vexatious or excessive”. The idea is that the test will have a broad application providing more scope for organisations to refuse requests. For example, the new test will allow controllers to take into consideration factors such as their resources, and whether the requests are intended to cause distress or are an abuse of process. The aim is to reduce the burden on organisations. However, the government recently confirmed that the data reform bill is on hold to allow ministers to take another look at it so it is unclear whether this proposal will come to fruition.
If a SAR is not regarded as “manifestly unfounded or excessive”, there may be an exemption that can be relied upon to justify refusing to respond. Schedule 2 of the Data Protection Act 2018 (“DPA 2018”) sets out numerous exemptions and we consider several of the most regularly used ones below. However, before we take a look at those, it’s important to highlight that not all exemptions apply in the same way. Some exemptions apply because the disclosure of the information would be likely to prejudice your purpose. For example, if you were assisting the police with an investigation relating to the data subject, it would prejudice that investigation if you were to disclose details of it in response to a SAR. Other exemptions apply because of the nature of the personal data in question such as information contained in a confidential reference. Further, some exemptions are “permissive” exemptions, meaning that you are permitted to rely on them if you so wish i.e you have a choice. However, there are some exemptions that you are obligated to rely on because if you comply with the UK GDPR, you would break another law.
Therefore, each exemption should be considered carefully and applied in the appropriate manner. They should also be applied to each piece of data rather than to a whole file or SAR in a blanket fashion. In particular, all personal data that can be lawfully disclosed under a SAR should be provided to the data subject but any personal data that needs to be withheld because of an exemption should be redacted. If any exemptions are relied upon, it should be explained to the data subject in the most transparent way possible, without prejudicing your purpose of using the exemption. For example, if an exemption is relied upon to withhold information relating to a police investigation, it would not be appropriate to share this level of detail with the data subject and the explanation for redacting information would need to be much more general.
Schedule 2 of the DPA 2018 provides that personal data does not need to be provided in response to a SAR if doing so would involve disclosing information relating to another individual. This is because the data subject is only entitled to their own personal data and not the personal data of anyone else and organisations have a duty not to disclose personal data to others not entitled to see it.
Invariably, documents containing the personal data of one person will also include the personal data of someone else. In some cases, it will be neither unfair nor unlawful to disclose the information of the third party. For example, if a third party is mentioned in emails received from the data subject because the data subject already has that information. In other cases, information relating to third parties may need to be redacted. It is worth highlighting that, the redaction should be carried out in such a way that the data subject will not be able to work out who the third party is, bearing in mind any information the data subject already has or is reasonably able to get hold of.
In deciding whether or not to redact the personal data of third parties, the following should be considered:
- The type of information that would be disclosed
- Any duty of confidentiality owed to the other individual
- Any steps are taken to obtain consent from the other individual
- Whether the other individual is capable of giving consent
- Any express refusal of consent of the other individual
That is not to say that consent of the third party should always be sought. In some cases, it will not be appropriate to even seek consent.
Legal privilege covers:
- legal advice privilege
- litigation privilege
Legal advice privilege applies when a client communicates with their legal advisor for the purpose of obtaining legal advice.
Litigation privilege applies where a client communicates with their legal advisor or a third party where legal proceedings have been instigated or are contemplated.
In both cases, ‘communications’ is interpreted very broadly and can consist of emails, texts, letters memos, photos, recordings etc.
Therefore, any information falling into this category would not need to be disclosed in response to a SAR. However, there are particular conditions that need to be satisfied when relying on these exemptions and, as such, your data protection officer may need to be consulted.
Management information is any information within an organisation that relates to management forecasting or planning. For example, information about redundancies or restructuring a business would fall into this category. Management information can be withheld when responding to a SAR if disclosing the information would be likely to prejudice the organisation’s plans. Therefore, if an employee made a SAR at the time that the organisation was planning to make him or her redundant, the organisation could withhold the information relating to the redundancy when responding to the SAR, by applying this exemption.
It is common practice for organisations to request references from a candidate’s former employers before making them a job offer. Such references may be provided in confidence and if so, the exemption relating to references may be relied upon to prevent the disclosure of the reference in the event that the individual makes a SAR. The exemption applies whether the SAR is submitted to the party receiving the reference or receiving it. This means that the reference can be withheld in reliance on the exemption whether the employee sends their SAR to their former employer or their new employer.
On occasions, students may find it useful to obtain a copy of the answers they submitted during an exam. However, Schedule 2 of the DPA 2018 provides an exemption in relation to this information. This means that, if a student made a SAR, hoping to receive a copy of the information they submitted during the course of an exam, this will not be provided.
That said, the exemption does not apply to the examiner’s comments when marking the exam script and, as such, the student can request this information. However, if such as request is made before the exam results are announced different time limits apply to those ordinarily applied to SARs. In particular, the organisation has five months (rather than one month) to respond or 40 days of announcing the exam results, if this is earlier.
The above covers some of the most frequent scenarios for refusing to process a SAR. In the next part of this series, “Part 3 – Third Parties and Complaints Data”, we look more closely at the circumstances in which it is lawful to disclose third-party data and when it’s not and when it is appropriate to disclose the information contained within complaints files.
Need help with responding to Subject Access Requests?
"*" indicates required fields