Subject access requests (SARs) can often be a costly, complex and burdensome process for data controllers. In particular, there is an increasing pattern of SARs being used as an improper alternative to pre-action disclosure.
A consultation was launched by the Government as part of its drive to take advantage of the UK leaving the EU and being able to set its own legislative framework. This consultation considered whether the current threshold for refusing a SAR (namely whether it is manifestly unfounded) should be changed.
The Government published its response on 23 June 2022, confirming that it plans to amend the threshold for refusing to respond to, or charging a reasonable fee for, a SAR from “manifestly unfounded or excessive” to “vexatious or excessive”.
This amendment is to be made by passing the Data Reform Bill. The Bill was published on 18 July 2022 and is expected to make its way through Parliament in September. Paragraph 7 of the Bill adds a new Article 12A to the UK GDPR which permits data controllers to charge a fee or refuse to respond to a SAR if it is vexatious or excessive.
Whether a request is vexatious or excessive must be determined by having regard to the circumstances of the request, including (so far as relevant):
(a) the nature of the request;
(b) the relationship between the data subject and the controller;
(c) the resources available to the controller;
(d) the extent to which the request repeats a previous request made by the data subject to the controller;
(e) how long ago any previous request was made; and
(f) whether the request overlaps with other requests made by the data subject to the controller.
Helpfully, the Bill also provides tangible examples of “vexatious” requests. These include requests which are intended to cause distress, which are not made in good faith, or which constitute an “abuse of process”.
This has the potential to provide much-awaited relief to data controllers. Case law to date has confirmed that the intention of a SAR cannot be taken into account.
In particular, the Court of Appeal in Dawson-Damer v. Taylor Wessing LLP, [2017] EWCA Civ 74 considered whether a court can use its discretion under section 7(9) of the Data Protection Act 1998 (“DPA”) not to compel compliance with a SAR where the data subject’s real motive is to use the personal data to assist in litigation. This case confirmed that as the DPA does not limit the purposes for which a SAR may be made, it would be “odd” to conclude that the sole purpose of a SAR must be to verify the accuracy of the data subject’s personal data. Such a “no other purpose” rule would have undesirable consequences, such as non-compliance by data controllers on the basis that the data subject had an ulterior motive for making the SAR.
In contrast, the examples set out in the Bill suggest the wider context in which the SAR is made, such as ongoing litigation proceedings, could potentially be taken into account. We will await further guidance which we suspect will be issued by the ICO.
For more information, please contact Hetal Ruparelia, Partner and Head of our Information Team.