Subject Access Requests
The Manifestly Unfounded Exemption.
A data subject access request (DSAR) gives individuals the right to obtain a copy of their personal data. It aids individuals in understanding how and why a business may be using their data, as well as helping them to check whether their data is being used lawfully. However, there are exemptions that apply which allow organisations to withhold information from disclosure. This blog post explores one such exemption – the manifestly unfounded exemption.
Article 15 of the UK GDPR states that data subjects have the right to obtain, on valid request, a description of:
• the purposes of and legal basis for the processing of personal data;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom the personal data has been disclosed;
• the period for which it is envisaged that the personal data will be stored;
• any available information as to the origin of the personal data.
As well as a copy of any data held on them.
However, the data controller has the right to refuse to act on a request if an exemption applies or if the DSAR, in accordance with Article 12.5, is “manifestly unfounded”. In these instances, the data controller must demonstrate why it is so.
The ICO states that a request may be “manifestly unfounded” if the individual has no clear intention to access the information or is malicious in intent and is using the request to harass an organisation with no real purposes other than to cause disruption. Factors that may indicate malicious intent include:
• the individual has explicitly stated in the request or in other communications that they intend to cause disruption;
• making unsubstantiated accusations against the company or any other specific members of staff;
• the individual is specifically targeting an employee in result of a personal grudge or;
• the individual constantly sends various requests to the company (e.g. once a week) as part of a campaign and intends to cause disruption.
However, the above does not automatically mean it is manifestly unfounded and the data controller must consider such a request in the context in which it is made. The onus is to be able to demonstrate that it is “obviously and clearly” (i.e. manifestly) unfounded. It should be noted that use of aggressive or abusive language does not, in itself, demonstrate a manifestly unfounded request, although it may be indicative.
An example of a request being “manifestly unfounded” is the Lees v Lloyds Bank high court case in 2020. In this case, a claimant submitted a series of DSARs over a period of time and the court concluded that Mr. Lees had no legitimate grounds to make said requests. Lloyds Bank had provided the individual with adequate responses to each of the DSARs and was not in breach of its obligation to provide data.
The court also concluded that even if Mr. Lees were able to show that Lloyds had not properly responded to his DSARs, they would not have made an order in his favour. This is because:
• Mr. Lees made multiple and repetitive DSARs that intended to cause disruption;
• the real purpose of the DSARs was to obtain documentation rather than personal data, and;
• the fact that the data sought would be of no benefit to the claimant.
Other case law examples include Ittihadieh v 5-11 Cheyne Gardens, and Deer v Oxford University.
Mr. Ittihadieh submitted a DSAR to a company explaining that he was concerned about what the company and its directors had been doing with his data. The individual had a vexed personal relationship with the directors and they lived in the same building as him. The company gave him 400 documents as a response to the DSAR but Mr. Ittihadieh was not satisfied and brought a claim to court. However, this claim was dismissed as the court concluded that Mr. Ittihadieh had a personal grudge against the directors as they were his neighbours, so the DSAR was “manifestly unfounded”.
Dr Deer also had a vexed relationship with the data controller (her employer, Oxford University) and submitted two DSARs as background to an ongoing employment tribunal litigation. The university disclosed some data to Dr Deer but on appeal they ended up reviewing 500,000 further documents at a cost of £116,000 resulting in 33 new documents containing Dr Deer’s personal data being disclosed (other documents were withheld on the basis they did not constitute Dr Deer’s personal data or were exempt as they were subject to legal privilege). Ms Deer was still not satisfied that she had received all the data she was entitled to but the court was satisfied that none of the withheld material constituted Ms Deer’s personal data and that Dr Deer’s motive for pursuing the litigation was “essentially antagonistic”.
Data controllers should consider a request in the context which it is made in and be able to demonstrate that the request is “manifestly unfounded”. They should consider the situation on a case-by-case basis and determine whether the individual genuinely wants to exercise their rights. If this is the case, then it is unlikely that the request is “manifestly unfounded”. It should not be presumed that a request is manifestly unfounded just because the individual has previously submitted requests which have been manifestly unfounded.
If the organisation does refuse to comply with a request then they must inform the individual of:-
• the reason/reasons why they have refused to comply (i.e legal privilege, malicious intent);
• their right to make a complaint to the ICO; and
• their ability to seek to enforce this right through the courts.
However, where data controllers choose to respond to a request they regard as manifestly unfounded then a “reasonable” few may be charged for doing so.
Written by Eve Hobson