Vexatious Individuals – Identifying Unreasonable Requests
This week’s episode of the Data Protection Made Easy Podcast is extra special as we have just hit an amazing milestone. 1000 Subscribers! That 1000 Data Protection Practitioners tune in and listen to our many discussions surrounding data protection. This week’s episode marks number 94 in the series with each one covering a different area of data protection. Our goal is to make data protection easy and understandable for everyone meaning our community has every type of individual from Students to full-time Data Protection Officers (DPOs). If you would like to sign up and join our community, follow this link: https://dataprotectionpeople.com/events/
During this week’s episode of the Data Protection Made Easy Podcast, our amazing hosts, Oliver Rear, Charlotte Hogg and David Holmes join together to discuss ‘Vexatious Individuals’ and share insights on information requests and when you can and can’t refuse them.
What is a vexatious request?
A request can be considered vexatious if it is likely to cause a disproportionate amount of stress and disruption to an organisation.
What are the typical indicators of a vexatious request:
Aggressive or abusive language: Most organisations have a policy on the treatment of staff, if the language in a written request would not be tolerated if it was delivered during face-to-face communication then you are within your rights to refuse the request.
A burden on the authority: If the request would take an unreasonable amount of time and resources, costing the business a considerable amount of money, the request can be denied no matter how valid the intentions of the requestor are.
Personal grudges: If the requestor is targeting a certain individual within your organisation and it is clear to see it has been done purposely to cause distress.
Unreasonable persistence: The process of trying to open a previously resolved case without reason, if the case has been addressed by a governing body you can refuse the request.
Unfounded accusations: The subject makes a request that is unsubstantiated.
Intransigence: The requestor is refusing to assist with the request and making it difficult to complete the request.
Frequent or overlapping requests: The requestor submits frequent correspondence relating to the same issue.
Deliberate intention to cause annoyance: The requestor doesn’t have a valid reason to make the request other than to cause disruption to the business.
Scattergun approach: The information request is completely random and lacks clear focus and reasoning.
Disproportionate effort: If the request is considered to be trivial and there are no understandable benefits then it can be considered unreasonable to utilise company resources to complete the request.
Lack of obvious intent: The accuser has no reason to request the information, you can also refuse a request if you believe the subject already has access to the information they are trying to get you to disclose.
Futile requests: The issue has already been resolved by the authorities or if it has been comprehensively evaluated by an independent investigator.
Frivolous requests: The subject matter is considered to be extremely trivial. Some individuals have been known to make requests purely for entertainment purposes.
How should you deal with a vexatious request:
You must keep a record of any correspondence with the data subject to make sure you can evidence where their request was unreasonable. You must have a valid reason to refuse the request and make sure you consider your decision with a senior member of your organisation.
If an organisation decides to refuse a rights request for any of the reasons listed above, they must respond to the requestor within 20 working days of the request. In this correspondence, you will have to mention that you are supported by section 14(1) of the Freedom Of Information Act (FOIA). The details of your internal review and information on how the appeal will be sent to the ICO.
You should provide the data subject with a valid reason for your refusal however there are a few exceptions. If the requestor has already received the same update previously then it can be considered a waste of resources and time to send the same document again. this is protected under section 17(6) of the FOI Act.
Need assistance with a vexatious request?
If you would like more information on vexatious requests and how you can handle them, get in touch with one of the teams here at DPP or visit the ICOs Website.
Data Protection Made Easy
As always this session was completely free to join and anyone was welcome to get involved, if you would like to join us live on future episodes of the podcast why not check out our many amazing upcoming events?
Our next event will return on the 7th of October and our top consultants will join forces to discuss the top 10 challenges for data protection practitioners. if you would like to tune into that episode of the podcast, click here.