
Written by adm

Posted on: January 12, 2022

Can you refuse to comply with a Data Subject Access Request [SAR]?

The right of access under GDPR gives data subjects the right to obtain a copy of their personal data. It helps them understand how and why you are using their data and whether you do it lawfully.

However, the GDPR, the DPA 2018 and the ICO recognise that, in some circumstances, you might have a legitimate interest in not complying with a SAR, so there are a number of exemptions from the right of access. You can therefore refuse to comply with a request fully or partially, depending on the specific case.

Not all of the exemptions apply in the same way. You should look at each exemption carefully to see how it applies to a particular SAR. Some exemptions apply because of the nature of the personal data in question, e.g. information contained in a confidential reference. Others apply because disclosure of the information is likely to prejudice your purpose, i.e. it would have a damaging or detrimental effect on what you are doing.

The ICO’s detailed guidance states that you can refuse to comply with a SAR if the request is manifestly unfounded or manifestly excessive. Both terms are explained below.

What does manifestly unfounded mean?

A request may be manifestly unfounded if:

  • the individual clearly has no intention to exercise their right of access (for example an individual makes a request, but then offers to withdraw it in return for some form of benefit from the organisation); or
  • the request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption.

This however does not mean that the request is unfounded per se. You must consider a request in the context in which it is made. If the individual genuinely wants to exercise their rights, it is unlikely that the request is manifestly unfounded.

What does manifestly excessive mean?

It means that the request is clearly or obviously unreasonable. You should base this on whether the request is proportionate when balanced with the burden or costs involved in dealing with the request.

This will mean taking into account all the circumstances of the request, including:

  • the nature of the requested information;
  • the context of the request, and the relationship between you and the individual;
  • whether a refusal to provide the information or even acknowledge if you hold it may cause substantive damage to the individual;
  • your available resources;
  • whether the request largely repeats previous requests and a reasonable interval hasn’t elapsed; or
  • whether it overlaps with other requests (although if it relates to a completely separate set of information it is unlikely to be excessive).

A request is not necessarily excessive just because the individual requests a large amount of information. As stated above, you must consider all the circumstances of the request. You should also consider asking the individual for more information to help you locate the information they want and whether you can make reasonable searches for the information.

Specifically, there is no obligation to comply with a SAR where:

  • The request is for solely personal or household activity.
  • A claim of legal professional privilege applies (information being requested relates to regulatory functions, judicial appointments and proceedings, the honours system, criminal investigations, tax collections, and various corporate finance services).
  • It relates to personal data used for management forecasting or planning and complying with a DSAR would reasonably prejudice the conduct of the business or activity. For example, the data relates to a staff redundancy which has yet to be announced.
  • Information about other people involved – access to such data will not be granted, unless the individuals involved consent to the disclosure of their data.
  • Where a similar or identical request in relation to the same data subject has previously been complied with within a reasonable time period, and where there is no significant change in the personal data held in relation to that data subject, any further request made within six months of the original request will be considered a repeat request.
  • Publicly available information.
  • Opinions given in confidence or protected by copyright law.
  • Privileged documents.

Exemptions set out in Schedules 2 or 3 of the DPA 2018

  • Crime and taxation: general
  • Crime and taxation: risk assessment
  • Legal professional privilege
  • Functions designed to protect the public
  • Regulatory functions relating to legal services, the health service and children’s services
  • Other regulatory functions
  • Judicial appointments, independence and proceedings
  • Journalism, academia, art and literature
  • Research and statistics
  • Archiving in the public interest
  • Health, education and social work data
  • Child abuse data
  • Management information
  • Negotiations with the requester
  • Confidential references
  • Exam scripts and exam marks
  • Other exemptions

What should you do if you refuse to comply with a request?

You should inform the data subject of the following information:

  • the reasons why you decided not to comply with the request;
  • their right to make a complaint to the supervisory authority;
  • their right to seek enforcement of this right before the courts.

Contact

I hope you find this useful. If you need an EU representative, have questions about the GDPR, or have received a SAR or a regulatory request and need help, you can contact us at any time. We are always happy to help...
GDPR Local Team.
