Knowing when you have the right to refuse a SAR / DSAR, and having the confidence to do so, can be tricky to navigate. In this article, we’ll help you to understand the differences between Manifestly Unfounded and Manifestly Excessive and teach you how and when to use them.
A Subject Access Request (SAR), also called a Data Subject Access Request (DSAR), is any request by a data subject for access to their personal data. Legally, if a SAR / DSAR is requested, the company/organization to whom the SAR / DSAR was made must find, collate, and redact the discovered information, as well as apply any relevant exemptions, before sharing it back with the requester. Typically, a SAR / DSAR may be dealt with by an Information Asset Owner, Information Governance Officer/Team, Data Protection Officer/Team, or other nominated person.
Sometimes these requests can be made with malice in mind, for example, if someone gets let go from a company, kicks up a big stink, and submits a SAR / DSAR straight after.
In such cases, you can refuse to comply with a SAR / DSAR by deeming the request Manifestly Unfounded or Manifestly Excessive, but it will depend on the circumstances and the terms.
Use of Manifestly Unfounded and Manifestly Excessive refusal notices should be considered at the initial stages of a SAR / DSAR. It may be appropriate to think about the use of Manifestly Unfounded if the request becomes repeated.
The information below refers to guidance given by the Information Commissioner’s Office (ICO). If you’d like to learn more about SARs / DSARs as well as other Information Governance and Data Privacy & Protection topics, we have some great training courses that can help.
What does manifestly unfounded mean?
A request may be manifestly unfounded if the person clearly has no intention to exercise their right or if the request is malicious in intent. They may also use the request to harass an organisation, with no real purpose other than to cause disruption. The term ‘manifestly’ indicates that organisations should provide evidence which demonstrates why the request is unfounded.
Factors that may indicate a manifestly unfounded request include where:
- the person explicitly states, in the request itself or in other communications, that they intend to cause disruption;
- the request makes unsubstantiated or false accusations against you or specific employees which are clearly prompted by malice;
- the person is targeting a particular employee against whom they have a personal grudge;
- the person makes a request but then offers to withdraw it in return for some sort of benefit from the organisation; or
- the person systematically or frequently sends different requests to you as part of a campaign with the intention of causing disruption, eg once a week.
This is not a simple tick list that automatically means a request is manifestly unfounded. You should consider a request in its own context, and consider all the circumstances. The onus is on you to demonstrate that a request is manifestly unfounded.
You should consider the particular situation and whether the person genuinely wants to exercise their rights. If they do want to exercise their rights, it is unlikely that the request is manifestly unfounded. In most cases, use of aggressive or abusive language does not, in itself, demonstrate a manifestly unfounded request.
What does manifestly excessive mean?
To determine whether a request is manifestly excessive, you should consider whether it is clearly or obviously unreasonable. You should base this on whether the request is proportionate, when balanced with the burden or costs involved in dealing with the requests.
This means taking into account all the circumstances of the request, including:
- the nature of the information the request is about;
- the context of the request and the circumstances of the relationship between you and the person;
- whether a refusal to carry out the request or even acknowledge that you hold relevant information may cause substantive damage to the person, such as an adverse impact on their rights. You should think about rights broadly by considering any aspect of a person’s life;
- your available resources;
- if the request largely repeats previous requests and there has not been a reasonable interval since the last request;
- whether it largely overlaps with other requests (although if it is about a separate set of information, it is unlikely to be excessive); or
- where you have already provided a copy of the information to the person by alternative means.
In most cases, a request is not excessive just because the request covers a large amount of information, even if you find it a burden. As noted above, you should consider all the circumstances of the request. If it is a request for access, you could also consider asking them for more information to help you locate the information they are looking for.
A repeat request may not be excessive if a reasonable amount of time has passed since their last request. You should consider the following when deciding whether a reasonable amount of time has passed:
- the nature of the data – this could include whether it is particularly sensitive;
- whether the circumstances of the request have changed, for example, can you provide access to information you previously restricted, now that the circumstances have changed?; and
- how often you alter the data.
If it is unlikely that there have been any changes to the information between requests, you could decide you do not need to respond to the same request twice.
If you have deleted information since the last request, you should let the requester know.
If you have collected new information since their last request then it may not be an excessive request (at least not for the new information).
Requests about the same issue are not always excessive. Someone may have legitimate reasons for making requests that repeat the content of previous requests, for example, if the organisation did not handle previous requests properly, or if a response to a previous request provided someone with new information that they were not previously aware of, prompting a new request. However, in other circumstances, a request which effectively repeats the substance of a previous request may be excessive. This depends on the circumstances.
A request may be excessive if someone makes a new request before you have had the opportunity to address an earlier request. However, this is only the case if the substance of the new request repeats some of the previous request. It is unlikely to be excessive if the overlapping request is about a separate set of information.
A request for information is not automatically excessive just because the information was previously made available as part of the criminal justice system. However, if a person has already received exactly the same information through an alternative statutory disclosure mechanism, this may be a factor to consider in deciding whether a request is excessive. In deciding whether such a request is excessive you should take into account the wider circumstances of the request, including:
- Have you provided exactly the same information as the person has now requested?
- Does the person already know this?
- What would be the likely impact on the person’s rights, freedoms and interests, if you refused the request? Would they suffer substantive damage?
The rights that are impacted may vary in the circumstances. The amount of weight you attach to the person’s rights, freedoms or legitimate interests will depend on how compelling or trivial they are.
What general considerations should be taken into account when deciding if a request is manifestly unfounded or excessive?
You must take the following into account when determining whether a request is manifestly unfounded or excessive:
- Consider each request individually – you should not have a blanket policy;
- Do not presume that a request is manifestly unfounded or excessive just because an individual has previously submitted a manifestly unfounded or excessive request;
- The inclusion of the word “manifestly” means there must be an obvious or clear quality to unfoundedness/excessiveness; and
- Ensure you have strong justifications for why you consider a request to be manifestly unfounded or excessive, which you can clearly demonstrate to the individual and the ICO.
For more information, see the ICO’s website, which provides detailed guidance on SARs / DSARs on its right of access page.
For further learning and education on this subject we suggest booking a place on our Subject Access Request training course. We also have a course that covers Redaction & Scrutiny as well as Data Protection Impact Assessments.
When is the new Data Protection & Digital Information Bill being passed?
A new Data Protection & Digital Information Bill is currently being reviewed and finalised through parliament, which means that there will be changes surrounding a Subject Access Request. These changes are expected in autumn 2023.
Regarding the above article, we expect that the current terms ‘Manifestly Unfounded’ and ‘Manifestly Excessive’ will change and are predicted to be known as ‘Vexatious’ and ‘Manifestly Excessive’. The rules that surround them are expected to have more or less the same criteria. We will update this article when the new bill is passed.
Why shouldn’t I wait for the bill to be passed before doing any SAR / DSAR training?
The main process that needs to be followed for a SAR / DSAR will not be changing. So, the content of what you will learn from our Subject Access Request training course will remain almost exactly the same; just a few bits of wording and terminology might be slightly different. The main changes with the new Data Protection & Digital Information Bill will be the job roles and requirements of ‘who does what’.
We will update the terminology within our courses as soon as the bill is passed.