A touchy subject: new guidance on responding to data subject access requests


One of the most effective tactics used by individuals engaged in disputes with their employers (or ex-employers) is submitting a data subject access request to obtain their personal data held by the employer. It is fairly simple to do, often expensive to respond to and carries the threat of enforcement by the Information Commissioner if the employer does not respond within the time limit or provide the required data. Unlike the disclosure process in an Employment Tribunal claim, the employee is entitled to be provided with their personal data even if it is not directly relevant to the issues in dispute.

Although there are exceptions for third party data and legally privileged documents, determining what material can be withheld is often a big undertaking in itself. It's not surprising that employers often dread dealing with such requests.

The Information Commissioner's Office has issued some helpful guidance for employers (and other data controllers) on dealing with subject access requests, including useful information about when the ICO will 'stop the clock' on the time limit for responses and when requests can be treated as manifestly unfounded or manifestly excessive. 

Time limits

Data controllers usually have a month to respond to a request, but this timescale can be extended by up to 2 months if the request is complex or one of several by the same person.

The guidance clarifies the circumstances in which a request may be treated as complex, including where it involves:

  • Technical difficulties in retrieval.
  • Applying an exemption that involves large volumes of particularly sensitive information.
  • Specialist work in obtaining the information or communicating it in an intelligible form.
  • Confidentiality issues around disclosure of sensitive medical information to a third party.
  • Needing to obtain specialist legal advice. If you routinely obtain legal advice, doing so won't make the request complex.

However, requests aren't complex simply because they involve large amounts of information.

The time for responding can also be 'paused' if the data controller needs to clarify the request. The guidance stipulates that this only applies where the controller holds a large volume of data about the individual and clarification is genuinely needed in order to respond; it should not be done routinely. The ICO will not consider it reasonable or necessary to seek clarification if you process a large volume of information in relation to the individual but could obtain and provide the requested data relatively easily.

Manifestly unfounded and manifestly excessive requests

Controllers can refuse to respond to requests which fall into these categories (or can charge a fee for responding), but the guidance emphasises that these are narrow exceptions. 

A request may be manifestly unfounded if:

  • the individual clearly has no intention to exercise their right of access, e.g. offers to withdraw the request in return for a payment or benefit; or
  • the request is malicious/disruptive in intent. For example, the individual:
    • makes unfounded accusations which are clearly prompted by malice;
    • targets an individual in the organisation against whom they have a grudge; or
    • sends several requests to you as part of a campaign to cause disruption.

If the individual genuinely wants to exercise their rights, it is unlikely that the request is manifestly unfounded.

To determine whether a request is manifestly excessive, controllers need to assess whether it is "clearly or obviously unreasonable", i.e. disproportionate to the burden or costs involved in dealing with the request. However, the fact that a request may involve a large amount of data does not make it manifestly excessive. The controller must also consider their own resources: large organisations can be expected to cope with requests involving large volumes of data.

The guidance emphasises that 'manifestly' means that it should be clear and obvious that the request is unfounded or excessive. Controllers wishing to rely on these exceptions should be ready to justify their approach to the ICO.

The guidance is a helpful reference source for any organisation dealing with subject access requests. It indicates that the ICO has taken into account the concerns of organisations about the disruption which such requests can create. Overall, it emphasises the need to assess requests on a case-by-case basis and balance the individual's privacy and access rights against the burden on the organisation. This provides a helpful framework for employers and other data controllers.