Rejecting subject access requests: changes on the horizon
In 2022, the government announced its intention to introduce reforms to the UK’s existing domestic data protection framework, a move which was promoted at the time as a “Brexit benefit” and something that was generally welcomed by businesses, pending the final wording of such reforms.
After some delay, on 8 March 2023 the revised Data Protection and Digital Information Bill (“DPDI Bill”) was introduced to Parliament by the Secretary of State for Science, Innovation and Technology following consultation with businesses and data privacy stakeholders.
The DPDI Bill introduces a variety of privacy-related changes, with the broad aims of reducing the administrative burden on businesses, promoting innovation, and reforming the ICO. However, this article’s focus is on the specific issue of data subject access requests (“DSARs”) which, under the DPDI Bill, are going to become easier for data controllers (such as employers, in the context of an employee raising a DSAR) to reject.
This article will focus on the employment context of DSARs, which are often used as a tactical tool by aggrieved employees to elicit crucial information relevant to their case from their employer at an early stage of proceedings. From the employer’s perspective, however, they can be highly frustrating, time-consuming, and expensive to deal with if they are brought with animosity (i.e., perhaps not to protect the employee’s data rights but as a method of attaining leverage in settlement discussions).
The current test to reject a DSAR: manifestly unfounded or excessive
Under the existing legislation (i.e., the UK GDPR and the Data Protection Act 2018), where a DSAR is manifestly unfounded or excessive, the employer may either: i) charge a reasonable fee, or ii) refuse to act on the request. In these circumstances, the employer must be able to demonstrate to the ICO that the request is in fact (and not just in the employer’s opinion) manifestly unfounded or excessive. The ICO will look closely at the employer’s reason not to respond to the request, and the ICO’s Rights of Access Guidance states that when considering whether a DSAR is manifestly unfounded or excessive, employers should: i) consider each request individually, ii) not presume a request is manifestly unfounded or excessive simply due to the employee previously submitting a manifestly unfounded or excessive request, iii) understand that there must be an obvious or clear quality to the unfoundedness or the excessiveness, and iv) ensure that they have strong justifications for determining a request manifestly unfounded or excessive.
For example, suppose an employee (the data subject) has repeatedly made requests for access to their personal data, and the employer (the data controller) has already provided this information on several occasions. However, the employee continues to make requests for access to their personal data without providing any specific reason or justification for doing so. In this case, the employer may determine that the requests are manifestly unfounded and/or excessive, as the employee has already been provided with the requested information multiple times without providing any valid reasons for the continued requests.
Another example could be a situation where an employee requests access to an excessive amount of personal data, which would require a disproportionate amount of time, effort, and resources for the employer to gather and provide. In such cases, the employer may refuse to comply with the request, or may request a reasonable fee to cover the cost of providing the information.
However, where aggrieved employees make a DSAR to elicit crucial information relevant to their case from their employer, the employer is usually not able to refuse the request so long as it does not reach the threshold of being manifestly excessive, such as the example above of requesting excessive amounts of information. Therefore, under the current legislation, DSARs are often a readily available and tactical weapon in the employee’s armoury in the context of disputes with their employers.
Proposed new test to reject a DSAR: vexatious or excessive
To help the government put into effect its vision of a more efficient and streamlined approach to data protection, and to “reduce burdens on businesses and deliver better outcomes for people”, the government proposes to lower the threshold for refusing to respond to (or charging a reasonable fee for) DSARs, so that it covers requests which are vexatious or excessive. The removal of the word “manifestly” is the key change, given that “manifestly” means that there must be an obvious or clear quality to the unfoundedness or the excessiveness.
Under the DPDI Bill, whether a request is vexatious or excessive is determined by having regard to the circumstances of the request, including (so far as relevant):
- the nature of the request;
- the relationship between the data subject and the controller;
- the resources available to the controller;
- the extent to which the request repeats a previous request made by the data subject to the controller;
- how long ago any previous request was made; and
- whether the request overlaps with other requests made by the data subject to the controller.
The DPDI Bill states that examples of requests that may be vexatious include requests that: i) are intended to cause distress, ii) are not made in good faith, or iii) are an abuse of process.
In the context of aggrieved employees making a DSAR to elicit crucial information relevant to their case from their employer, this new vexatious test may mean that requests can be refused. Under the proposed legislation, the use of a DSAR in a dispute with an employer as a pre-litigation disclosure exercise, or to cause disruption to the employer whilst the claim is being brought, may fall foul of this new test, given the examples stated in the DPDI Bill (i.e., an abuse of process and not made in good faith). Whether such requests will always be capable of being rejected once employment tribunal proceedings have commenced is unknown. If not, it will be interesting to see what threshold is applied in such cases.
BPE comment
Ultimately, whilst the proposed new test of vexatiousness and excessiveness for charging for / rejecting requests will allow for more DSARs to be rejected, the extent to which it does so will come down to the Government and any case law following the introduction of the legislation. Given that the Government’s aim is “reducing burdens on businesses”, it seems likely that the right to reject will be sufficiently expanded.
That said, skilled lawyers are likely to find ways around this rule, and it may well come down to how the courts assess the test in subsequent case law. Watch this space for an update once the final legislation is introduced, and case law updates that may follow.
Recommended Reading
https://publications.parliament.uk/pa/bills/cbill/58-03/0265/220265.pdf
These notes have been prepared for the purpose of articles only. They should not be regarded as a substitute for taking legal advice.