The ICO exists to empower you through information.

Latest updates - last updated 10 February 2023

10 February 2023 - We have updated our Part 3 guidance on manifestly unfounded and excessive requests to align with our new policy lines on this topic in the UK GDPR right of access guidance.

At a glance

  • Under Part 3 of the DPA 2018, people have rights of access, rectification, erasure and restriction of their personal data. They also have the right for their personal data to not be subject to automated decision-making.
  • You could refuse to respond to a request if it is manifestly unfounded or excessive.
  • Alternatively, you could charge a reasonable fee for dealing with the request.
  • You must demonstrate why it is manifestly unfounded or excessive.

Checklists

Responding to manifestly unfounded and excessive requests

□ We understand when we can refuse a request and are aware of the information we need to provide to people when we do so.

□ We understand the considerations we need to account for when deciding if a request is manifestly unfounded or excessive.

In brief

What types of requests can we consider as manifestly unfounded or excessive?

People have the right to request:

  • access to their personal data;
  • rectification of their personal data;
  • restriction of the processing of their personal data;
  • erasure of their personal data; and
  • not to be subject to automated decision-making.

For further information about these rights, please see our Guide to Law Enforcement Processing.

If you process personal data for law enforcement purposes and you consider a request exercising any of these rights as manifestly unfounded or excessive, you could refuse to comply with the request.

Alternatively, you could charge a reasonable fee to deal with the request (see When can you charge a fee?).

What general considerations should we take into account when deciding if a request is manifestly unfounded or excessive?

You should determine whether a request is manifestly unfounded or excessive on a case-by-case basis. You should also consider the individual circumstances.

Whilst there may be characteristics that are indicative of a manifestly unfounded or excessive request, you should only use these as a guide. You must not presume that a request is manifestly unfounded or excessive just because someone has previously submitted manifestly unfounded or excessive requests.

The inclusion of the word “manifestly” means it must be obvious or clear that the request is unfounded or excessive. You must have evidence as to why you consider a request to be manifestly unfounded or excessive. You must be able to explain the reasons for your decision to the person and, if asked, to the Information Commissioner’s Office (ICO).

What does manifestly unfounded mean?

A request may be manifestly unfounded if the person clearly has no intention to exercise their right or if the request is malicious in intent. They may also use the request to harass an organisation, with no real purpose other than to cause disruption. The term ‘manifestly’ indicates that organisations should provide evidence which demonstrates why the request is unfounded.

Factors that may indicate a manifestly unfounded request include where:

  • the person explicitly states, in the request itself or in other communications, that they intend to cause disruption;
  • the request makes unsubstantiated or false accusations against you or specific employees which are clearly prompted by malice;
  • the person is targeting a particular employee against whom they have a personal grudge;
  • the person makes a request but then offers to withdraw it in return for some sort of benefit from the organisation; or
  • the person systematically or frequently sends different requests to you as part of a campaign with the intention of causing disruption, eg once a week.

This is not a simple tick list that automatically means a request is manifestly unfounded. You should consider a request in its own context, and consider all the circumstances. The onus is on you to demonstrate that a request is manifestly unfounded.

You should consider the particular situation and whether the person genuinely wants to exercise their rights. If they do want to exercise their rights, it is unlikely that the request is manifestly unfounded. In most cases, use of aggressive or abusive language does not, in itself, demonstrate a manifestly unfounded request.

Example

A person is unhappy with the outcome of a complaint to a regulator. They post online that they plan to make a request for the company to delete their information every day, until the employee that dealt with their complaint is fired.

You have already responded to their first erasure request. It is clear that their intention is to threaten or disrupt your organisation. You refuse these further requests on the grounds that they are manifestly unfounded.

What does manifestly excessive mean?

To determine whether a request is manifestly excessive, you should consider whether it is clearly or obviously unreasonable. You should base this on whether the request is proportionate, when balanced with the burden or costs involved in dealing with the requests.

This means taking into account all the circumstances of the request, including:

  • the nature of the information the request is about;
  • the context of the request and the circumstances of the relationship between you and the person;
  • whether a refusal to carry out the request or even acknowledge that you hold relevant information may cause substantive damage to the person, such as an adverse impact on their rights. You should think about rights broadly by considering any aspect of a person’s life;
  • your available resources;
  • if the request largely repeats previous requests and there has not been a reasonable interval since the last request;
  • whether it largely overlaps with other requests (although if it is about a separate set of information, it is unlikely to be excessive); or
  • where you have already provided a copy of the information to the person by alternative means.

In most cases, a request is not excessive just because the request covers a large amount of information, even if you find it a burden. As noted above, you should consider all the circumstances of the request. If it is a request for access, you could also consider asking them for more information to help you locate the information they are looking for.

A repeat request may not be excessive if a reasonable amount of time has passed since their last request. You should consider the following when deciding whether a reasonable amount of time has passed:

  • the nature of the data – this could include whether it is particularly sensitive;
  • whether the circumstances of the request have changed, for example, can you provide access to information you previously restricted, now that the circumstances have changed?; and
  • how often you alter the data.

If it is unlikely that there have been any changes to the information between requests, you could decide you do not need to respond to the same request twice.

If you have deleted information since the last request, you should let the requester know.

If you have collected new information since their last request then it may not be an excessive request (at least not for the new information).

Requests about the same issue are not always excessive. Someone may have legitimate reasons for making requests that repeat the content of previous requests. For example, if the organisation did not handle previous requests properly, or if a response to a previous request provided someone with new information that they were not previously aware of, prompting a new request. However, in other circumstances, a request which effectively repeats the substance of a previous request may be excessive. This depends on the circumstances.

A request may be excessive if someone makes a new request before you have had the opportunity to address an earlier request. However, this is only the case if the substance of the new request repeats some of the previous request. It is unlikely to be excessive if the overlapping request is about a separate set of information.

A request for information is not automatically excessive just because the information was previously made available as part of the criminal justice system. However, if a person has already received exactly the same information through an alternative statutory disclosure mechanism, this may be a factor to consider in deciding whether a request is excessive. In deciding whether such a request is excessive you should take into account the wider circumstances of the request, including:

  • Have you provided exactly the same information as the person has now requested?
  • Does the person already know this?
  • What would be the likely impact on the person’s rights, freedoms and interests, if you refused the request? Would they suffer substantive damage?

The rights that are impacted may vary in the circumstances. The amount of weight you attach to the person’s rights, freedoms or legitimate interests will depend on how compelling or trivial they are.

For further guidance on considering how people’s rights may be affected, see ‘What rights and interests may be impacted by restricting an individual’s right of access?’. For further information on handling requests where you have already provided the information, please see ‘Do we have to respond to the SAR if the person has an alternative means of accessing their information?’. These pieces of guidance are about the right of access. However the principles are also relevant to determining the impact to other Part 3 rights.

Example

One month ago, you responded to a person’s subject access request for their information, which included their conviction history. Since then, they have made a new request for their information and asked you to include their conviction history again. Since their last request, the only new information you have collected covers a call to your complaint department.

You consider the amount of time you need to provide all the information, including their conviction history which contains a lot of documents, compared to only providing new information. You decide that it would be excessive to provide all the information, especially because of:

  • the overlap in information;
  • the volume of information in their conviction history; and
  • the time elapsed since the last request.

You refuse to respond to the whole request again, and tell the person that their request is excessive. However, you do provide them with the new information that you have collected since their last request.

What should we do if we refuse to comply with a request?

If you refuse to comply with a request, you must inform the person of:

  • the reasons why you are not complying with their request;
  • their right to make a complaint to the ICO; and
  • their ability to seek to enforce this right through a judicial remedy.

As mentioned above, if you believe a request is manifestly unfounded or excessive you must be able to demonstrate this to the person and, if asked, to the ICO.

When can you charge a fee?

You could charge a reasonable fee if you decide that a request is manifestly unfounded or excessive, but you choose to respond to it. However, you are not required to charge a fee, and you can still refuse to deal with the request (on the grounds that it is unreasonable or excessive). This is the case even if the person tells you they are willing to pay a fee.

If you decide to charge a fee, you must notify the requester and explain why. You do not need to take further action in response to the request until you receive the fee. The time limit for responding to the request begins once you have received the fee. You should request the fee as soon as possible and, at the latest, within one month of receiving the request. You should not unnecessarily delay requesting it until you are nearing the end of the one month time limit. If you decide on a reasonable fee, you must be able to justify the cost, in case the requester makes a complaint to the ICO.

Section 53(4) allows for the Secretary of State to specify limits on the fees that organisations may charge to deal with a manifestly unfounded or excessive request by way of regulations. However, at present there are no regulations in place. As such, it is your responsibility as an organisation to ensure that you charge a reasonable rate.

For further guidance on the factors that you should consider when determining a reasonable fee and how you should respond to a request when you are charging a fee, you should follow our UK GDPR right of access guidance – ‘Can we charge a fee?’.

Example

An accused person repeatedly makes SARs for a file containing personal information about their arrest. You have given them the same file before, and you have not collected any more information since their initial request. The request is excessive, but you decide to respond to the request because you think they may have lost the file.

You tell the person you are charging them a fee for this information, based on administration costs. Once you receive the fee, you provide the information within one calendar month.