Skip to main content

Exemptions: When can we consider a part 3 request to be manifestly unfounded or excessive?

Contents

In more detail

Can we refuse to comply with a manifestly unfounded or excessive request?

You can refuse to comply with a SAR (wholly or partly) if it is:

  • manifestly unfounded; or
  • excessive; or
  • both manifestly unfounded and excessive.

The threshold for applying the manifestly unfounded or excessive provisions is high. However, you can interpret these provisions broadly. This means that you do not have to prove that a request is either manifestly unfounded or excessive, provided you can demonstrate that the provision generally applies in the circumstances, with reference to supporting factors. For example, a request may be either unfounded or excessive, or contain elements of both.

Alternatively, you could choose to respond to a manifestly unfounded or excessive request and charge the requester a reasonable fee.

What do we need to think about when deciding if a request is manifestly unfounded or excessive?

You should consider the following when deciding if a request is manifestly unfounded or excessive:

  • Deal with each request on its own merits – you should not have a blanket policy.
  • Do not assume that a request is manifestly unfounded or excessive simply because the person has previously submitted such a request.
  • You must treat a request made by a person's representative as if the person made it themselves.
  • If you decide a request is manifestly unfounded or excessive, you need to:
    • have strong justifications that you can clearly explain to the person and, if necessary, to us, and
    • have clear evidence supporting your decision.

You should consider all the circumstances of the request. This may include broader factors that are beyond the request itself or the right of access.

Broader factors may include whether a person has previously:

  • made FOI requests;
  • made service level complaints; or
  • exercised other data protection rights.

For these factors to be relevant, you should be able to show that these indicate a pattern of behaviour that shows that the SAR in question has been made for a purpose other than to exercise the right of access. For example, you may have evidence that the requester did not make the SAR in good faith, or made it to harass the organisation. This may be the case if this same person has contacted other departments within your organisation about this issue, with a clear intent to cause disruption.

Remember that there is a high threshold for applying these provisions. You should be able to show:

  • why these broader factors directly link to the request; and
  • that the person's actions or comments show a pattern of unreasonably repetitive or malicious behaviour.

Example

A person was seriously injured at work after operating machinery. As their employer failed to provide appropriate personal protective equipment and training, it may have breached health and safety legislation. The Health and Safety Executive (HSE) is treating the matter as a criminal investigation and seizes evidence from the employer. 

The person makes a SAR to the HSE, asking for all the information held about them in relation to this incident. Although the person does not say so, the HSE suspects that they want this information to pursue a civil claim for damages against their employer. However, a request is not automatically unfounded or excessive just because a person wants it for litigation purposes. The HSE cannot refuse to provide the information for this reason. 

The purpose behind a request is not relevant in considering whether a request is valid. However, the HSE can consider it as one of various factors for deciding if the request is manifestly unfounded or excessive, if it’s clear the person is abusing their rights. 

The HSE provides the information but redacts details about third parties and does not provide information that is covered by legal professional privilege. The person contacts the HSE and makes a duplicate request, specifically asking that the HSE does not redact the information this time. The HSE decides the follow-up request is manifestly unfounded or excessive because: 

  • the request repeats the previous SAR; and
  • the person has already been given the information they are entitled to. 

Remember that a SAR gives a person a right to access their personal information, some of which may be contained in documents. However, it does not necessarily give them a right to obtain documents, copies of documents or information about other people. This depends on the contents.

What does manifestly unfounded mean?

Manifestly unfounded means that:

  • the person clearly has no intention to exercise their right of access. For example, they make a request but then offer to withdraw it in return for some form of benefit from your organisation; or
  • the request is clearly malicious in intent and is being used to harass your organisation with no real purpose other than to cause disruption. For example, the person:
    • states explicitly in the request itself or in other communications that they intend to cause disruption;
    • makes unsubstantiated accusations against you or specific employees, clearly prompted by malice;
    • targets a particular employee against whom they have some personal grudge; or
    • sends different requests to you systematically (eg once a week) as part of a campaign with the intention of causing disruption.

This is not a simple tick list that automatically means a request is manifestly unfounded. You should consider a request in the context in which the person makes it. If the request appears to be a reasonable and genuine attempt to exercise the right of access, it's unlikely that the request is manifestly unfounded.

Aggressive or abusive language is not acceptable. However, the use of such language does not automatically make a request manifestly unfounded. You should:

  • consider all the circumstances of the request; and
  • take a reasonable and proportionate approach in deciding whether or not this is a relevant factor.

Example

A person is unhappy with the outcome of a complaint to a regulator. The person makes a SAR for all of the information held about them. The regulator is able to provide some information, but withholds other information because a restriction applies. It explains this to the person but the person is unhappy with this response. They tell the regulator that they plan to make a SAR for their information every day until the employee who dealt with their complaint is fired.

It is clear that this person's intention is to threaten or disrupt the organisation. The regulator refuses these further requests as they are manifestly unfounded.

What does excessive mean?

When deciding whether a request is excessive, you should consider whether it's clearly or obviously unreasonable. You should take into account all the circumstances of the request, including:

  • the nature of the requested information;
  • the context of the request and the relationship between you and the person;
  • whether a refusal to provide the information or even confirmation whether you hold the information may cause substantive damage to the person, or adversely impact their rights;
  • whether it's proportionate when balanced with the burden or costs involved in responding to it;
  • your available resources;
  • whether the request overlaps with other requests from the same person (although if it relates to a completely separate set of information, it's unlikely to be excessive);
  • whether the request largely repeats previous requests, a reasonable interval hasn't passed and the person's circumstances haven't changed; and
  • whether you have already provided the person with a copy of exactly the same information by other means.

A request is not necessarily excessive just because the person requests a large amount of information. You should consider all the circumstances of the request.

If it's a large request, you should consider:

  • asking the person for more details to help you locate the information they want; and
  • whether you can make reasonable searches for the information.

(See Can we clarify the request in part 3? and our UK GDPR right of access guidance What efforts do we need to make to find information?.)

Repeat requests

A repeat request may not be excessive if a reasonable amount of time has passed since the last request. When considering if a reasonable interval has passed, you should consider the following:

  • The nature of the information (eg whether it is particularly sensitive because of the requester's circumstances).
  • Whether the circumstances of the request have changed (eg if a restriction you previously used is no longer applicable).
  • How often you alter the information. If it's unlikely to have changed, you may not need to respond to the same request twice, and you should explain this to the person. However, if you have changed the information since the last request, you should inform the person of this.

Requests about the same issue are not always excessive – it depends on the circumstances.

There may be valid reasons for making a request that repeats the substance of a previous one. For example, a new related request is likely to be reasonable if:

  • you did not handle previous requests properly; or
  • your response revealed new information that the person was not previously aware of.

A repeated request is unlikely to be excessive if:

  • the request is the same (or a substantively similar) request to a previous request by the same requester; and
  • you have not provided a response to the previous request within the time limit.

However, a request that repeats the substance of a previous request may be excessive. In particular, this might be the case if:

  • the requester makes a new request before you have responded to their previous request; and
  • you are still within the time limit to respond to the previous request.

Information previously provided by other means

A request is not automatically excessive just because the information has already been provided to the person by other means. However, if they have already received exactly the same information through another method, this may be a relevant factor in deciding if this exemption applies.

Remember, even where the personal information you hold has already been disclosed to a person by another means, you must provide the other supplementary information.

(For further information on handling requests where you have already provided the information, please see Do we have to respond to the SAR if the person has an alternative means of accessing their information?.)

Rights and interests of the person

The rights that are impacted may vary in the circumstances. The weight you attach to the person's rights, freedoms or legitimate interests depends on how compelling or trivial they are.

(For further guidance on considering how people's rights may be affected, see What rights and interests may be impacted by restricting an individual's right of access?.)

Example

A person makes a SAR to the police for all of their personal information relating to a criminal investigation. One month after receiving a response, they submit a new SAR, again asking for all of their information.

Since the previous SAR, the only new information the police have collected relates to a call the person made to their switchboard, and how that call was handled.

It would be excessive for the police to provide the same information again because the new SAR:

  • repeats a previous request that they have already responded to; and
  • was made after only a short amount of time had passed since the previous SAR.

The police refuse to provide the information previously provided on this basis. However, they provide the new information collected since the previous request.

When can we charge a fee?

You may charge a reasonable fee to respond to a manifestly unfounded or excessive request. However, you do not have to, and you can still refuse to deal with the request on these grounds. This is the case even if the person offers to pay a fee.

If you choose to charge a fee, you must tell the person and explain why. The time limit for responding to the request begins once you have received the fee. You do not need to comply with the request until you have received the fee.

You should request the fee as soon as possible and at the latest within one month of receiving the request. The longer it takes for you to ask for a fee, the less likely it is that this is reasonable. It's unreasonable to ask for a fee as a way of extending the time you have to respond to the request.

If you charge a reasonable fee, you must be able to justify the cost.

Under section 53 of the DPA, the Secretary of State can make regulations that:

  • specify limits on the fees that organisations may charge to deal with manifestly unfounded or excessive requests;
  • require certain controllers to produce and publish guidance about fees they charge for dealing with SARs; and
  • specify what the guidance needs to include.

However, at present there are no regulations in place. As such, it's your responsibility to ensure that you charge a reasonable rate.

For further guidance on the factors that you can consider if you plan to charge a fee, you should follow our UK GDPR right of access guidance (see Can we charge a fee?).

Example

A person repeatedly makes SARs to the police for personal information about their arrest in an investigation that is now closed. The police have given them the same information before, and have not collected any more information since their initial request. The police consider the request to be excessive, but decide to respond because they think the requester may have lost the information.

The police tell the person they are charging them a fee for this information, based on administration costs. The police provide the information within one month of receiving the fee.