Exemptions: when can we consider a request to be manifestly unfounded or excessive?
-
This guidance has been updated to reflect changes to the right of access brought about by the Data (Use and Access) Act. Some of these changes are not yet in force. However, we think it is useful for it to be published now so that you are ready for these changes. In particular, they set out that you only have to carry out a reasonable and proportionate search in response to a SAR; and that you can ‘stop the clock’ when asking for clarification on a request.
In more detail
- Can we refuse to comply with a manifestly unfounded or excessive request?
- What do we need to think about when deciding if a request is manifestly unfounded or excessive?
- What does ‘manifestly unfounded’ mean?
- What does ‘excessive’ mean?
Can we refuse to comply with a manifestly unfounded or excessive request?
You can refuse to comply with a SAR (wholly or partly) if it is:
- manifestly unfounded; or
- excessive; or
- both manifestly unfounded and excessive.
Remember that there is a high threshold for relying on the manifestly unfounded or excessive provisions. However, you can interpret these provisions broadly by reference to other factors. This means that you do not have to prove that a request is either manifestly unfounded or excessive, provided you can show that the provision generally applies in the circumstances, with reference to supporting factors. For example, a request may be either unfounded or excessive, or have elements of both.
Alternatively, you may choose to respond to a manifestly unfounded or excessive request and charge the requester a reasonable fee.
What do we need to think about when deciding if a request is manifestly unfounded or excessive?
You should consider the following when deciding if a request is manifestly unfounded or excessive:
- Deal with each request on its own merits – do not have a blanket policy.
- Do not assume that a request is manifestly unfounded or excessive simply because the person has previously submitted such a request.
- A request made by a person’s representative must be treated as if it had been made by the person themselves.
- If you decide a request is manifestly unfounded or excessive, you need to have strong justifications that can be clearly explained to the person and, if necessary, the ICO.
Any decision that a request is manifestly unfounded or excessive needs to be supported by clear evidence.
You should consider all the circumstances of the request. This may include broader factors beyond the request itself or the right of access.
Broader factors may include if a person has previously:
- made FOI requests,
- made service level complaints, or
- exercised other data protection rights.
For these factors to be relevant, you need to be able to show that they indicate a pattern of behaviour that supports that the person made the SAR for a purpose other than to exercise the right of access.
Remember that there is a high threshold for applying these provisions. You need to be able to show why these broader factors are directly linked to the request, and that the person’s behaviour forms a pattern of unreasonably repetitive or malicious behaviour, which might indicate that their request is manifestly unfounded or excessive.
Example
A person who was injured at work makes a SAR to their employer. Although the person does not expressly say so, the employer suspects they want the information to pursue a civil claim for damages or to obtain legal advice. The employer is aware that the person may be able to obtain this (or similar) information through other legal mechanisms if they bring a claim, but they have not already done so.
The employer cannot refuse to provide the information just because it thinks the person wants it for litigation purposes. The purpose behind a request is not relevant in considering whether a request is valid. However, it may be considered as one of multiple factors in justifying whether the request may be manifestly unfounded or excessive — for example, if it’s clear the person is abusing their rights to further their position, whether in litigation or otherwise. The employer must respond within one month of first receiving the request.
The employer provides the information but redacts details about third parties and does not provide information that is covered by legal professional privilege. The person contacts the employer and demands copies of the unredacted original documents in which their personal information is contained. The employer decides that this request is excessive, as the person has already been given the information they are entitled to. They are not entitled to the documents, copies of documents, or information about other people they are requesting. The additional information contained in these documents is not information that relates to the requester.
Remember that a SAR gives a person the right to a copy of their personal information, some of which may be contained in documents. However, it does not necessarily give them the right to obtain documents or copies of documents. This depends on the contents.
What does manifestly unfounded mean?
‘Manifestly unfounded’ means that:
- the person clearly has no intention to exercise their right of access. For example, they make a request, but then offer to withdraw it in return for some form of benefit from the organisation; or
- the request is clearly malicious and is being used to harass an organisation with no real purpose other than to cause disruption. For example, if a person:
- explicitly states, in the request itself or in other communications, that they intend to cause disruption;
- makes unsubstantiated accusations against your organisation or specific employees, which are clearly prompted by malice;
- targets a particular employee against whom they have some personal grudge; or
- systematically sends different requests to you as part of a campaign (eg once a week), with the intention of causing disruption.
This is not a simple tick-list exercise that automatically means a request is manifestly unfounded. You should consider a request in the context in which it is made. If the request appears to be a reasonable and genuine attempt to exercise the right of access, it’s unlikely that the request is manifestly unfounded.
While aggressive or abusive language is not acceptable, the use of such language does not automatically make a request manifestly unfounded. You should consider all the circumstances of the request and take a reasonable and proportionate approach in deciding whether or not this is a relevant factor.
Example
A person makes a SAR to an online retail company for their personal information. They state that they are making a SAR in accordance with the UK GDPR, and that if the company credits their online account with a specified sum of money, they will withdraw their request. The company is correct to consider the request as manifestly unfounded.
What does 'excessive' mean?
To determine whether a request is ‘excessive’, you should consider if it’s clearly or obviously unreasonable. You should take into account all the circumstances of the request, including:
- the nature of the requested information;
- if it’s proportionate when balanced with the burden or costs involved in responding to it;
- the context of the request, and the relationship between you and the person;
- if a refusal to provide the information or even acknowledging if you hold it may cause substantive damage to the person;
- your available resources;
- if the request largely repeats previous requests, a reasonable interval hasn’t elapsed, and the person’s circumstances haven’t changed;
- if it overlaps with other requests made by the same person (although, if it relates to a completely separate set of information, it’s unlikely to be excessive); or
- if you have already provided a copy of the same information to the person by alternative means.
A request is not necessarily excessive just because the person requests a large amount of information. You should consider all the circumstances of the request.
If it’s a large request, you should consider asking the person for more information to help you find the information they want, and whether you can make reasonable searches for the information. See Can we clarify the request? and What efforts should we make to find information?
A repeat request may not be excessive if a reasonable amount of time has passed since the last request. When considering if a reasonable interval has elapsed you should consider the following:
- The nature of the information — for example, is it particularly sensitive to the requester.
- How often you alter the information — if the information is unlikely to have changed, you may not need to respond to the same request twice. However, if you have changed the information since the last request, you should inform the person of this.
Requests about the same issue are not always excessive - it depends on the circumstances. There may be valid reasons for making a request that repeats the substance of a previous one. For example, if the organisation did not handle previous requests properly, or if the response to a previous request revealed new information that the person was not previously aware of – prompting a new request.
However, in other circumstances, a request which repeats the substance of a previous request may be excessive. For example, a request may be excessive if someone makes a new request before you have had the opportunity to address their earlier request – as long as the substance of the new request repeats some of the previous request.
A SAR is not automatically excessive just because the information was previously made available in another way (eg through litigation). However, if a person has already received exactly the same information through another method, this may be a factor in deciding whether this exemption applies.
Remember, even where a copy of the personal information you hold has already been disclosed to a person via a separate mechanism, you must provide the other supplementary information.