Date updated: Wednesday 3rd April 2024

What is the change?

At present, circumstances in which organisations may outright refuse to comply with a subject access request (“SAR”) are limited to when the request is manifestly unfounded or excessive. This has historically proven difficult to rely on in practice, due to uncertainty around what is meant by “manifestly unfounded”. The Data Protection and Digital Information Bill (the “Bill”) proposes to amend this threshold for refusing a SAR – or accepting it but charging a reasonable fee – to “vexatious or excessive”.

What could it mean?

The Bill changes, and potentially broadens, the circumstances in which controllers may refuse or make a reasonable charge for responding to a SAR. The Bill states that it is for the controller to demonstrate that any request meets the threshold of being vexatious or excessive. 

What do you need to do?

The Bill requires that controllers must be able to demonstrate that they have taken into account the circumstances of the request when the determination that a SAR is vexatious or excessive has been reached. The Bill’s new provision is akin to the Freedom of Information Act 2000 (“FOIA”), which allows public authorities to refuse requests for information which are vexatious or repeated. This is a high hurdle and Stone King has developed an assessment tool which assists evaluation of FOIA requests that may be vexatious or excessive. Stone King’s SAR Tracker allows controllers to keep records of every stage of the process of responding to a SAR. Stone King can also advise on the evaluation of potentially manifestly unfounded or excessive SARs, and on keeping accountability records when such a determination is made. 

For further guidance on handling subject access requests, please contact the Information Law Team.