Can you refuse to comply with a data subject access request (DSAR) under the UK GDPR and Data Protection Act 2018?
For any organisation, the challenge of responding to Data Subject Access Requests (DSARs) is considerable. Research by cyber firm Exonar on the NHS illustrates this.
Citing responses to several NHS freedom of information requests, Exonar found that trusts spend approximately £85,480 per annum each processing 800 DSARs, which adds up to over £20m. Extrapolate this across all private and public entities in the UK and it is easy to imagine the full scale of the costs associated with processing DSARs. So, can you refuse to comply with a data subject access request (DSAR) under the UK GDPR and Data Protection Act 2018?
Given the cost and time involved, many businesses want clarity on whether a DSAR can be refused. The short answer is yes: there are DSAR exemptions.
The Information Commissioner's Office (ICO) stipulates that an organisation cannot apply exemptions in a “blanket fashion”. Each request must be considered on its own merits.
What DSAR exemptions are there?
The EU & UK GDPR and Data Protection Act 2018 define several exemptions from obligations to respond to DSARs. Specifically, there is no obligation to comply with a DSAR where:
- The request is for solely personal or household activity.
- A claim of legal professional privilege applies.
- The personal data being requested includes records of intentions in relation to negotiations between the employer and employee and complying with the DSAR would prejudice such negotiations.
- It relates to personal data used for management forecasting or business planning, and complying with the DSAR would reasonably prejudice the conduct of the business or activity. For example, the data relates to a staff redundancy which has yet to be announced.
- Information being requested relates to regulatory functions, judicial appointments and proceedings, the honours system, criminal investigations, tax collections, and various corporate finance services.
Guidelines from the ICO state that a DSAR can be refused if it is manifestly unfounded or excessive. However, these terms are not precisely defined. The ICO gives the following guidance.
A DSAR is manifestly unfounded if:
- the individual clearly has no intention to exercise their right of access. For example, an individual makes a request, but then offers to withdraw it in return for some form of benefit from the organisation;
- the request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption;
- the individual has explicitly stated, in the request itself or in other communications, that they intend to cause disruption;
- the request makes unsubstantiated accusations against you or specific employees;
- the individual is targeting a particular employee against whom they have some personal grudge; or
- the individual systematically sends different requests to you as part of a campaign, e.g. once a week, with the intention of causing disruption.
A request may be excessive if:
- it repeats the substance of previous requests, and a reasonable interval has not elapsed; or
- it overlaps with other requests.
The guidelines state that if a data subject requests a large amount of additional information or additional data on top of the initial request, this does not necessarily make the request ‘excessive’.
Do I have to comply with a DSAR if the data contains information about another person?
One of the most common challenges with DSAR compliance is where the information requested discloses a third party’s data. For example, if an employee requests information from their employer, the data disclosed could contain remarks made by a manager regarding that employee.
Under the DPA 2018, a DSAR which would disclose third-party information does not need to be complied with unless:
- the third party gives their consent; or
- it would be reasonable to proceed without that consent.
When deciding whether it is reasonable to proceed without consent, you should consider:
- the type of information that you would disclose;
- any duty of confidentiality owed to the third party;
- your efforts in regard to obtaining consent;
- whether the third party is actually able to give consent; and
- any express refusal of consent by the other individual.
What steps should I take when I refuse to comply with a Data Subject Access Request?
If you choose to refuse a DSAR, you must document the reasons for your refusal. This is not only for the benefit of the data subject but also for the ICO. It is also imperative that you inform the data subject of their right to complain to the ICO and to seek legal advice.
DSARs should be considered very carefully, following a documented process. Where possible, the requestor should be identified. Whilst awaiting confirmation of their identity, you should begin gathering the data.
If the request meets one of the exemption criteria above, this must be communicated to the requestor without undue delay. Whilst you do not need to explain in detail why you are not complying, you should be ready to defend your decision as and when required: the requestor has a right of appeal, and you need to be prepared for it. It is worth pointing out that you should not judge a DSAR solely from the requestor's point of view but should also consider any third parties involved.
It is essential, therefore, that all DSARs are carefully considered on their own merits. The reasoning behind the decision to refuse or comply with the request must be meticulously documented.