ICO updates guidance on ‘manifestly unfounded’ and ‘excessive’ in the context of responding to individuals’ rights

  • United Kingdom
  • Privacy, data protection and cybersecurity

30-08-2019

What you need to know

UK regulatory guidance has been updated to explain what ‘manifestly unfounded’ and ‘excessive’ mean in relation to the individual rights of data subjects under GDPR. This includes but is not limited to the right of access to personal data/subject access requests and affects rights under Articles 13-22 and Article 34.

Further detail

The Information Commissioner’s Office (“ICO”) updated its guidance this month (August 2019) on the meaning of these concepts.

What does ‘manifestly unfounded’ mean?

“Manifestly” means there must be an obvious or clear quality to the request being unfounded. If we use the example of an individual making a subject access request, it may be manifestly unfounded if:

- the individual clearly has no intention to exercise their right of access. The ICO gives the example of an individual making a request to an organisation and then offering to withdraw it in return for some form of benefit from the organisation. This may be relevant in the context of a customer dispute or indeed in an employment related dispute.

- the request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption.

- the request makes unsubstantiated accusations against the organisation or specific employees.

- the individual is targeting a particular employee against whom they have some personal grudge.

- the individual systematically sends different requests to the organisation as part of a campaign, eg once a week, with the intention of causing disruption.

Care is needed. The ICO makes clear in its guidance that this is not a simple tick list exercise that automatically means a request is manifestly unfounded. Each request has to be considered in the context in which it is made. Moreover, the fact the data subject has previously made this type of request does not mean his or her subsequent requests are manifestly unfounded or excessive. Each request must be assessed independently.

The golden rule is this: consider whether the individual genuinely wants to exercise his/her rights. If this is the case, it is unlikely the request will be manifestly unfounded. The ICO refers to this in its guidance.

What does ‘excessive’ mean?

A request may be excessive if it repeats the substance of previous requests and a reasonable interval has not elapsed or if it overlaps with other requests. It always depends on the particular circumstances. Again, care is needed. The ICO explains that a request will not necessarily be excessive just because the individual:

- requested a large amount of information. You (as the controller) might find the request burdensome. In that case, instead of immediately rejecting the request as excessive, consider asking the individual (promptly) if they are willing to provide more information to help you to locate the information they are seeking.

- wanted to receive a further copy of information they have requested previously. In this situation, instead of immediately rejecting the request as excessive, the controller can charge a reasonable fee to provide that further copy.

- made an overlapping request relating to a completely separate set of information. This is a request which has to be dealt with.

- previously submitted requests which were manifestly unfounded or excessive. Each request has to be considered on its merits.

How can a controller decide whether a reasonable interval has elapsed? The ICO suggests organisations consider: the nature of the data – eg it is particularly sensitive; the purposes of the processing – eg is it likely to cause harm to the requester if disclosed; and how often the data is altered – eg if information has not changed between requests, the controller might decide not to respond to the same request twice.

Final points

Care is needed when seeking to apply these concepts to GDPR rights requests. The burden of proof lies with the controller. It is key to record, for GDPR accountability reasons and for audit trail purposes, why the controller considers the threshold of ‘manifestly unfounded’ or ‘excessive’ to be met. The highest tier of ICO fines (4% of annual worldwide turnover in the prior year or 20 million Euros, whichever is higher) applies to infringement of GDPR individual rights.

As a reminder: the controller has the choice between refusing to act on the request or charging a reasonable fee when it is manifestly unfounded or excessive. When either is communicated to the data subject, he/she must be reminded by the controller about the right to complain to the ICO or another supervisory authority, the ability to seek to enforce the GDPR right through a judicial remedy, and the reasons why the controller is not taking action/is seeking the reasonable fee. The controller has to respond without undue delay and within 1 month of the request. UK regulatory guidance has been updated to the effect that the timescale for responding is one calendar month from the day of receipt of the request, not the day after receipt. See our e-briefing from earlier this month.

Action required

We recommend that you take the following steps to check that your systems and processes are aligned with the GDPR’s requirements and UK regulatory guidance, as needed.

- Identify those areas of your business impacted by requests from individuals to exercise their rights under GDPR. Your Article 30 record of processing activities should help with this exercise.

- Work with business teams, as applicable, to ensure your policies, systems and processes enable requests to be dealt with in accordance with GDPR. In particular, ensure that any clarification request or fee request is issued promptly and within one month of the request, and make sure that any fee request is reasonable and its calculation can be evidenced and justified in case of query or challenge.
