Can you refuse to comply with a Data Subject Access Request (DSAR) under the GDPR and Data Protection Act 2018?
For any organisation, the overhead of responding to Data Subject Access Requests (DSARs) is considerable. Take, for example, the health service, which according to research by cyber firm Exonar citing responses from several NHS freedom of information requests, spends approximately £85,480 per annum per trust processing 800 DSARs, equating to a total cost of over £20m. Extrapolate this across all private and public entities across the UK, and it is easy to imagine the full scale of costs associated with processing DSARs.
Due to the cost and time associated with DSARs, many organisations desire clarification regarding whether a DSAR can be refused. The short answer is yes; there are DSAR exemptions.
The Information Commissioners Office (ICO) stipulates that an organisation cannot apply for exemptions in a “blanket fashion”. Each request should be decided on its own merits.
What are DSAR exemptions?
The GDPR and Data Protection Act 2018 define several exemptions from obligations to respond to DSARs. Specifically, there is no obligation to comply with a DSAR where:
- The request is for solely personal or household activity.
- A claim of legal professional privilege applies.
- The personal data being requested includes records of intentions in relation to negotiations between the employer and employee and complying with the DSAR would prejudice such negotiations.
- It relates to personal data used for management forecasting or planning and complying with a DSAR would reasonably prejudice the conduct of the business or activity. For example, the data relates to a staff redundancy which has yet to be announced.
- Information being requested relates to regulatory functions, judicial appointments and proceedings, the honours system, criminal investigations, tax collections, and various corporate finance services.
The ICO guidelines state that a DSAR can be refused if it is manifestly unfounded or excessive.
It is important to remember that the application of exemptions for a request must be decided on a case-by-case basis.
According to the guidelines, a DSAR is manifestly unfounded if:
- the individual clearly has no intention to exercise their right of access. For example, an individual makes a request, but then offers to withdraw it in return for some form of benefit from the organisation; or
- the request is malicious in intent and is being used to harass an organisation with no real purposes other than to cause disruption
- the individual has explicitly stated, in the request itself or in other communications, that they intend to cause disruption
- the request makes unsubstantiated accusations against you or specific employees
- the individual is targeting a particular employee against whom they have some personal grudge; or
- the individual systematically sends different requests to you as part of a campaign, e.g. once a week, with the intention of causing disruption.
A request may be excessive if:
- it repeats the substance of previous requests, and a reasonable interval has not elapsed; or
- it overlaps with other requests.
The guidelines state that if a data subject requests a large amount of additional information or additional data on top of the initial request, this does not necessarily constitute ‘excessive’.
Do I have to comply with a DSAR if the data contains information about another person?
One of the most common challenges with DSAR compliance is where the information requested discloses a third party’s data. For example, if an employee requests information from their employer, the data disclosed could contain remarks made by a manager regarding that employee.
The Data Protection Act 2018 provides that a DSAR which will disclose third party information does not need to be complied with unless:
- the third party gives their consent; or
- it would be reasonable to proceed without that consent
When considering whether proceeding without consent is reasonable, consideration should be made to:
- the type of information that you would disclose;
- any duty of confidentiality owed to the third party;
- your efforts in regard to obtaining consent;
- can the third party actually give consent; and
- any express refusal of consent by the other individual.
In B v General Medical Council  EWCA Civ 1497, the Court of Appeal stated that just because the third-party refuses to consent, this does not equate to a presumption the DSAR should not be complied with.
What steps should I take in refusing a DSAR?
If you choose to refuse a DSAR, you must document the reasons for your refusal, not only for the benefit of the data subject but also for the ICO. It is also imperative you inform the data subject of their right to complain to the ICO and seek legal advice.
In B v General Medical Council, the Court of Appeal ruled that the question for the court to ask is whether it is reasonable in all the circumstances for the data controller to refuse/comply with the DSAR. If the controller failed to conduct a reasonable assessment, then the Court has the discretion to make the assessment itself.
Therefore, it is essential that all DSARs are carefully considered on their own merits and the reasoning behind the decision to refuse/comply with the request is meticulously documented.
Lineal is a global leader in providing eDiscovery and DSAR support. To find out more about our services, please call us on +44 (0)20 7940 4799 or email firstname.lastname@example.org.
Click link below to download the our white paper for more practical guidance on how to manage DSARs.