We seem to be entering an era of increased flexibility for data controllers, in which the scope for refusing to comply with unreasonable or excessive data subject access requests (“DSARs”) is widening. The courts have always been more hesitant than the Information Commissioner’s Office (“ICO”) to order a data controller to supply data to a data subject. However, the ICO too is now broadening the circumstances in which compliance will not be required, as set out in its updated guidance (which we write about here). The case of Lees v Lloyds Bank PLC is also a timeous reminder of the limits on data subjects using DSARs as a form of activism to further their own cause.
In this case, Lloyds (the data controller) had granted Mr Lees (the data subject) three buy-to-let mortgages. The data controller and the data subject subsequently became involved in a dispute, which resulted in the data subject submitting:
- One DSAR to the data controller on 23 November 2017;
- Four DSARs to the data controller on 13 March 2019; and
- One further DSAR to the data controller on 20 April 2019.
The court found that the data controller had complied with all of their obligations. However, even if the data subject could show that there had been a failure to respond, the court could have exercised its discretion in determining whether or not to order the data controller to comply.
In this case, the court found that good reasons for declining to exercise discretion in favour of the data subject would have been:
- The data subject had submitted numerous and repetitive DSARs, which was an abuse of process;
- The real purpose of the DSARs was to obtain documents, rather than his personal data; and
- There was a collateral purpose in making the claims (that is, to assist the data subject in litigation against the data controller).
The court would therefore have refused to order the data controller to respond to the later DSARs, had the data controller not already done so.
The Information Commissioner’s Office
Fortunately, ICO guidance seems to be catching up with the courts in preventing the misuse of DSARs by data subjects.
Previous ICO guidance on DSARs stated that a data controller should be ‘motive blind’ when responding to DSARs, i.e., the intention of the data subject when making requests is irrelevant.
However, the new ICO guidance on DSARs sets out circumstances in which a request may be ‘manifestly unfounded’ and therefore exempt from the duty to respond. Examples include cases where:
- The data subject clearly has no intention to exercise their right of access (e.g. they make a request, but offer to withdraw it in return for some form of benefit); or
- The request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption. For example, the data subject:
  - explicitly states that they intend to cause disruption (which is unlikely);
  - makes unsubstantiated accusations which are clearly prompted by malice;
  - targets a particular employee against whom they have some personal grudge; or
  - systematically sends different requests as part of a campaign, e.g. once a week, with the intention of causing disruption.
While this is still a fairly high bar and the initial presumption should always be that a data controller must respond to a DSAR, it represents a helpful shift for data controllers away from the previous ‘motive blind’ advice. Data controllers now have more scope to refuse to comply when such requests are received.
The vast majority of DSARs will be, or will be framed in such a way that they appear to be, in pursuit of information about how a data subject’s personal data is being processed. However, the assertion that a DSAR is made to exercise data subject rights becomes less convincing by the second, third or subsequent DSAR. This case is a useful indicator of how the courts approach the use of multiple requests by data subjects. While it remains to be seen how the ICO will react to a data controller refusing to respond to the latest in a string of DSARs, this case will certainly be a useful tool in the arsenal of data controllers who are faced with repeated, unwarranted (even never-ending) DSARs.