Schools are as entitled as any other organisation to refuse to respond to a subject access request (SAR), whether wholly or partly, if it is “manifestly unfounded” or “excessive”, a stance effectively endorsed by the High Court in a recent case brought by a Lloyds Bank customer.
The High Court went as far as to comment on the SARs made by the customer, Mr Lees, in a way that will be useful to schools faced with repetitive SARs.
The GDPR allows schools to charge for responding to SARs if they fall into one of the above categories – the ICO is clear that a repeated SAR can be considered “excessive” as long as a reasonable interval has not elapsed since the initial request was made. A “manifestly excessive” SAR can be refused where the requestor has no intention to exercise their right of access or is malicious in intent. Each request must be considered separately to determine if the legal criteria is satisfied.
Schools should be aware that requestors may take issue with a refusal to respond to their request (or to charge for responding to it) on this basis – they could refer their SAR to the ICO. So schools should be prepared to explain their reasons for refusing to respond in case this happens. The ICO guidance on its website is helpful in this area.
In the High Court case, the claimant alleged that his bank had failed to respond fully to his SARs contrary to the Data Protection Act 2018 and the GDPR. In total, Mr Lees had made over 70 SARs to Lloyds Bank, some of which were made when the Data Protection Act 1998 was in force.
The court disagreed with Mr Lees and held that the bank had responded adequately to the SARs (and so did not make an order against the bank). Interestingly, the court’s decision did not stop there and went on to comment on the court’s position if Lloyds Bank had not provided adequate responses to Mr Lees’ SARs.
Faced with this situation, the court opined that there were “good reasons” for the court to exercise its discretion and refuse to order Lloyds Bank to adequately respond to the SARs in light of:
- Mr Lees’ numerous and repetitive SARs, which were abusive
- the real purpose of the SARs was to obtain documents rather than personal data
- the SARs served collateral purposes (namely to litigate against the bank)
- the data sought would have been of no benefit to Mr Lees.
This ruling comes as welcome news to many organisations and schools. It restates the court’s discretion in making orders on SARs, and it acknowledges the burden that these requests place on organisations. The court has also chosen to use the case to make a clear statement as to the disingenuous motive behind Mr Lees’ SARs and the abusive nature of his repetitive requests.
But the comments in this decision are not binding on the courts, and it does appear to be inconsistent with the ICO’s approach on the matter. It is unclear at this stage whether the ICO will factor this ruling into any revised guidance on what constitutes a “manifestly unfounded” or “excessive” request.