Currently, a data controller can only refuse to comply with requests from individuals who wish to exercise their data subject rights if requests are “manifestly unfounded or [manifestly] excessive.” Under the Bill it is proposed that this threshold will be changed so that a data controller may refuse to comply if the request is “vexatious or excessive”.
The Bill gives examples of the factors which it is proposed may be relevant to the determination of whether a request is vexatious or excessive, which are:
- the nature of the request;
- the relationship between the individual and the data controller;
- the resources available to the data controller;
- the extent to which the request repeats a previous request made by the individual to the data controller;
- how long ago any previous request was made; and
- whether the request overlaps with other requests made by the individual to the data controller.
This list largely reflects the existing guidance of the Information Commissioner’s Office.
The Bill goes on to give examples of requests which it is proposed may be considered vexatious, which will include requests that:
- are intended to cause distress;
- are not made in good faith; or
- are an abuse of process.
It is clear that the intention behind these proposed changes is that employers and other data controllers should be entitled to refuse to comply with data subject requests more often than the law currently permits. This point is made expressly in the explanatory notes published by the government alongside the Bill, which explain that the change to the threshold “allows requests made without the intention of accessing personal information to be more easily refused or charged for than the existing threshold of ‘manifestly unfounded or excessive’.”
The addition of the possibility that requests may be refused where they are vexatious is potentially significant because currently it is clear that the motive behind a data subject request is irrelevant. The examples given of when a request may be considered vexatious under the Bill suggest that will no longer be the case. How significant the changes will be in practice remains to be seen and guidance on this issue from the Information Commissioner’s Office would be welcome if the Bill is passed. A key question on employers’ lips will be whether data subject access requests made once employment tribunal proceedings have been issued will always be “vexatious.” If not, where is the tipping point? What about a request that is made before any proceedings have been issued but where the employer believes a claim is likely?
How quickly the Bill becomes law (if at all) depends on a number of factors, but it looks like the government views it as something of a priority, having introduced it in the week before the summer recess of the House of Commons. The second reading of the Bill is scheduled for 5 September, the day that MPs return to parliament.