I’ve been working with SARs for several years now and one of the key things I notice time and again is that the Data Subject gets a bit of a rubbish deal due to poor records management by the Data Controller.
Time and again I’ve seen a request where the Data Subject (or just a requestor, if it wasn’t the Data Subject making the request) will ask for everything a Controller holds about someone. A legitimate thing to ask for under Article 15 of the GDPR, would you not agree? However, when the ‘SAR coordinator’ (the person dealing with it) then goes looking for their data, what they find is thousands and thousands of instances where ‘Bob’ (let’s use Bob as an example here) appears.
Those instances of Bob will include legitimate records and instances. However, they will also include duplicate copies, pointless uses of Bob’s data, old copies, etc. This is what is known as ROT in the IRM (Information and Records Management) world: Redundant, Obsolete, and Transient stuff that should legitimately not exist anymore. And yet, for far too many organisations, it does, and in bucketloads.
So let us assume for the minute that Bob is a reasonable human being simply exercising his right under Article 15 for access to all Personal Data currently being processed by a Data Controller. If we, the Data Controller, were to go back to Bob and say (in essence), “sorry mate but we’ve just got too much c**p, you need to narrow down your request”, how is that even remotely fair to the Data Subject? It’s not their fault the Data Controller hasn’t taken care of its records, is it?
How can we say that the request is ‘excessive’ and something we could, ultimately, refuse? To me, that just legitimises poor records management and the fact the ICO seems to condone it just undermines one of the key elements of proper Data Protection.
Let me explain my point as I know that will divide opinions amongst DPOs.
I’ve been that person many times, wading through 10,000 emails, so I know that the default position of practitioners is to not want to trawl through all those emails. And that is a perfectly normal human position to take. You’d be a very special person who ‘wants’ to trawl through 1000s of documents. However, is that frustration directed at the wrong place?
First off, I don’t mean those requestors that genuinely have lots of data about them and use that to cause disruption. Those people exist and they annoy all of us as they misuse their rights for personal gain/vendetta. Those requests, where you can indeed prove that the requestor (and therefore the request) is indeed ‘excessive’ or ‘manifestly unfounded’, should indeed be rejected for the nonsense they are.
What I want to talk about are the majority of requests, because those annoying ones are very much the minority.
These requests are the ones where the requestor has made an otherwise legitimate request (for whatever reason) and it is certainly not presenting any of the signs of being unfounded or excessive. You may even know why they want the data, and there is a lot of it for one reason or another. But not for reasons that are the Data Subject’s fault!
‘Excessive’, according to the ICO guidance on ‘manifestly unfounded or excessive’, is defined as follows (quoted directly from their online guidance as of 3rd February 2023):
To determine whether a request is manifestly excessive you need to consider whether it is clearly or obviously reasonable. You should base this on whether the request is proportionate when balanced with the burden or costs involved in dealing with the request.
This will mean taking into account all the circumstances of the request, including:
- the nature of the requested information;
- the context of the request, and the relationship between you and the individual;
- whether a refusal to provide the information or even acknowledge if you hold it may cause substantive damage to the individual;
- your available resources;
- whether the request largely repeats previous requests and a reasonable interval hasn’t elapsed; or
- whether it overlaps with other requests (although if it relates to a completely separate set of information it is unlikely to be excessive).
I don’t like this ‘burdensome’ element in the definition. Where it is genuinely not the requestor’s fault that the Controller has so much Personal Data on them, how is it a ‘burden’ on the Controller to find it all and give it to them? The Controller was the one managing it in that way in the first place (rightly or wrongly). To label the requestor or request as ‘excessive’ in those circumstances seems a bit unfair to me.
I’ve worked with micro-organisations where they have gotten themselves in a pickle and tried to argue that they don’t have the resources to deal with this person’s request and therefore it is excessive. However, my counter-argument would be: well, is that the Data Subject’s fault? In most cases, from what I’ve seen, no, it isn’t. The fault for that rests firmly with the organisation concerned. And if a small charity (like HIV Scotland, for example) can be fined for not adequately securing its records, then how can you also argue it is not reasonable for them to ‘manage’ their records properly?
On the flip side, I can also see the argument/frustration that there is just so much there, and is it ‘reasonable’ to expect the SAR coordinator to sort through all of that? Both sides seem to be right, so who wins/loses? Just the Data Subject, from what I can see.
For those that know me and work with me, you know I’m not a Data Protection “puritan”. I am a pragmatist at heart and rarely engage in absolutes, as the world just doesn’t work like that. Laws are written for a perfect world and therefore are not perfect by their very nature. This is one area where, while I don’t think I’m completely absolute, I would certainly and passionately advocate not dismissing a request simply because you have too much stuff and your Controller is not giving it the resources and time it needs.
Instead, I would be using it as yet another case for investing in good Records Management and taking care of the data, information, and records within any organisation. Not using one part of the law to get out of complying with another part of the law. I’d also say that the ICO really should be talking about this more in their guidance. As well as giving tips on how to narrow down the request with the requestor, why not a section on ‘if you’re not effectively managing the records, can you really enforce excessive on a requestor?’, and on how poor RM controls may well count against you when the ICO decides on the ‘appropriateness’ of your refusal.
But then the ICO taking RM seriously is a pipe dream, so maybe I’m just shouting into the abyss. Who knows!
Maybe it boils down to this. The next time you are dealing with a large request with thousands of documents, take the frustration that comes with it and aim it at the organisation concerned that has allowed it to get that way, not the requestor (assuming it’s a legitimate ‘Bob’, of course, and not a genuine pest).