The recent decision of Lees v Lloyds Bank comments on excessive and abusive DSARs and when responses are required. In this case, the data controller, Lloyds Bank, had already provided responses, but the data subject continued with requests, repeating essentially the same questions in what was clearly a fishing expedition underpinning an attempt to make a collateral challenge to other unsuccessful litigation.
While some commentary suggests that the decision has extended the circumstances in which responses can be refused, it was in reality simply reaffirming the guidance already available from the ICO on the circumstances in which a response can be refused. Provided that written notice is given, it has always been possible to refuse manifestly excessive or unreasonable requests.
The decision has, however, taken on greater interest in light of the updated ICO guidance published today on the circumstances in which a data controller can genuinely refuse to comply with a request on the grounds of the request being excessive or unreasonable (see the linked Tweet from my colleague Will Richmond-Coggan). This, arguably, does extend the circumstances in which such a refusal might be sustained.
Generally speaking, however, and as was the case in Lees v Lloyds, a controller is more likely to be successful in defending their refusal where they have already complied as fully as they can with valid subject access requests. Even if elements of a request are thought to be unreasonable or excessive, it will always be advisable to respond to the request as far as possible rather than supplying a blanket refusal.
The Court found that Lloyds had adequately responded to all of the Claimant’s requests and found against the Claimant, stating that: the DSARs issued were numerous and repetitive; the data sought would be of no real benefit to the Claimant; and the real purpose of the DSARs was to obtain documents rather than personal data to use in litigation against the bank and therefore the DSARs were abusive.