Since the introduction of the GDPR, people are supposed to feel more in control of their data. That’s because you have the right to access your personal data, which is known as ‘subject access’, in order to understand how and why your data is being used. But what if you or your company are asked to provide information on an individual? Contrary to what most people may think, you may not have to provide information in every circumstance, and may even be entitled to charge administrative fees.
Under Part 3 of the Data Protection Act 2018 (DPA 2018), data controllers are allowed to refuse to respond to a subject access request if the request is demonstrably unfounded or excessive – particularly if it is repetitive in nature. If they do agree to deal with such a request, they may be permitted to charge a reasonable fee to cover the administrative costs required to retrieve the information.
To help determine when a request is unfounded or excessive, the Information Commissioner’s Office (ICO) has issued guidance, which can be found here. The ICO recommends that data controllers consider each request on a case-by-case basis, rather than issuing any sweeping policies. In addition, where requests are refused, data controllers should tell the individual why they have not fulfilled the request, and inform them of their right to file a complaint with the ICO.