How to Handle "Manifestly Unfounded or Excessive" Requests Under Updated ICO Guidance

February 25, 2026 (4 min read)

The right of access is a fundamental pillar of UK data protection law. However, for Data Protection Officers (DPOs), there is a growing trend of the Data Subject Access Request (DSAR) being weaponised. Whether leveraged as a tactical manoeuvre in an employment tribunal, used to launch a "fishing expedition" for corporate data, or submitted purely to disrupt operations, these requests place an immense burden on privacy and legal teams.

Fortunately, the law provides a defence. Under the UK GDPR and the recently enacted Data (Use and Access) Act 2025 (DUAA), data controllers have the right to refuse to comply with a request—or charge a reasonable administrative fee—if they can demonstrate that the request is "manifestly unfounded or excessive."

However, applying this label is not a simple tick-box exercise. The Information Commissioner's Office (ICO) has set a high threshold for what qualifies, and getting the justification wrong can lead to immediate regulatory scrutiny. Here is how UK organisations can confidently navigate these complex requests in 2026.

Defining "Manifestly Unfounded"

The inclusion of the word "manifestly" is crucial; it means the unfounded nature of the request must be obvious or clear. The ICO guidance dictates that you cannot presume a request is unfounded simply because the individual has been difficult in the past.

A request is typically deemed manifestly unfounded if the individual clearly has no genuine intention to exercise their right of access, or if the request is explicitly malicious. Strong indicators include:

  • Quid Pro Quo: The individual submits a sprawling DSAR but explicitly offers to withdraw it in exchange for a specific benefit, such as a higher severance package.

  • Stated Intent to Disrupt: The requester states, either in the request itself or in surrounding correspondence, that their primary goal is to cause administrative chaos.

  • Targeted Harassment: The request makes unsubstantiated accusations and specifically targets an individual employee against whom the requester holds a personal grudge.

It is important to note that the use of aggressive or abusive language by a disgruntled customer or ex-employee does not automatically render a request manifestly unfounded. The core test is the intent behind the request, which the controller must carefully document.

The Threshold for "Manifestly Excessive"

Determining if a request is "manifestly excessive" requires a proportionality test. You must evaluate whether the request is clearly or obviously unreasonable when balancing the burden or costs involved in dealing with it against the fundamental rights of the individual.

Common scenarios where a request may cross the line into excessiveness include:

  • Overlapping Requests: The individual submits a new DSAR before you have even had the statutory one-month window to respond to their previous request.

  • Repetitive Demands: The requester repeatedly asks for the same data without a reasonable interval having passed, or repeatedly demands the data in different electronic formats after having already successfully downloaded it from a secure portal.

Crucially, under the newly codified ICO guidance and the DUAA, a request is not automatically "excessive" simply because it yields a massive volume of data. However, the DUAA has provided a powerful counterbalance: controllers are now only legally required to conduct "reasonable and proportionate" searches. You are no longer expected to turn over every stone in legacy, hard-to-reach systems if doing so imposes a disproportionate burden.

"Stopping the Clock" and the New Complaints Procedure

Before jumping straight to an outright refusal, DPOs should leverage the procedural tools provided by the DUAA.

The most valuable of these is the codified "stop the clock" provision. If an individual submits a highly vague or incredibly broad request (e.g., "give me every email mentioning my name from the last ten years"), you are legally entitled to pause the one-month deadline to ask for clarification. The clock does not restart until the data subject provides reasonable parameters for the search.

If you ultimately decide you must refuse the request, transparency is mandatory. You must inform the individual of your reasons, explain the decision, and notify them of their right to complain. Bear in mind that under the DUAA provisions coming into force in June 2026, organisations must have an accessible, internal data protection complaints procedure in place. Data subjects will use this route before escalating to the ICO, meaning your initial refusal justification must be robust enough to withstand immediate internal review.

Managing the Borderline Cases with Automation

The reality for most UK privacy teams is that many frustrating DSARs fall into a grey area. They are incredibly burdensome, but just shy of meeting the strict legal threshold for "manifestly excessive." In these cases, you are legally obligated to process the data.

When you cannot refuse a complex request, the only way to protect your resources is to drastically reduce the cost of compliance. Relying on manual redaction using basic PDF editors or frame-by-frame video software transforms these borderline requests into massive financial liabilities. It also introduces the severe risk of "false redactions" (failing to remove underlying metadata), which can trigger data breach fines.
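The "false redaction" risk above is easy to check for mechanically: a redaction is only real if the value is gone from every layer of the file, not just the one the reviewer can see. The following Python script is an added example, not code from this post or from Acuity AutoRedact. It uses a constructed toy `Document` model (a visible text layer, a hidden OCR/text layer, metadata fields and annotations) standing in for the layers of a real PDF or video export, contrasts a box-over-the-text style redaction with one that scrubs every layer, and runs a leak check that a DPO could require before any DSAR bundle is released. The sample record and the names in it are invented.

```python
"""Added example (not from the original post): verify that a redaction actually
removed the data rather than hiding it. A false redaction leaves the value in a
hidden text layer, in document metadata or in a review annotation even though the
visible page shows a black box. The Document model below is a constructed
stand-in for a multi-layer file; real PDFs and videos have more layers than this.
"""
from dataclasses import dataclass, field
import re


@dataclass
class Document:
    """Constructed toy model of a multi-layer export (assumption for the demo)."""
    visible_text: str
    hidden_text: str = ""                              # OCR/text layer under a drawn box
    metadata: dict = field(default_factory=dict)       # author, title, keywords ...
    annotations: list = field(default_factory=list)    # sticky notes / review comments


def _norm(s: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  EXAMPLE' still matches 'Jane Example'."""
    return re.sub(r"\s+", " ", s).strip().lower()


def _layers(doc: Document):
    """Yield (layer name, text) for every place a value could survive."""
    yield "visible_text", doc.visible_text
    yield "hidden_text", doc.hidden_text
    for key, value in doc.metadata.items():
        yield f"metadata:{key}", str(value)
    for i, note in enumerate(doc.annotations):
        yield f"annotation:{i}", note


def find_leaks(doc: Document, secrets):
    """Return (layer, secret) pairs for every secret still present in any layer."""
    leaks = []
    for layer, text in _layers(doc):
        normalised = _norm(text)
        for secret in secrets:
            if _norm(secret) in normalised:
                leaks.append((layer, secret))
    return leaks


def _pattern(secret: str) -> re.Pattern:
    """Match the secret case-insensitively with any whitespace run between its words."""
    return re.compile(r"\s+".join(re.escape(w) for w in secret.split()), re.IGNORECASE)


def _scrub(text: str, secrets, mark: str = "[REDACTED]") -> str:
    for secret in secrets:
        text = _pattern(secret).sub(mark, text)
    return text


def naive_redact(doc: Document, secrets) -> Document:
    """Box-over-the-text style: only the visible layer is changed (the false redaction)."""
    return Document(_scrub(doc.visible_text, secrets), doc.hidden_text,
                    dict(doc.metadata), list(doc.annotations))


def thorough_redact(doc: Document, secrets) -> Document:
    """Scrub every layer, including metadata values and annotations."""
    return Document(
        visible_text=_scrub(doc.visible_text, secrets),
        hidden_text=_scrub(doc.hidden_text, secrets),
        metadata={k: _scrub(str(v), secrets) for k, v in doc.metadata.items()},
        annotations=[_scrub(a, secrets) for a in doc.annotations],
    )


# Constructed sample: one page of a DSAR bundle in which a third party must be removed.
THIRD_PARTY = ["Jane Example", "jane.example@example.org"]
SAMPLE = Document(
    visible_text="Complaint raised by Jane Example (jane.example@example.org) on 3 March.",
    hidden_text="Complaint raised by Jane  Example (jane.example@example.org) on 3 March.",
    metadata={"author": "Jane Example", "title": "HR note"},
    annotations=["Reviewer: check with jane.example@example.org before release"],
)

if __name__ == "__main__":
    print("naive   :", find_leaks(naive_redact(SAMPLE, THIRD_PARTY), THIRD_PARTY))
    print("thorough:", find_leaks(thorough_redact(SAMPLE, THIRD_PARTY), THIRD_PARTY))
```

Run as a script, the naive redaction reports the third party's name surviving in the hidden text layer and the author metadata, and the e-mail address surviving in the hidden layer and a reviewer annotation, while the thorough redaction reports nothing. The useful part for a privacy team is `find_leaks`: whatever tool does the redaction, the released bundle should be re-scanned for the values that were supposed to be removed before it leaves the organisation.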

By integrating automated processing into your workflow, you neutralise the disruptive impact of high-volume requests. Advanced AI can discover relevant unstructured data, instantly identify and irreversibly redact third-party PII, and automatically blur faces in CCTV footage.

If your team is losing hours to borderline excessive requests, it is time to change your operational approach. Experience how AI-driven processing can protect your compliance budget by starting a free trial of Acuity AutoRedact today.

Andrew Walls is the Founder and CEO of Acuity AI Education Ltd, the parent company of Acuity AutoRedact. He has over 10 years of digital leadership experience in schools.

Andrew Walls
