• Contact Us

Using Data Rights As a Weapon - What Can an Organisation Do?

on Wednesday, 20 July 2022.

Many organisations will have experienced that sinking feeling when a data protection request comes in hot on the heels of a dispute.

The most common example of this is a subject access request made at the beginning of, or during, a complaints process, but you might also receive requests for rectification and erasure too. Whilst the context of the request can't be taken into account when you are responding, Vicki Bowles (partner and barrister in our information law team) has some top tips to assist before you receive these requests, and for when you're dealing with them.

Intention to Frustrate

If you can show that the individual making the request has no real interest in the request, and the purpose is to frustrate the organisation, you may be able to refuse to deal with it. This is a largely untested area, and requires you to be able to justify this decision with evidence to support your conclusions. It is also worth considering whether the potential reaction to such a refusal outweighs the benefits of the action before committing. However, it is an option if you do have some evidence that the purpose of the request is to cause disruption, rather than to obtain information or rectification etc.

Prevention Is Better Than Cure

It may be a cliché, but it's also very true when it comes to dealing with information law requests. Having in place good data practices, and good data hygiene will make the experience much less painful in the long term.

Good data practices include:

  • detailed privacy notices that match the lawful basis to the purpose
  • filing systems for electronic information
  • regular data cleanses
  • professionalism in communications

With some of the rights, the lawful basis that you have chosen for the use of the information will determine whether the right applies. If your privacy notice is silent on this issue, or doesn't link the basis to the purpose, then you have an additional hurdle to get over before you can refuse to deal with a request. Having your purpose linked to your lawful basis in the privacy notice will prevent this issue from arising, and make dealing with requests much easier.

Having in place filing systems for electronic information means that you can easily access the information you need to search if a request comes in. What these systems look like will depend upon your specific organisation and the type of information you collect, but they can be really useful when looking at the initial searches. You are only required to carry out a 'reasonable' search, and not a complete search, but if all emails and documents are filed, then this process will be much easier.

Regular data cleansing is good practice because it helps keep your systems clear of unnecessary information, and allows you to comply with the principle of data minimisation. Whilst you should never delete relevant information once you have received a request, if you carry out regular archiving, you may end up with less information to review if a request is made.

The final point is one which usually only really hits home when it's too late. At the time, sending an email with a set of exclamation marks at the end (!!!!!!!), or perhaps the use of ellipses to make an unsaid point can seem harmless... But all too often these seemingly harmless comments or punctuation choices end up inflaming an already tense situation. All those who use your systems - employees, volunteers, shareholders, work experience… should all be aware that there is always a risk that the individual they are writing about will see their email, and think twice about how they phrase things. Unfortunately, there is no exemption for embarrassing remarks (or swear words!).

DP staff know how to avoid a data breach

Subject Access Requests v Litigation Disclosure

If there is the prospect of litigation, individuals will often make a subject access request for the purpose of uncovering further evidence to support their claim. Whilst there is nothing to prevent an individual from doing this, the rules of disclosure and what you are entitled to under a subject access request are very different, and it is important not to confuse the two.

In a nutshell, disclosure entitles you to documents that are relevant to the claim. A subject access request entitles you to your own personal data. There is no entitlement in a subject access request to the document in which the personal data appears, but there are exemptions to the release of information in both cases.

Having said this, if you know that you are going to have to disclose a particular document in the near future, but it would be exempt under the subject access regime, you may want to release it in advance. This ensures transparency, and can avoid accusations that you were attempting to 'hide' relevant information. Whether this is appropriate will depend upon the circumstances of the individual case, but it is worth bearing in mind that just because an exemption does apply, you don't always have to use it.

When the Request Is Over…

When the request is finished, this is not necessarily the end. We are increasingly seeing individuals making a second request, shortly after the first one, for any information created whilst dealing with their previous request. If you are complying with the rules around professionalism in communications, then this shouldn't be an issue, but it is worth bearing in mind that this is a possibility.


Individuals can, and do, use their rights under data protection law in the context of complaints or disputes. Whilst you can't prevent this from happening, you can:

  • Link purpose to lawful basis in your privacy notices.
  • Take steps to make sure that the location of information is easier.
  • Ensure that you remove information from your systems that you no longer need.
  • Remind those who use your systems of the need for professionalism in the way that they communicate.
  • Understand the difference between disclosure and a subject access request, and what these entitle the individual to see.

For more information about this, or any other data protection related queries, please contact Vicki Bowles in our Data Protection team on 0117 314 5672, or complete the form below.

Get in Touch

First name(*)
Please enter your first name.

Last name(*)
Invalid Input

Email address(*)
Please enter a valid email address

Please insert your telephone number.

How would you like us to contact you?

Invalid Input

How can we help you?(*)
Please limit text to alphanumeric and the following special characters: £.%,'"?!£$%^&*()_-=+:;@#`

See our privacy page to find out how we use and protect your data.

Invalid Input