Introduction
The Data (Use and Access) Bill, introduced on 23 October 2024, is a welcome move by this government to modernise and refine key elements of the data protection landscape. Among the proposed reforms, changes to data subject access requests (DSARs) have captured significant attention.
DSARs have long been a fundamental mechanism allowing individuals to verify the lawfulness of an organisation’s data processing practices and to gain insight into how their personal information is handled. However, from the perspective of solicitors’ firms, DSARs can pose practical, administrative, and strategic challenges, especially when used tactically in litigation. We looked at this in some detail in our article “Vexatious Subject Access Requests” in September 2024.
This article looks briefly at how the anticipated Bill might reshape DSAR obligations, the ramifications for UK law firms, and how it might impact upon the increasing prevalence of vexatious DSARs in contentious proceedings.
Context and Rationale for Reform
Subject access rights are currently governed primarily by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). These firmly establish the individual’s right to request access to personal data and to understand the purposes for which it is being used, thus ensuring accountability.
However, DSARs have increasingly been “weaponised” in contentious scenarios, particularly in litigation. As a result, solicitors frequently encounter DSARs from opposing parties, often with the intent to gain an advantage by:
- Extracting additional information: Requesting access to data not typically disclosed under litigation rules.
- Disrupting workflows: Overwhelming firms with voluminous or vague requests, diverting time and resources.
- Increasing pressure: Leveraging the administrative burden of compliance to compel early settlement or concessions.
While the UK GDPR allows organisations to refuse or charge for “manifestly unfounded or excessive” requests, these terms are often open to interpretation, leaving solicitors exposed to the risk of regulatory scrutiny or disputes with requesters. The lack of clear guidance on vexatious requests has made it difficult for firms to confidently push back against DSAR misuse.
The Data (Use and Access) Bill promises to bring additional clarity to the DSAR regime, ensuring that it both remains a critical transparency tool for data subjects and becomes more proportionate for organisations. One anticipated goal is to align subject access rights with broader government strategies on balancing individual data rights against legitimate business interests and operational realities. In other words, while individuals will retain strong protection, solicitors’ firms and other organisations should receive clearer statutory guidance on managing requests that appear insincere or purely strategic.
Proposed Adjustments to DSAR Exemptions
A key provision expected in the Bill is a revised definition or a more detailed explanation of requests that can be characterised as “vexatious.” In litigation contexts, certain DSARs can be used for “fishing expeditions,” seeking to uncover broader evidence than permitted via standard disclosure. It is not uncommon for a disgruntled party to deploy successive DSARs as a pressure tactic, in the hope of overwhelming a solicitor’s resources or exposing internal documents unrelated to the main dispute.
Under current rules, organisations may decline or charge a fee for requests that are “manifestly unfounded or excessive.” The proposed Bill, however, may replace or supplement this language with a clearer “vexatious or excessive” criterion. If enacted, solicitors’ firms could rely on more explicit legislative wording to push back against insincere or abusive requests. The Bill might also introduce factors to be considered when judging whether a DSAR is vexatious, such as the request’s purpose, frequency, and whether it contains duplicated elements intended to harass rather than to inform.
Implications for Solicitors’ Firms
(a) Administrative Efficiency and Compliance
Law firms face a dual challenge in DSAR compliance: first, identifying personal data within large volumes of case files and communications; second, reviewing that material to ensure no legally privileged or third-party information is inadvertently disclosed. The Bill may introduce new flexibility or clearer exclusions for privileged documents, enhancing efficiency. For example, more robust legislative language could confirm that legal professional privilege overrides the requirement to disclose certain records, thereby streamlining a firm’s redaction and review process. The current legislation does go some way towards acknowledging privilege: the DPA 2018 has gone further than earlier legislation by including, at paragraph 19(b) of Schedule 2, provisions relating to “information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser”. Regrettably, this is not always sufficient to stem the abuse of vexatious DSARs. It is hoped that the new legislation will make this much clearer.
Nevertheless, even with improvements, solicitors will remain under tight deadlines to respond to DSARs—ordinarily within one month, extendable by a further two months for complex cases. Practices must maintain robust workflows and internal policies to ensure prompt compliance. Technological tools, such as e-discovery software and advanced data management systems, may see a surge in adoption to help handle these requests more seamlessly.
(b) Risk Mitigation
Law firms also risk reputational damage or regulatory fines if they fail to respond appropriately. Although the Bill may grant firmer footing to reject vexatious requests, it will likely also reinforce the obligation to justify that stance. If a firm decides a DSAR is vexatious and declines to comply, the new legislation may require it to document how the decision was reached. Consequently, solicitors must be prepared to record in detail the evidence behind that refusal in case a complaint or legal challenge follows.
Additionally, there is an expectation that data protection regulators – such as the Information Commissioner’s Office (ICO) – will be monitoring how law firms interpret these new standards. This can lead to heightened scrutiny of refusals, especially in high-stakes or publicised litigation.
(c) Impact on Client Relations
For solicitors, building strong client relationships involves managing expectations about data and privacy obligations. Clients involved in contentious matters might see DSARs as a strategy to gain an advantage over opposing parties or to extend discovery beyond typical disclosure rules. Firms may need to adjust their client advice protocols, discouraging or cautioning against overly aggressive or frivolous use of DSARs that might rebound against the client’s interests.
Conversely, in representing clients targeted by vexatious DSARs from the other side, solicitors must be prepared to defend the organisation’s legitimate interests. The Bill may facilitate stronger arguments when resisting spurious requests or demonstrating that the request serves no genuine data protection purpose.
It is hoped that clearer legislative language in the Data (Use and Access) Bill will reduce such manipulations. If the bar for refusing requests based on vexatiousness is lowered – or at least becomes more precise – law firms can focus resources where needed, rather than engaging in document reviews that add little real value.
Benefits for Solicitors’ Firms
The proposed reforms have the potential to transform how solicitors’ firms manage DSARs, particularly in contentious scenarios. Key benefits include:
(a) Reduced Administrative Burden
Vexatious DSARs often require significant time and resources to assess, process, and respond to. By enabling firms to reject or limit such requests more easily, the Bill could free up valuable resources, allowing solicitors to focus on their core legal work.
For example, a firm dealing with a DSAR that demands extensive email correspondence over several years could argue that the request is excessive or vexatious, particularly if it overlaps with ongoing litigation where disclosure rules already apply.
(b) Greater Certainty in Handling Requests
The clearer definitions of “vexatious” and “excessive” requests provide a more robust basis for decision-making. Firms can develop standardised policies and procedures for handling DSARs, reducing the risk of disputes and ensuring consistent compliance.
(c) Protection Against Tactical Abuse
The Bill’s emphasis on curbing vexatious requests is particularly relevant in litigation, where DSARs are often used as a strategic tool. By allowing firms to push back against such tactics, the legislation helps maintain the focus on substantive legal issues rather than procedural distractions.
(d) Safeguarding Legal Privilege
The explicit recognition of legal professional privilege and litigation exemptions strengthens solicitors’ ability to withhold sensitive information. This protection is critical in maintaining client confidentiality and ensuring fair litigation processes.
(e) Cost Savings
By reducing the time and resources required to handle DSARs, the Bill could result in significant cost savings for firms. This is particularly beneficial for smaller practices, where resources are often stretched thin.
Conclusion: Preparing for Change
Whilst details of the Data (Use and Access) Bill may evolve as it passes through Parliament, one theme is consistent: legislators are seeking a more balanced approach that upholds individuals’ fundamental right to understand and access their data while mitigating the administrative strain and potential misuse that DSARs can impose on organisations, including solicitors’ firms.
Law firms should begin preparing by revisiting their existing data protection policies and workflows. Staff training programmes may need updating to reflect new definitions of vexatious or excessive requests, as well as any additional guidance on timelines and privileges. Proactive investment in document management technology could minimise disruptions when responding to DSARs. Perhaps most importantly, firms will have to maintain clear, comprehensive records of how they handle and assess each DSAR to defend any refusal.
Ultimately, the Bill’s changes to DSAR obligations should be viewed as an evolution rather than a departure: subject access rights will remain a fundamental part of UK data protection law, but solicitors can expect more clarity—and potentially more leeway—when confronting requests that appear vexatious in the context of ongoing disputes. By staying abreast of legislative developments, strengthening internal processes, and advising clients judiciously about the proper (and improper) uses of DSARs, UK law firms will be well-positioned to thrive under the new regime.