In more detail
- What efforts should we make to find information?
- What about electronic records that aren’t easily available?
- What about archived information and back-up records?
- What about deleted information?
- What about information contained in emails?
- What about information stored in different locations?
- What about information stored on personal computer equipment?
- What about other records?
- What about personal data in big datasets?
- Can we amend or delete data following receipt of a SAR?
The GDPR places a high expectation on you to provide information in response to a SAR. You should make reasonable efforts to find and retrieve the requested information. However, you are not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information. To determine whether searches may be unreasonable or disproportionate, you must consider:
- the circumstances of the request;
- any difficulties involved in finding the information; and
- the fundamental nature of the right of access.
The burden of proof is on you to be able to justify why a search is unreasonable or disproportionate.
Even where searching for certain information may be unreasonable or disproportionate, you must still search for any other information within the scope of a request. You should also consider whether further information from the individual will help you find the information they have requested. Please see the previous section for more information about clarifying a request.
You should ensure that your information management systems are well-designed and maintained, so you can efficiently locate and extract requested information and, where necessary, redact third-party data. For more information please see ‘What about our information management systems?’.
In most cases, you can easily find and retrieve information stored in electronic form. However, as it is very difficult to truly erase all electronic records, you may hold data that you do not have ready access to and that requires technical expertise to retrieve.
You are likely to have removed information from your ‘live’ systems in a number of different ways, by:
- archiving it to storage;
- copying it to back-up files; or
- deleting it.
Each of these is discussed in further detail below.
You may archive or back up information for a number of reasons. For instance, under Article 32 you must be able to restore availability and access to personal data in the event of an incident. Please read our guidance on security for more information.
The process of accessing electronically archived or backed-up data may be more complicated than the process of accessing ‘live’ data. However, there is no ‘technology exemption’ from the right of access. You should have procedures in place to find and retrieve personal data that you have electronically archived or backed-up.
Search mechanisms for electronic archive and back-up systems might not be as sophisticated as those for ‘live’ systems. However, you should use the same effort to find information to respond to a SAR as you would to find archived or backed-up data for your own purposes.
Remember that you cannot retain information indefinitely, just because you might find a use for it in the future. It may be more difficult for you to comply with a SAR if you have kept information longer than you need it. You should have defined retention periods setting out how long you keep archived or backed-up data. Please read our guidance on storage limitation for more information.
Information is ‘deleted’ when you try to permanently discard it and you have no intention of ever trying to access it again. The ICO’s view is that, if you delete personal data you hold in electronic form by removing it (as far as possible) from your computer systems, the fact that expensive technical expertise might enable you to recreate it does not mean you must go to such efforts to respond to a SAR.
The ICO will not seek to take enforcement action against an organisation that has failed to use extreme measures to recreate previously ‘deleted’ personal data held in electronic form. We do not require you to use time and effort reconstituting information that you have deleted as part of your general records management.
For more information please see our guidance on deleting personal data.
The contents of emails you store on your computer systems are a form of electronic record to which the general principles above apply. For the avoidance of doubt, you should not regard the contents of an email as deleted merely because a user has moved it to their ‘Deleted items’ folder.
It may be particularly difficult to find information related to a SAR if it is contained in archived emails that you have removed from your ‘live’ systems. Nevertheless, the right of access is not limited to personal data that is easy for you to provide. You may, of course, ask the requester to give you some context that would help you find what they want, if you process a large amount of information about them.
It can sometimes be difficult to determine whether an email contains an individual’s personal data. This depends on the contents of the email, the context of the information it contains, and what it is being used for. Ultimately it is for you to determine whether any of the information in the email is the individual’s personal data. However, you should remember:
- The right of access only applies to the individual’s personal data contained in the email. This means you may need to disclose some or all of the email to comply with the SAR.
- Just because the contents of the email are about a business matter, this does not mean that it is not the individual’s personal data. This depends on the content of the email and whether it relates to the individual.
- Just because the individual receives the email does not mean that the whole content of the email is their personal data. Again, the context of the information and what it is being used for are key to deciding this. However, their name and email address are their personal data and you should disclose this information to them.
An employee makes a SAR for all of the information you hold about them. During your search for their personal data, you find 2000 emails which the employee is copied into as a recipient. Other than their name and email address, the content of the emails does not relate to the employee or contain the employee’s personal data.
You do not have to provide the employee with a copy of each email (with the personal information of third parties redacted). Since the only personal data which relates to them is their name and email address, it is sufficient to advise them that you identified their name and email address on 2000 emails and disclose to them the name contained on those emails, eg John Smith, and the email address contained on those emails, eg JohnSmith@org.co.uk. Alternatively you could provide one email with other details redacted as a sample of the 2000 emails you hold. You should also clearly explain to the individual why this is the only information they are entitled to under the GDPR, but remember to provide them with supplementary information concerning the processing, eg retention periods for the emails.
However, if any of the content within the email relates to the individual, you should provide them with a copy of the email itself, redacted if necessary.
For further information on this, see our guidance on ‘What is personal data?’.
The right of access applies irrespective of whether the personal data you process is stored in one location or in many different locations. Consolidating disparate data stores may assist you, not just for subject access but in other ways. However, whether this is appropriate for you depends on your circumstances.
You are only obliged to provide personal data in response to a SAR if you are a controller for that data. In most cases, therefore, you do not have to supply personal data if someone else is storing it on their computer systems rather than your own (the exception being where that person is a processor). However, this may not be the case if the requester’s personal data is stored on equipment belonging to your staff (such as smartphones or home computers) or in private email accounts or private instant messaging applications.
It is good practice to have a policy restricting the circumstances in which staff may hold information about customers, contacts or other employees on their own devices, in private email accounts or on private instant messaging applications. Some organisations enable staff to access their systems remotely (eg via a secure website), but most are likely to prohibit the holding of personal data on equipment the organisation does not control. Nevertheless, if you do permit staff to hold personal data on their own devices, they may be processing that data on your behalf, in which case it is within scope if you receive a SAR. The purpose for which you hold the information, and its context, is likely to be relevant. We do not expect you to instruct staff to search their private emails, personal devices or private instant messaging applications in response to a SAR, unless you have a good reason to believe they are holding relevant personal data.
If you hold information about the requester in non-electronic form (eg in paper files or on microfiche records), you need to decide whether it is covered by the right of access. You need to make a similar decision if you have removed electronic records from your live systems and archived them in non-electronic form.
Whether the information in hard-copy records is personal data accessible via the right of access depends primarily on whether the non-electronic records are held in a ‘filing system’. This is because the GDPR does not cover information which is not, or is not intended to be, part of a ‘filing system’.
‘Filing system’ means any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
However, under the DPA 2018, personal data held in unstructured manual records processed by public authorities is covered by the right of access. This includes paper records that are not held as part of a filing system. Therefore, public authorities may have to search this information to comply with SARs. For more information about this please see ‘Unstructured manual records’.
The volume and variety of big data, coupled with the complexity of data analytics, could make it more difficult for you to meet your obligations under the right of access. However, these are not classed as exemptions, and are not excuses for you to disregard these obligations.
Similarly, if you process data from a range of data sources, including unstructured data, this can pose difficulties when producing all of the data you hold on one individual. This can be further complicated if you make use of observed data or inferred data - data that an individual does not provide to you directly. For example, if you generate insights about an individual's behaviour based on their use of your service, where this data is identified or identifiable (directly or indirectly) then it is personal data and subject to the right of access.
In these situations it is even more important that you practise good data management, not just for facilitating the right of access but also because of the GDPR's legal requirements on accountability and documentation. You need to have:
- adequate metadata;
- the ability to query your data to find all the information you have on an individual; and
- knowledge of whether the data you process has been truly anonymised, or whether it can still be linked to an individual.
It is our view that a SAR relates to the data you held at the time you received the request. However, in many cases, routine use of the data may result in it being amended or even deleted while you are dealing with the request. So it is reasonable for you to supply the information you hold when you respond, even if this is different to what you held when you received the request.
However, it is not acceptable to amend or delete the data if you would not otherwise have done so. Under the DPA 2018, it is an offence to make any amendment with the intention of preventing its disclosure.