How do we find and retrieve the relevant information?
This guidance has been updated to reflect changes to the right of access brought about by the Data (Use and Access) Act. Some of these changes are not yet in force. However, we think it is useful for it to be published now so that you are ready for these changes. In particular, they set out that you only have to carry out a reasonable and proportionate search in response to a SAR; and that you can ‘stop the clock’ when asking for clarification on a request.
Latest updates - 08 December 2025
08 December 2025 - the right of access guidance was updated.
In more detail
- What efforts do we need to make to find information?
- What about electronic records that aren’t easily available?
- What about archived information and backup records?
- What about deleted information?
- What about information contained in emails?
- What about information we store in different locations?
- What about information stored on personal computer equipment?
- What about other records?
- What about personal information in big datasets?
- Can we amend or delete information following receipt of a SAR?
What efforts do we need to make to find information?
You must make a reasonable and proportionate search to respond to a SAR. This means that you must make reasonable efforts to find and retrieve the requested information. However, you are not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information. To determine whether searches may be unreasonable or disproportionate, you should consider:
- the circumstances of the request;
- the volume of information you may need to search in order to respond;
- any difficulties involved in finding the information; and
- the fundamental nature of the right of access.
You must be able to show why a search is unreasonable or disproportionate.
Even where searching for certain information may be unreasonable or disproportionate, you should still search for any other information within the scope of a request. You may ask the person for further information to help you find the information they have requested. See Can we clarify the request? for more information.
You should ensure that your information management systems are well designed and maintained, so you can efficiently locate and extract requested information and, where necessary, redact third-party information. For more information, see What about our information management systems?
What about electronic records that aren’t easily available?
In most cases, you can easily find and retrieve information stored in electronic form. However, as it’s very difficult to truly erase all electronic records, you may hold information that you do not have easy access to and that requires technical expertise to retrieve.
You may have removed the required information from your active systems in a number of different ways – for example, by:
- archiving it to storage;
- copying it to backup files; or
- deleting it.
Each of these is discussed in further detail below.
What about archived information and backup records?
You may archive or back up information for various reasons. For instance, you should be able to restore availability and access to personal information in the event of an incident. Read our guidance on security for more information.
The process of accessing electronically archived or backed-up information may be more complicated than the process of accessing ‘live’ information. However, there is no technology exemption from the right of access. You should have procedures in place to find and retrieve personal information that you have electronically archived or backed up.
Search mechanisms for electronic archive and backup systems might not be as sophisticated as those for active systems. However, you should use the same effort to find information to respond to a SAR as you would to find archived or backed-up information for your own purposes.
Remember that you cannot retain information indefinitely, just because you might find a use for it in the future. It may be more difficult for you to comply with a SAR if you have kept information for longer than you need it. You should have defined retention periods for how long you keep archived or backed-up information. Read our guidance on storage limitation for more information.
What about deleted information?
Information is ‘deleted’ when you try to permanently discard it and you have no intention of ever trying to access it again. Our view is that, if you delete personal information you hold in electronic form by removing it (as far as possible) from your computer systems, the fact that expensive technical expertise might enable you to recreate it does not mean you need to go to such efforts to respond to a SAR.
We will not seek to take enforcement action against an organisation that has failed to use extreme measures to recreate previously deleted personal information held in electronic form. We do not require you to use time and effort reconstituting information that you have deleted as part of your general records management.
What about information contained in emails?
It can sometimes be difficult to determine whether an email contains personal information. This depends on the contents of the email, the context of the information it contains, and what it’s being used for. Remember:
- Just because the requester is the recipient of an email does not mean the whole content of the email is their personal information.
- The right of access only applies to the personal information in the email that relates to the person making the SAR. This means you may need to disclose only some of the email to comply with the SAR.
- An email has not been deleted just because a user has moved it to their ‘Deleted items’ folder, as it’s still easily accessible in this location.
- Emails about a business matter may still contain personal information. This depends on the content of the email and whether it relates to the person.
Example
An employee makes a SAR for all the information you hold about them. During your search for their personal information, you find 2,000 emails that they are copied into as a recipient. Other than their name and email address, the content of the emails does not relate to the employee or contain their personal information.
You do not have to provide the employee with a copy of each email. Since the only personal information that relates to them is their name and email address, it is sufficient to:
- advise them that you identified their name and email address on 2,000 emails; and
- disclose to them the name (eg John Smith) and email address (eg [email protected]) contained in those emails.
Alternatively, you could provide one email with other details redacted as a sample of the 2,000 emails you hold. You should also clearly explain to the person why this is the only information they are entitled to under the UK GDPR. Remember, you must also provide them with supplementary information about how you use their personal information (eg retention periods for the emails).
However, if any content within any of the emails relates to the employee, you must provide them with a copy of those particular emails, redacted if necessary.
For further information on this, see our guidance on personal information — what is it?
What about information we store in different locations?
The right of access applies whether the personal information you hold is stored in one location or in many different locations.
It may be helpful to combine all your information stores in different locations into a single information store. This may help you in various ways, including for dealing with SARs. However, whether this is appropriate for you depends on your circumstances.
What about information stored on personal computer equipment?
If you are the controller, you must provide personal information in response to a SAR. In most cases, you do not have to supply personal information if someone else is storing it on their own computer systems (except where that person is your processor or if your staff have stored the requester’s personal information on their personal devices).
It is not usually appropriate for your staff to hold information about customers, contacts or other employees on their personal devices (eg in private email accounts, smartphones, home computers or private instant messaging applications). You should have a policy which makes this clear, particularly as there may be security risks if staff keep information on devices that you do not control.
If you do permit staff to hold personal information on their own devices, they may be holding it on your behalf. This means that this information may be within scope if you receive a SAR. If you have a good reason to think your staff are holding personal information about the requester on their personal devices, you should ask them to search their private emails, devices or instant messaging applications, as appropriate.
What about other records?
Information held in other records can include:
- information held in non-electronic form (eg in paper files or on microfiche records); and
- information that was in an electronic record, but that you have removed from your live systems and archived in non-electronic form.
Whether information in hard-copy records is personal information depends primarily on whether the non-electronic records are held in a ‘filing system’. This is because the UK GDPR does not cover information which is not, or is not intended to be, part of a filing system.
‘Filing system’ means any structured set of personal information which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
However, under the DPA, personal information held in unstructured manual records by public authorities is covered by the right of access. This includes paper records that are not held as part of a filing system. Therefore, public authorities may have to search this information to comply with SARs. For more information about this, see Unstructured manual records.
What about personal information in big datasets?
The volume and variety of big data, combined with the complexity of data analytics, may make it more difficult for you to meet your obligations under the right of access. However, these are not classed as exemptions and are not excuses for you to disregard these obligations.
Similarly, if you process information from a range of information sources, including unstructured information, this can pose difficulties when you need to produce all the information you hold about one person. This can be further complicated if you make use of observed or inferred information (ie information that a person does not provide to you directly). For example, if you generate insights about a person’s behaviour based on their use of your service, where this information is identified or identifiable (directly or indirectly), then it’s personal information and subject to the right of access.
In these situations, it’s even more important that you practise good information management, not just for facilitating the right of access but also to ensure you meet the UK GDPR’s legal requirements on accountability and documentation. You should have:
- adequate metadata;
- the ability to query your information to find all the information you hold about a person; and
- knowledge of whether the information has been truly anonymised, or whether it can still be linked to a person.
Can we amend or delete information following receipt of a SAR?
A SAR is about the information you hold at the time you receive the request. However, in many cases, routine use of the information may result in it being amended or deleted while you are dealing with the request. So, it’s reasonable for you to supply the information you hold when you respond. This may be different from the information you held when you received the request.
However, it’s not acceptable to amend or delete the information if you would not otherwise have done so. Under the DPA, you are committing an offence if you make any amendment to requested information with the intention of preventing its disclosure.