DSARS: WHAT COUNTS AS A REASONABLE AND PROPORTIONATE SEARCH?
We’ve all been there – the dreaded “I’d like to see all the data you hold about me” from a disgruntled former employee. The Data Use and Access Act 2025 is the first statutory footing confirming that employers need only carry out “reasonable” and “proportionate” searches. But what does that mean in practical terms when you get that vague request?
Attempt to narrow the search with your subject
Requests are usually made for one of two reasons: to cause a pain point, or as a fishing expedition. For the latter, data subjects are much more likely to receive what they are looking for if they can help you by identifying what they are after.
Identify your own parameters
More often than not, we know that co-operation isn’t on the cards. If your subject won’t narrow their request, then the ICO recognises that a subject is unlikely to receive a copy of “all” their information. It will be down to the employer to identify sensible parameters which is most likely to lead to the relevant information. Context is key. If you receive the request alongside the grievance, that grievance can be a helpful means of suggesting key terms or parameters – such as a relevant date range, the likely custodians, particular key words.
In doing so, remember that data protection expects transparency. Let your subject know how you intend to carry out the request.
Consider ways to look for relevant personal data effectively.
Does the subject already have access to documents?
If the subject can access their documents or emails (for example, a current employee accessing their payslips) then there is no need to provide access to them again in the context of a request. We can just point them to the means of accessing that information.
Is the data even going to be about them?
Focus on searching where personal data appears in the content of emails rather than as one of the addressees – really driving that search towards content that is substantively “about” the subject (and as a result, is actually their personal data). Being copied to an email does not mean the email is about that person.
Check out false hits
In your attempts to genuinely find data, keep your distance from those red herring terms that aren’t aiding your search. If its leading to false hits (like someone else with a similar name) then try keyword searches and cross-referencing to find those most relevant items.
Need support?
We offer tailored DSAR support, from ad hoc advice to full-service response management. Get in touch to discuss how we can help streamline your DSAR processes.
