A recent High Court decision, Ashley v HMRC, can help controllers understand their obligations when information is scattered across multiple platforms and in different formats.

We’ve looked at how to design for DSARs, whether to resist a DSAR, searching staff devices and systems, DSAR obligations beyond data, and the traps of AI transcription.

The next challenge is understanding how DSAR responses work in a multi-channel world. Whether it’s Teams, Slack, CCTV, audio calls and recordings, databases, mixed media, or even piles of paper, personal data may be scattered in various formats across a range of platforms, leaving controllers to make difficult decisions about what’s in and what’s out.

Reasonable and proportionate search

The starting point is to understand how far the search needs to extend in the first place. When a controller receives a data subject access request, the starting point is that they must make “reasonable and proportionate” efforts to retrieve the requested information. What does this mean in practice?

According to the UK’s Information Commissioner’s Office (ICO), whether searches are reasonable or proportionate depends on the circumstances of the request, any difficulties in finding the information, and the fundamental nature of the right of access. This does not mean a controller can say no because the search “feels” disproportionate to them; the key test is whether the search is disproportionate to the importance of providing access. Essentially, the more important the information, the harder you have to look. 

The burden of proof is on the controller to justify why a search is unreasonable or disproportionate, so decisions should be carefully logged to reduce compliance risk.

In practice

What constitutes a reasonable and proportionate search will depend on the specific media type to be searched. 

Emails

The search should cover the “deleted items” folder as these emails are equally in scope.

Instant messaging or social media platforms such as Teams/LinkedIn

Any personal data processed for business purposes or on behalf of an employer, including on platforms such as Teams or relevant pages of sites such as LinkedIn, are potentially within scope of the DSAR. Therefore, such platforms and sites must be searched. More information about how this works can be found in our article DSARs at work: when is personal data private?

CCTV

• footage of an individual is their personal data and is therefore within scope of a DSAR;
• the ICO cautions that when installing CCTV, controllers should ensure they choose a system that facilitates retrieval and extraction of personal data and redaction of third-party images.

Audio/call recordings

Audio recordings, most commonly created as a result of call recordings, will often fall within the scope of what is proportionate and reasonable to search.

Archive or back-up records

• there is no DSAR “technology” exemption for archived or back-up data;
• however, the ICO acknowledges that search functions on archive or back-up systems may not be as effective as those on ‘live’ systems, and advises controllers to “use the same effort to find information to respond to a SAR as you would to find archived or backed-up data for your own purposes”.

After the search: what to disclose? 

Mixed data 

• if the requester’s personal data is completely mixed up with someone else’s in a way which cannot be redacted (such as an HR file about an employee that also contains identifying information about their manager) then a controller must only disclose the mixed personal data if they have the other individual’s consent to do so, or if it is reasonable to disclose it without their consent;
• deciding whether disclosure is reasonable in the absence of consent involves balancing the right of access against the rights of the other person involved. The ICO provides guidance on doing this; for example where the requester already knows the information, it is more likely to be reasonable to disclose it.

Emails

• an entire email is not someone’s personal data just because they received or were copied into it. Broadly, only information “relating to” them is personal data and within a DSAR. A recent High Court case has approved the ICO’s approach to this, which can be summed up as: is the information about them, or about something else entirely?
• the right of access only applies to the personal data of the requester, so other protected content such as confidential business information or other people’s personal data may need to be redacted.

Audio/call recordings

• where a controller makes audio recordings, the controller can disclose any personal data in the form of transcripts of the relevant conversations or by providing an actual copy of the recording, or parts of it;
• it is reasonable to supply a transcript if it exists, but the ICO does not expect controllers to create new information to respond to a DSAR;
• if transcriptions are automatically generated, these will potentially increase the DSAR footprint substantially – for more information, see Is AI transcription a DSAR time-bomb?

CCTV

If a CCTV system does not have redaction functionality, and redaction is required, the ICO suggests stills of the footage should instead be disclosed with any required redactions.

Contextual information

• Controllers are expected to give additional information to aid understanding if necessary. However, this is not intended to be unduly onerous: so controllers are not expected to translate information.
• As the High Court just confirmed, providing mere “snippets” of information (such as initials or a name with no context) in a DSAR response may not suffice if additional information is essential for the requester to assess the lawfulness of processing or to exercise their rights – transparency is the key.

And piles of paper?

At least in the private sector, DSAR rules cover digital information, and non-digital information which is in a current or intended “filing system”. So paper records and microfiches which are either stored in some searchable way, or awaiting more formal storage, may be within DSAR rules. Notepads containing random unstructured scribbles, probably not.

In Europe, the Italian regulator has ruled that even a single stray piece of paper may be covered by the GDPR. While confident controllers may take a pragmatic view, there’s no incentive to leave hard copies lying around in the hope that they will escape scrutiny.