Matheson’s technology and IP law blog

Scoping Data Subject Access Requests

October, 2013


We have seen a substantial increase in the number of data subject access requests that our clients are receiving.  If you are not familiar with such requests, they represent the exercise of a key right under the Data Protection Acts which is for an individual to ask a data controller what personal data the controller holds about the individual and to obtain a copy of that data.

Data access requests are usually submitted in the broadest terms by individuals asking for a copy of all of their personal data that the controller holds.  Individuals are entitled to ask for this, but it can make searching for what is truly ‘personal data’ a lengthy and costly exercise.  It can also generate a very significant volume of documents (think emails in their thousands, particularly, for example, if the individual making the request is a past-employee).  It is fair to question whether that was the intention of the legislation when it enumerated the right, bearing in mind that the amount of personal data generated by and about people has grown exponentially since the era in which the legislation granting the right of access was drawn up (some 20 years ago).

Requests for information can of course be narrowed by agreement with the individual submitting the request.  That may not always be practical, naturally enough, and it should be kept in mind that the Data Protection Acts state that a controller must comply with the obligation to provide copies of documents containing personal data unless their supply “would involve disproportionate effort”.  This provision is very narrowly construed by the Office of the Data Protection Commissioner and should by no means be viewed as ‘get-out-of-jail card’ or be relied on as a way out of committing appropriate effort to searching for personal data and providing it.  However, it does present the possibility of taking a responsible, reasonable and pragmatic approach to searches and the supply of documentation that is within the spirit of the legislation and balancing that against what may be a request for data which, if complied with to the letter, would require excessive resource, time and cost commitment on the part of the data controller.  If you feel that this will be relevant to a data subject access request that you receive, you will need to be able to back this up, so be sure to keep a detailed record of the searches performed, the results of those searches and the resources and costs involved, as well as the equivalent of each if the request were strictly followed.