Out-Law News | 30 Mar 2012 | 9:22 am | 2 min. read
The UK's data protection watchdog issued the guidance (11-page / 264KB PDF) in a document explaining the lengths that organisations are obliged to go to under the Data Protection Act (DPA) in order to provide a copy of the personal data they hold about individuals to those people when they request it.
Under the Data Protection Act (DPA) an organisation in control of an individual's personal data is generally required to send that person a copy of that data "in an intelligible form" if that person has made a written request for the information and paid any fees chargeable to do so. The maximum that can be charged is £10. However, the organisation is not obliged to comply with this requirement if "the supply of such a copy is not possible or would involve disproportionate effort". The organisation is obliged to try and comply with the individual's request in another way though, the ICO said.
An organisation cannot refuse to comply with the individual's 'subject access request' on the basis that locating the information sought in the first place would require a 'disproportionate effort'.
"It is now common practice for data controllers to be required to search through both manual and electronic records (including emails) when responding to subject access requests," the ICO said in its guidance. "A data controller should have in place procedures for searching for any records on its ‘live’ computer system containing personal data about the data subject."
The ICO said data controllers are obliged to search for records stored on "stand-alone" as well as network computers and that "reasonable steps" must also be taken to look for personal data stored in archive systems.
"Where archived records are held on the data controller’s network such searching is unlikely to be significantly more problematic than a search of the ‘live’ system," the ICO said.
Data controllers that regularly archive data should have a "clear policy" on how that information can be searched and retrieved, the watchdog said. It said that organisations cannot delete personal data in order to avoid disclosing the information and that data controllers may still have to provide information to individuals that ask for it even if it has been deleted.
"Where electronically-held data has been deleted from the network (and from individual user’s archived files) it is likely to be extremely difficult (but maybe technically still possible) for the data controller to reconstitute data in order to provide a copy to the data subject," the ICO said.
"The Commissioner does not require a data controller to reconstitute data deleted in accordance with the data controller’s retention and deletion policies in order to respond to a subject access request. However, it is important to remember that, even where it would not be reasonable for the data controller to seek to retrieve and reconstitute deleted data, it may still be able to provide some information to the data subject in response to his request," it said.
"Being able to produce copies of established retention policies, or providing an account of the practices followed by the controller in previous cases, may assist a data controller in persuading the Commissioner that it has deleted data in accordance with its regular deletion arrangements and has not deleted data with the intention of preventing the disclosure of the data," the ICO said.