InfoLawUpdate - The Problems with Unstructured Data
Burnetts' information law solicitor Natalie Ruane discusses subject access requests.
One of the main rights for individuals under both European Data Protection Law and UK Data Protection Law is to be able to access their personal data by making a “subject access request”.
While that sounds straightforward, it can be difficult to comply with in practice. Data Controllers have had to cope with the growth of unstructured electronic data such as emails. Responding to requests from individuals for “all the personal data held” about them which includes unstructured data can be very difficult.
There are a number of reasons why complying with such a request can be difficult:
Volume. Lots of unstructured data sets can be huge. Large organisations are likely to have hundreds of millions of emails. Searching across such a large data set presents a lot of logistical challenges. This is aggravated by the fact that this data is likely to be stored in a number of different formats such as back-ups, live in-boxes and archived data. Recovering backed-up or archived data can be costly.
Lack of Indexation. Another current problem is the difficulty of identifying information about a particular individual. Individuals in unstructured data sets can be referred to in a number of ambiguous and different ways e.g. Mrs M Brown could be referred to as Mrs Brown, Mrs M Brown or Maureen. Locating and extracting information about a particular individual can be a lengthy and costly process.
Mixture of Information. Often unstructured data contains a mixture of different types of information. Emails might contain information about a number of different topics or about a number of different individuals. This again adds to the difficulty of responding to subject access requests, as you have to manually redact irrelevant information from any documents supplied and, in particular, redact personal data about others.
To combat some of these problems Data Controllers tend to rely on some provisions of the Data Protection Act 1998. For example, the Data Controller can ask for further information necessary to locate the information the individual seeks, or need not provide copies of the personal data if it would involve a disproportionate effort.
This means that it is normally necessary to select search parameters that limit the search. Ideally such search parameters should be agreed with the individual. If they are not, limiting the search may lead to further controversy between the organisation and the individual. Guidance from the Information Commissioner suggests that it is still necessary to use “extensive efforts” to search for personal data. However, it is recognised that it is not necessary to leave no stone unturned. The Guidance also suggests it is necessary to conduct a reasonable search of non-live data, particularly if the individual has provided details of the information they are seeking to locate which they believe to be in archived data.
In the decision in Elliott v Lloyds TSB Bank Plc & Another in 2012, the Bank was able to indicate that it had undertaken a proportionate search, and therefore wasn’t required to conduct further searches, because it had spent around 188 hours searching for the personal data about the individual before further searches became disproportionate.
When faced with a subject access request for “all personal data held about me” from an individual, the temptation may be to say that you couldn’t possibly find all the personal data that is held about them. Instead, you need to consider the guidance about undertaking a proportionate search and using extensive efforts to search for the personal data. The other way to deal with it is to ask for further information necessary to locate the information, or for more details about the information, to try to narrow the search parameters in agreement with the individual.
About the author
Natalie is a Partner and leads the Employment Law & HR team and specialises in education.
Published: Tuesday 23rd September 2014
Categorised: Information Law