Organisations should ensure that the data they hold about individuals is searchable so that they can meet their obligations under the Data Protection Act, the Information Commissioner’s Office has said.
Under the DPA, individuals can request all the data that an organisation holds about them, known as a subject access request, as long as it does not involve ‘disproportionate effort’ to retrieve.
In a recent guidance document, the ICO clarified that organisations should be able to search any live (i.e. non-archived) data in case they are served with a subject access request.
"A data controller should have in place procedures for searching for any records on its ‘live’ computer system containing personal data about the data subject," it said.
Data controllers should also take ‘reasonable’ steps to search archived data. "The data controller should also take reasonable steps to search archived records. Where archived records are held on the data controller’s network such searching is unlikely to be significantly more problematic than a search of the ‘live’ system."
The ICO also clarified that the "disproportionate effort" clause does not mean organisations can turn down subject access requests without trying to locate the subject’s data.
"Data controllers are obliged to make extensive efforts to locate personal data relevant to a subject access request," it said.
However, "having made such efforts, a data controller is not obliged to leave no stone unturned".
In its most recent annual report, the ICO revealed that subject access requests were the cause of 28% of the complaints that it received relating to the DPA – more than any other cause.
An investigation by Which? Money last year found that 272 complaints to the ICO about subject access requests sent to the UK’s eight major banks in 2010 were valid.
Under the UK’s Data Protection Act, data subjects have the right to request all the data an organisation holds about them in one go, and companies can respond in paper form.
However, the EU’s proposed data protection reforms include a clause that would allow data subjects to request specific records and in electronic form.
“To further strengthen the control over their own data and their right of access, data subjects should have the right…to obtain a copy of the data concerning them also in commonly used electronic format,” the reforms, subject to European parliamentary approval, propose.
Meanwhile, the UK government has developed a voluntary scheme, called midata, in which organisations grant individuals greater access to their data. Organisations that have signed up to the scheme include British Gas, MasterCard and RBS.