Best Practice Update

Searching for data when you receive a Subject Access Request

We are often asked for advice on where to search for information and data when you receive an information request. The ICO has published a checklist with guidance.
It's important to locate all information you have when responding to an information request. To comply with legislation, you should conduct reasonable searches.

Consider what systems you have and where you hold information, as your request will be much easier to handle if you know where your data is.

Before you start the search, check you have a clear understanding of the parameters of the search and what is in the scope of the request.   You might need to ask colleagues to conduct searches.  Everyone should have a clear timeframe of when you need the information.

Conducting Searches Checklist:

  • Check your retention schedule  - you should only be keeping data for as long as it is necessary.  Some data may be in an archive and might need to be included in your search.  Review our Retention Schedule and Records Management Best Practice Area.
  • You may need to use a number of search terms, i.e. different words or phrases relevant to the request, when searching digital content.  The ICO advises that you could also consider using software, including AI, to help you with the search.  We would advise that you carry out due diligence on any third-party products you might use for this, given you are searching for personal data.
  • Search archives and storage areas.  This might need to include personal archives.  You might also need to include backups of digital data.
  • Include searching your organisation's public facing website, especially if you are working on an FOI.
  • Search your organisation's intranet, internal website and network - ensure you have enough access rights to do this.  You may need IT support to help with this.  This might include shared files.  IT support can search personal cloud files such as OneDrive.
  • Search relevant computer systems that store your organisation's data, such as an HR system.
  • Search physical paper folders and files.
  • Search correspondence, both physical and electronic - this might include online messages (e.g. Teams), text messages, WhatsApp messages, letters and emails.  IT support can search everyone's email mailbox.

Ways to reduce future searches:

Ensure you have a good retention schedule and it is applied to all areas in the organisation, including email.

Avoid saving personal information about other people in your mailbox.  Once an 'incident' is moved to the relevant system, e.g. employee information moved to the HR system, then all conversations should be deleted from your email.

IT should ensure that sent and deleted emails are regularly deleted (not archived) for the whole organisation.

Further help and advice can be found in our Subject Access Requests Best Practice Area.

ICO guidance can be viewed here: Finding and preparing information
