After a few years where data protection laws in the United Kingdom were settled, the Data (Use and Access) Act 2025 (DUAA) is ushering in a period of change.
For those of you who have only just recovered from the GDPR, the news that data protection laws are changing again may not be entirely welcome.
The good news is that many of the changes DUAA is bringing in are intended to make your life easier, rather than introducing complex new obligations and – while some things are changing – much remains the same.
This series of blogs from the IT & data team at Mills & Reeve aims to help you understand the impact that DUAA will have on established ways of doing things.
If you need a reminder about the meaning of some of the key data protection terminology used (eg personal data, data subject, data controller, processing), please refer to Mills & Reeve's glossary.
This first blog in the series considers one of the few changes which has already started to apply.
Subject access requests: How hard must you try to find the information requested?
DUAA has inserted the below into the UK GDPR at Article 15 (1A):
“the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search…”
What constitutes a ‘reasonable and proportionate search’? Surely it’s somewhat in the eye of the beholder? When I'm leaving the house in the morning, my wife and I sometimes disagree whether I've carried out a reasonable and proportionate search before asking her to help find my keys. She's been known to question how thorough a search I've done before calling for her assistance (why didn’t I look on the hook? In my trouser pockets, work bag or the front door?) I'm usually reluctantly compelled to conclude that my wife is right and that my searches have fallen short of the appropriate standard.
Anyone who is responding to a DSAR would do well to take a leaf out of my wife’s book. The “What efforts should we make to find information” section of the current ICO guidance says that:
“The UK GDPR places a high expectation on you to provide information in response to a SAR... However, you are not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information… The burden of proof is on you to be able to justify why a search is unreasonable or disproportionate.”
This guidance is not new, it was in place before DUAA came into force and is expressed in a similar manner to the new wording in UK GDPR Article 15 (1A). That being so, has anything really changed? Not really, it would seem. There's still plenty of room for disagreement between the data subjects making DSARs and the data controllers responsible for responding to them, about what counts as a reasonable and proportionate search.
From time to time, the courts will be asked to intervene and rule on whether a data controller has tried hard enough to find the information requested (the recent case of Ashley v HMRC was an interesting example of this, where HMRC was told that limiting its search for information about Sports Direct founder Mike Ashley to one department within the organisation fell short of the reasonable and proportionate standard). It may be that the courts find new shades of meaning in the updated UK GDPR, but in our view it's more likely that they will continue to apply established precedents in this area.
Comment
We’ll return to the subject of SARs later in the series, watch this space…
Please get in touch if you'd like to discuss any of the issues raised by this article (unless it’s about what constitutes a reasonable and proportionate search for your keys!).
Our content explained
Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.