Subject access requests are on the rise and you'll likely find one made in almost every dispute situation, from employment issues to parents unhappy with the school.
Subject access requests can be time consuming and expensive, not just in finding and collecting the material but also in the review and redaction process. Fortunately, the Data (Use and Access) Act 2025 codified the common law approach to 'reasonable and proportionate searches'. The Act says that 'the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data.'
The Act only covered 'the search'. But what about reviewing the data, applying the exemptions and make redactions? That can take a great deal of time and be very expensive. Can an organisation argue that the review and redaction process is also unreasonable and disproportionate?
Yes it can.
I refer you to the High Court, King's Bench, decision of Ashley v HMRC from January 2025 (https://www.judiciary.uk/wp-content/uploads/2025/01/Ashley-v-HMRC.pdf).
In this decision, the court stated:
I have summarised the legal principles identified in Dawson-Damer at para 125 above. As Arden LJ (as she then was) indicated, the question of whether disproportionate effort is involved in responding to a subject access request is not limited to a consideration of the time spent in searching documentation for the data subject's personal data; it may also encompass difficulties which occur in the process of complying with the request.
It appears to be that this would include, for example, time
spent addressing whether exemptions applied to any of the personal
data identified and addressing the extent to which the data should
be redacted.
The question is an objective one, judged by reference to the
fact-sensitive circumstances of the case.
However, if the controller made a cogent and reasoned assessment at the time that a particular search was disproportionate, then that is likely to support the proposition that undertaking the additional steps would have been unreasonable.
Following this reasoning, it could be argued that a controller would have to find the search to be unreasonable and disproportionate in order to further argue that the review/redaction process is unreasonable and disproportionate. However, the court went on to apply Dawson-Damer and said:
In Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74, [2017] 1 WLR 3255 ("Dawson-Damer") the Court of Appeal found that the defendant solicitor's firm had not shown that complying with the subject access request would involve "disproportionate effort" in the circumstances (para 23). Both parties accepted that the guidance provided by the Court of Appeal in this case was applicable to the response of the controller that is required under the UK GDPR.
Giving the leading judgment Arden LJ (as she then was) made the following points:
i) It falls to the data controller to show that the supply
of a copy of the information would involve disproportionate effort
(para 75);
ii) Difficulties that would render the effort disproportionate
are not limited to those that arise in the process of producing a
copy of the document, "but include difficulties which occur in
the process of complying with the Request" (para
76);
iii) It was a question for evaluation in each case as to
whether disproportionate effort would be involved in finding and
supplying the information as against the benefit that it might
bring to the data subject (para 77); and
iv) As shown by the recitals to the Directive, there are
substantial public policy reasons for giving people control over
data maintained about them, meaning that, so far as possible,
subject access requests should be enforced. Data controllers can be
expected to know of their obligations and to have designed their
systems accordingly, to enable them to make most searches for
subject access request purposes (para 79).
Based upon the case law, it's my view that a controller could successfully argue that the process of review and redaction of subject access material could amount to an unreasonable and disproportionate effort. If the search is unreasonable and disproportionate, then it follows that the review and redaction of the search material would be the same. That one is pretty straightforward.
However, I would also argue that, based upon Dawson-Damer, the review/redaction process can be unreasonable and disproportionate in and of itself, independent of the search. For example, it may not take too long for IT to find all of the emails, but it would be unreasonable and disproportionate for someone like me to review and redact 50,000 emails.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
