Addressed to: [log in to unmask]
              [log in to unmask]

** Reply to note from [log in to unmask]         Sat, 3 May 2003 18:59:45 +0100


You'll get two views on this.

1. It applies to anything gthe controller does want to give you :-\ or can't be
bothered to look for;

2. everything should be given irrespective.

> > In any case, the "disproportionate effort" clause does not apply to the
> > question of whether or not information should be supplied, only to the way
> > in which the permanent copy of the information is provided.

Right.  But then the controller would like to extend it to more than the quantity of
paper or similar needed to provide hard copy.

>
> Can anyone shed more light on the whole issue of "disproportionate
> effort"?
>
> I've seen several places claim that they will not provide certain
> information at all, using this exemption:
>
> The University of Bristol, for example, claims on its Data Protection
> page (http://www.bris.ac.uk/Depts/Secretary/subaccess.htm) that:
> "The University's policy is that to supply deleted emails as part of
> a subject access request amounts to disproportionate effort, and will
> only be done in exceptional circumstances or as required by law."

Hmmm, they say they will not supply them and then that they will supply them.

I have argued the line that restoring  data from back up tapes at best is
difficult and in this example it can be a wild goose chase.  If the controller
has a rough idea of when  the information is likely to have existed then
disproportionate effort _probably_ cannot be claimed.

1. Backup Tapes may be recycled too quickly (eg. every 14 days or 28 or ...)
so tapes from the period you want may not exist anyway.

2. Tapes cannot be searched (I mean they can be searched for filenames but
not for the content of those files) so the data would have to be restored at a
different location and searched there.

3. if the data are supposed to be in a db system it is even worse.

If the SAR was specific enough, eg. covering a particular time then restoring
and searching could not be seen as disproportionate.

In the case of universities, say ours (Bristol is bigger) we are talking 3000 PCs,
and numerous servers which could have email. Even if backups existed (our
backups are for disaster recovery) there is no guarantee an email would have
been backed up at all as it may have been taken off the server onto the client
machine or might have been deleted before the nightly backup run.

>
> This seems to be in line with the Compliance Advice on "Subject access
> to personal data contained in e-mails."
> "To summarise, the Commissioner's approach is that where e-mails are
>         held on live systems and can be located, she will seek to enforce
>         subject access if this has been denied. Where data are held elsewhere,
>         the Commissioner will weigh the interests of the data subject against
>         the effort that the controller would have to take to recover the data
>         and in many instances may be likely to decide not to take action."

Live systems there is no excuse.  Searching live servers (even if they have
loads of undeleted emails) is easy.  If you asked an organisation to search
also ALL 3000 pcs (my example) the answer (from me ... but I am demobed
now) would be no.  If you identified some persons etc then disproportionate
effort cannot be claimed.

On data held elsewhere (eg. back ups) you will have a dispute to be
resolved,. as the text you quoted says.  On the one hand they are accessible
records (since the end of the first Transitional Period) on the other hand it could
be too difficult to produce.

Look at the commissioner's web site for DPA98.pdf (Legal Guidance)  It has a
couple of paras on disproportionate effort.

Basically the narrower (time span) the request the least likely the controller
will be able to claim disproportionate effort for looking for past emails.

Wait for the specialists ;-) to check their mail and tell me they disagree with me
:-)
 Charles


==============================================
Charles Christacopoulos, Management Information Officer,
Planning & Information, University of Dundee, Dundee, DD1 4HN,
Scotland, United Kingdom. Tel: 44(0)1382-344891. Fax: 44(0)1382-201604.
http://www.somis.dundee.ac.uk/

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
       All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
      If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
  (all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^