We have a DSAR from an employee. She has requested a search for emails relating to her. One of her requests was to search by her initials, which just so happen to be MS. There is a habit in our place of calling Teams "MS Teams". So the result of the search is 10,000 emails plus.
At what point can we say this particular search is excessive?
In terms of resources it is just myself!
Thanks in advance
When can you say a DSAR email search is excessive?
Simon
Primarily when multiple requests are made within a short period of time and/or overlapping. The ICO’s guidance sets out that excessive is unlikely to cover a request for a large amount of information. You could search by email addresses that the person is likely to have emailed/received emails from, or email addresses from individuals who are likely to have emailed about her.
It’s worth using (or working with those with access) some of O365’s tools which can help narrow it down.
https://docs.microsoft.com/en-us/compliance/regulatory/gdpr-manage-gdpr-data-subject-requests-with-the-dsr-case-tool
In the past I’ve used Adobe to compile emails into PDFs so that I can sift through the information more easily.
Stephen Lark
Your case is far from unique. Imagine the case where the initials were IT, or the same as the company's name, e.g. MS Automotive, when a search would bring up every single email.
From a DSAR perspective the volume of data is not relevant.
You can request a time extension.
The skill is getting the right search. Depending on the search capability you may have to do it one search at a time – hopefully you can use multiple strings.
Here is what I would do:
Her full name
Her surname (as long as it was unique) – dedupe it
Her email – dedupe it
Then search MS and dedupe against the results above
You are now left with all emails containing MS that do not contain her name, surname or email.
Then filter out those that also contain keywords/strings such as ‘MS Teams’.
Hopefully that should eliminate the false positives and give you a manageable number of emails.
Also don’t forget the work is not completed until you have redacted other PII from the collected emails before you send to her!
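The search-and-dedupe steps listed in the post above, as an added Python example (not the poster's code and not an Outlook or O365 feature). The name, address and messages are constructed placeholders, and the example goes one step beyond the post: a message is only treated as a false positive when the initials appear nowhere outside the ‘MS Teams’ phrase, so an email that mentions both the person and the product is kept.

```python
import re

# Constructed sample data: the name, address and messages are placeholders.
FULL_NAME, SURNAME, EMAIL, INITIALS = "Mary Smith", "Smith", "mary.smith@example.com", "MS"
NOISE_PHRASES = ["MS Teams"]  # known phrases that contain the initials

MAILBOX = [
    ("m1", "Mary Smith has asked for leave next week."),
    ("m2", "Please forward the report to mary.smith@example.com"),
    ("m3", "Join the call on MS Teams at 10am."),
    ("m4", "MS was late again today, can we discuss?"),
    ("m5", "Spoke to MS about this on MS Teams yesterday."),
    ("m6", "The new comms policy is attached."),
    ("m1", "Mary Smith has asked for leave next week."),  # second copy of m1
]

def has_term(text, term):
    """Whole-term, case-insensitive match, so 'MS' does not hit 'comms'."""
    return re.search(r"(?<!\w)" + re.escape(term) + r"(?!\w)", text, re.I) is not None

def triage(mailbox):
    """Bucket message ids: named hits, initials-only hits, noise-phrase-only hits."""
    buckets = {"named": [], "initials": [], "false_positive": []}
    seen = set()
    for msg_id, text in mailbox:
        if msg_id in seen:  # dedupe: each message is classified once
            continue
        seen.add(msg_id)
        # Steps 1-3: full name, surname or email address.
        if any(has_term(text, t) for t in (FULL_NAME, SURNAME, EMAIL)):
            buckets["named"].append(msg_id)
        # Step 4: initials, only for messages not already captured above.
        elif has_term(text, INITIALS):
            stripped = text
            for phrase in NOISE_PHRASES:  # blank out the noise phrase, then re-check
                stripped = re.sub(re.escape(phrase), " ", stripped, flags=re.I)
            key = "initials" if has_term(stripped, INITIALS) else "false_positive"
            buckets[key].append(msg_id)
    return buckets

if __name__ == "__main__":
    for bucket, ids in triage(MAILBOX).items():
        print(bucket, ids)
```

The "named" and "initials" buckets together are the set that still needs review and redaction; "false_positive" holds messages whose only match was the noise phrase.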
Andrea
Whilst I agree that volume alone will not determine whether the request is excessive, you should also bear in mind that the courts also look at a ‘reasonable and proportionate test’.
Barry Moult
I had a request that turned out 17k emails. I went back to the requestor and asked if there are certain people who emails went to or from that might be of interest. It dropped the number down to less than 400.
Dean
Hi there.
From the information that the ICO provides, a SAR isn’t automatically excessive based on the volume of information, which is what Stephen Lark & @AndrewBrenton have highlighted.
It might be worth letting the individual know that due to the volume of data, you may need to extend the response time past the normal one-month timeframe.
Also worth bearing in mind that whilst we can’t ask an individual to narrow the scope of the request, with the aim of reducing the amount of work we have to do, the ICO do advise that we can go back to the individual and ask them to clarify what it is they are looking for, which is about trying to help the individual, rather than reducing time/resource expended by the organisation.
Of course, this may have already been done, but, depending on the state of the relationship, you could ask the individual to clarify; the individual might appreciate the intention to understand what they are after.
Stephen Lark
Excellent response – spot on and well written.
If you are running o365 on web, you can use the compliance centre to do very powerful search refinements. I have just done a SAR that returned 200,000 emails, with 88,500 emails going back to the requestor. As someone said earlier, the ‘excessive’ part is not about volumes, it is about the number of repetitive requests made.
Yorkie82
The practical question: depending on the program you use, have you tried to narrow your search criteria for better searches?
E.g. in Outlook you can do “MS” NOT “MS Teams”
Items containing MS, along with all variations will show, but not MS Teams.
Other products and programmes also have much better narrowing capabilities.
Otherwise, if you have established who is actually using initials to refer to a person, you can reasonably narrow the search to these teams or people.