Data Protection Act 1998: Guidance for Cabinet Office Staff
Standards and Best Practice Handbook for Government Departments
5. Handling Open-ended Requests
Issue
Section 7(3) of the DPA provides that:
“Where a data controller -
- reasonably requires further information in order to satisfy himself
  as to the identity of the person making a request under this section
  and to locate the information which that person seeks, and
- has informed him of that requirement,
the data controller is not obliged to comply with the request unless he
is supplied with that further information.”
2. If a data controller considers that a person making a request has not
provided sufficient information to enable location of the information
sought, and it is reasonable to require him to provide further information
to help locate it, the data controller must inform the person that he
requires such further reasonable information. He cannot simply ignore the
request.
3. Departments vary on how they respond to the “give me everything you have
on me” open-ended requests for information from data subjects. Some
departments automatically go back to the data subject for a clearer steer
on what is being sought while others search all or selected areas of their
data holdings.
4. The amount of information being released also varies, with some
departments adopting a more open approach than others. There is at times a
difficult balance to be struck between being open, and thereby avoiding
potential criticism, and disclosing something that arguably need not be
disclosed. There is a reference to “disproportionate effort” in section
8(2)(a) of the DPA, but it relates to the method of supplying the
information rather than to the undertaking of a search for information.
Standards
5. Where further information is required before a search can be undertaken,
the data subject should be contacted as soon as possible. It is not good
practice to wait until the prescribed maximum of 40 days has nearly
expired before contacting the data subject.
Recommended best practice
6. Most departments tend to go back to ask a data subject for further
information when faced with an open-ended request. This is the recommended
best practice. The outline of a standard follow-up letter that seeks
further information from the data subject and provides some guidance on the
types of data held by the department is at Annex D. The draft letter should
be modified for use where the data subject making the access request has
some knowledge of the department concerned.
7. Departments should consider making use of the exemption at section 34 of
the DPA in relation to information that is already available in the public
domain by or under any enactment. Seeking further information from a data
subject, where appropriate, should also help to narrow down the search and
compiling process.
Data Protection Handbook [PDF, 710KB]