The 2025 Standard: What “Reasonable & Proportionate” DSAR Searches Really Look Like
In 2025, “reasonable and proportionate” is more than a line in ICO guidance — it’s now a legal expectation shaped by the Data (Use and Access) Act 2025 and reinforced in updated ICO Right of Access guidance.
For organisations handling DSARs, this marks a real shift.
The requirement is no longer “search widely.”
It’s search intelligently and be able to justify every decision.
1. What Has Actually Changed?
Three big shifts define the 2025 DSAR search standard:
a. The phrase is now statutory.
DUAA 2025 places “reasonable and proportionate” into law, meaning organisations must demonstrate it, not merely aspire to it.
b. Justification matters more than volume.
You don’t get credit for searching everything — only for searching the right places and being clear about your reasoning.
c. Exclusions must be defendable.
Avoiding searches because they are time-consuming, messy, or difficult is no longer acceptable without a solid, contextual explanation.
2. The Three Questions Every DSAR Search Must Answer
a. Where is the personal data genuinely likely to be?
This is the foundation of proportionality.
If a DSAR relates to a staff grievance, for example, personal data is almost certainly sitting in:
- HRIS
- The line manager’s mailbox
- HR’s Teams channels
- Investigation notes
But likely not in systems used by unrelated teams or departments.
Similarly, a university disciplinary DSAR will almost always involve:
- The student records system
- The case management system
- The email accounts of panel members
- Shared folders used in the disciplinary process
What 2025 doesn’t require is dredging through every academic mailbox on campus or exploring systems with no logical connection to the incident.
The emphasis is on relevance, not reach.
b. How deep should the search go based on the scenario?
Depth is dictated by impact.
Where the consequences for the individual are serious — such as clinical care concerns, exclusion decisions, or redundancy outcomes — the search must naturally be more thorough.
A negligence-related DSAR in the NHS, for instance, will almost always require searching:
- Core EPR systems
- Specialty systems tied to the episode of care
- Governance and incident systems
- Emails where the patient was discussed
Meanwhile, a DSAR asking for a copy of a contract typically demands far less:
a narrow search of HRIS or payroll, and that’s it.
The 2025 test is simple:
Search deeply where it matters deeply.
Search practically when the request is low-impact.
c. Can the search approach withstand scrutiny?
This is the heart of the proportionality test.
If the ICO asked tomorrow “Why did you search these systems and not those?”, could your DSAR file tell a coherent story?
A defensible record includes:
- Which systems were searched
- Who performed each search
- The keywords, filters, and time periods used
- Systems excluded, with clear reasoning
- How clarification influenced scope
For instance, if a local authority receives a DSAR about social care involvement, excluding the social care case management system must be justified — and is almost never acceptable.
But excluding long-archived legacy backups can be proportionate if you can clearly explain why they are unlikely to contain relevant data.
The regulator wants to see thought, structure, and evidence — not guesswork.
3. What a Reasonable & Proportionate Search Looks Like
A DSAR search that meets the 2025 benchmark feels like this in practice:
- The request arrives, and intake captures the context — for example, a workplace harassment allegation or a parent–school dispute.
- The team maps out the systems clearly linked to that context: HRIS, complaint logs, the manager’s mailbox, or safeguarding records.
- Related channels where decisions were made — like a Teams thread or a SharePoint folder — are included because they contain commentary, drafts, and decision notes.
- Systems with no logical connection are left out — not because the search is “too big,” but because there is no realistic likelihood of relevant personal data.
- Search terms are tied to the incident: names, dates, case numbers, project titles, or clinical episode identifiers.
- Every search step is logged.
- If a request is so broad it covers years of unrelated records, the team pauses the clock, asks for clarification, and documents how the clarified scope shaped the search.
4. The Red Flags
Organisations fall short when they:
- Apply blanket rules like “we never search emails” or “we never search Teams.”
- Assume volume alone makes a search disproportionate.
- Rely on chaotic filing systems as a justification for excluding repositories.
- Search only one system even when the DSAR clearly spans multiple.
- Skip governance systems (in healthcare), panel communications (in universities), or case folders (in councils).
- Label broad requests “manifestly excessive” without a clear burden–benefit analysis.
The ICO expects DSAR teams to be forensic — not fearful.
5. What a Good 2025 DSAR Search File Contains
A defensible DSAR record includes:
- Intake and context
- Clarification (if used)
- Systems included and why
- Systems excluded and why
- Search terms and dates
- Notes on proportionality
- Decisions on exemptions and redactions
- Final review and sign-off
Good documentation isn’t just a compliance requirement — it’s your strongest protection if a DSAR becomes contentious.
The 2025 Bottom Line
A “reasonable and proportionate” DSAR search is no longer about searching everything.
It’s about searching purposefully — guided by where the data actually lives, how important it is to the individual, and whether your approach can stand up to scrutiny.
When done right, it protects:
- The requester’s right of access
- The organisation’s time and resources
- The DSAR team’s ability to justify its decisions with confidence
Staying compliant under the 2025 DSAR rules doesn’t have to be complex.