Stop Doing “All-Systems Searches”: How Public Bodies Can Build Defensible, Proportionate DSAR Scoping
“All-systems search” used to sound safe.
In 2025, under the Data (Use and Access) Act (DUAA) and updated ICO expectations, it is increasingly a red flag — over-broad, under-documented, and often indefensible when challenged.
Public-sector organisations face mounting DSAR pressure, but searching every system “just in case” doesn’t reduce risk. It amplifies it.
Why “All-Systems Searches” Create More Risk (Not Less)
DUAA amends UK GDPR to confirm that controllers must carry out reasonable and proportionate searches — not exhaustive, organisation-wide trawls.
“All-systems” searches now undermine compliance because they:
Create legal risk
If you cannot explain why you searched what you searched — and why you didn’t search other systems — you cannot evidence proportionality. This is a major weakness during ICO complaints or litigation.
Increase operational exposure
Exporting data from email archives, legacy EHRs, VLEs, case systems, shared drives, and chat tools inflates the review set. This slows responses and increases the likelihood of missing statutory deadlines.
Drive redaction failures
More data = more noise = more risk.
Organisations repeatedly see:
- accidental disclosure of third-party data
- over-redaction of the requester’s own information
- metadata exposure
The ICO is now extremely attentive to redaction practices.
Fuel burnout and backlogs
Universities, NHS bodies, and councils are already stretched thin. “Search everything” culture creates unnecessary work that exhausts staff and expands queues rather than clearing them.
Searching more does not mean finding more.
It means risking more.
What DUAA and the ICO Expect Instead
DUAA puts proportionality on statutory footing. Controllers may limit searches where additional effort would be disproportionate — provided they can justify the decision and keep a clear record.
ICO guidance reinforces:
- DSARs must be recognised across all intake channels
- Clarification (“stop-the-clock”) must be used appropriately, not excessively
- Controllers must maintain logs showing which systems were searched and why
- Poor records management or under-resourcing is not a lawful excuse
- Redaction must be accurate, consistent and supported by QA
- Complaint-handling must be timely and fully documented
The regulator wants evidence-based decision-making — not maximalist searching.
Public-sector DSAR leads must shift from “search everything” to scoped, defensible, documented.
What “Reasonable and Proportionate” Looks Like in Real Cases
Proportionate searches are not about doing less — they are about doing the right searches, for the right reasons, and recording your rationale.
Targeted systems and timeframes
Limit searches to systems that plausibly contain relevant data.
Thoughtful search techniques
Use:
- Names
- Known aliases or nicknames
- IDs
- Event-specific terms
- Concept-based search strings
This is especially crucial in unstructured data (emails, Teams, shared drives).
Evidence of clarification
Where a DSAR is broad or unclear, clarification should be sought early and documented.
Well-reasoned exclusions
If a system is excluded, the reason must be recorded — relevance, disproportionality, technical limitations, or absence of data for that individual.
Sector Examples (Integrated, Not Sectioned)
Universities
An exam-appeal DSAR should focus on:
- Student records
- Exam board minutes
- VLE logs
- Emails and Teams chats for relevant academics
Not entire school-wide email archives or every legacy learning system.
NHS bodies
A DSAR for a single clinical episode should concentrate on:
- EPR
- Relevant department-specific systems
- MDT communications
- Incident or complaint records
Not every Trust-wide Teams channel or all imaging systems unrelated to the episode.
Local authorities
A social care DSAR should include:
- Case management
- Safeguarding
- Social worker communications
Not council-wide HR systems, parking records, or unrelated housing platforms unless relevant.
Why Public Bodies Fall into the “All-Systems” Trap
Cultural over-correction
After past ICO criticism, some organisations respond by swinging to the opposite extreme: search everything, always.
System sprawl and silos
DSAR teams often cannot see which systems hold what data, so they default to asking every department to “check everything just in case.”
Backlog panic
Under pressure to clear DSAR queues, organisations expand search scope rather than refine it — making the workload worse.
The result is predictable: delays, mistakes, staff burnout, and increasing ICO attention.
Building a Defensible DSAR Scoping Model
A sustainable DSAR model needs structure, documentation, and discipline.
1. System mapping
Create a DSAR-specific data map.
Not an enterprise architecture diagram — a practical index showing:
- Which systems hold personal data
- Who owns them
- How data flows
- Where unstructured content accumulates
This is the foundation of defensible scoping.
2. Context-based scoping
Every DSAR should begin with:
- Who is asking
- What their relationship was
- What issue they reference
- Which period is relevant
- Which identifiers exist
Context reduces unnecessary system searches and prevents misalignment.
3. Documenting inclusions and exclusions
For every DSAR, record:
- Systems included → with reasons
- Systems excluded → with reasons (irrelevance, disproportionality, absence of data)
This documentation now matters as much as the search itself.
4. Applying proportionality under DUAA
Consider:
- Marginal value — how likely is new, unique personal data?
- Burden — does retrieving data impose extreme cost or manual effort?
- Sensitivity — safeguarding, disciplinary, and clinical cases may justify broader search.
DUAA does not lower the bar; it makes the reasoning more important.
5. Targeted custodian selection
Search the people who were actually involved.
Not entire departments or all historic participants.
6. Concept-based search strings
Use DSAR-specific search terms tied to the context — module codes, ward names, case numbers, team identifiers, project titles.
Avoid broad surname-only searches.
7. Clarification and communication
Explain your proportionality approach in plain language.
Document all clarification exchanges.
Use DUAA’s stop-the-clock provisions responsibly.
8. Documentation and audit trails
A defensible DSAR file includes:
- Intake and scope notes
- Search terms and systems
- Excluded systems with rationale
- Proportionality assessments
- Custodian lists
- QA logs
- Exemption decisions
- Complaint handling history
If it’s not documented, regulators treat it as not done.
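The eight steps above describe one procedure: map the systems, capture the request context, decide inclusions and exclusions with recorded reasons, apply the DUAA proportionality factors, and build search terms that are tied to the context rather than a surname. The following is an added example of that procedure as code; it is not the article's own method and not DSAR.ai's product. The data map, the university exam-appeal request, the identifiers, the effort and sensitivity categories and the exclusion-reason wording are all constructed for illustration and are assumptions, not anything the article or the regulator prescribes.

```python
"""Defensible DSAR scoping record (added example; constructed data throughout)."""
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional
import json


@dataclass(frozen=True)
class SystemEntry:
    """One row of the DSAR-specific data map (step 1)."""
    name: str
    owner: str
    data_categories: frozenset    # kinds of data held, e.g. {"academic", "hr"}
    populations: frozenset        # who the system holds data about
    retrieval_effort: str         # assumed scale: "low" | "medium" | "high"
    active_from: date
    active_to: Optional[date] = None   # None means the system is still live


@dataclass(frozen=True)
class DsarContext:
    """The context captured at intake (step 2)."""
    requester: str
    relationship: str             # e.g. "student"
    issue_categories: frozenset   # data categories linked to the issue raised
    period: tuple                 # (start, end) dates the request concerns
    identifiers: dict             # context-specific IDs and terms, not just a surname
    sensitivity: str = "standard" # assumed scale: "standard" | "high"


def in_use_during(system: SystemEntry, start: date, end: date) -> bool:
    """True if the system held data at any point in the requested period."""
    system_end = system.active_to or date.max
    return system.active_from <= end and system_end >= start


def assess(system: SystemEntry, ctx: DsarContext):
    """Decide include/exclude for one system and give the reason (steps 3 and 4).
    Checks run in order: absence of data, irrelevance, then proportionality."""
    if ctx.relationship not in system.populations:
        return False, f"absence of data: {system.name} holds no data about {ctx.relationship}s"
    start, end = ctx.period
    if not in_use_during(system, start, end):
        return False, f"absence of data: {system.name} was not in use between {start} and {end}"
    relevant = system.data_categories & ctx.issue_categories
    if not relevant:
        return False, f"irrelevance: {system.name} holds no data category linked to the issue"
    # Proportionality (DUAA): a high-burden system is excluded for a standard request,
    # but a high-sensitivity case (safeguarding, clinical, disciplinary) justifies it.
    if system.retrieval_effort == "high" and ctx.sensitivity != "high":
        return False, f"disproportionate: {system.name} needs high retrieval effort for a standard-sensitivity request"
    return True, f"relevant: holds {sorted(relevant)} data about {ctx.relationship}s in the period"


def build_search_terms(ctx: DsarContext) -> list:
    """Context-tied search terms (step 6): full name plus every captured identifier."""
    terms = [ctx.requester]
    for value in ctx.identifiers.values():
        terms.extend(value if isinstance(value, list) else [value])
    return terms


def scope_request(ctx: DsarContext, data_map) -> dict:
    """Produce the scoping record that goes on the DSAR file (step 8)."""
    included, excluded = {}, {}
    for system in data_map:
        ok, reason = assess(system, ctx)
        (included if ok else excluded)[system.name] = {"owner": system.owner, "reason": reason}
    return {
        "requester": ctx.requester,
        "relationship": ctx.relationship,
        "period": [str(d) for d in ctx.period],
        "sensitivity": ctx.sensitivity,
        "search_terms": build_search_terms(ctx),
        "included": included,
        "excluded": excluded,
    }


# Constructed data map for a hypothetical university.
DATA_MAP = [
    SystemEntry("student_records", "Registry", frozenset({"academic"}), frozenset({"student"}), "low", date(2018, 1, 1)),
    SystemEntry("exam_board_minutes", "Faculty office", frozenset({"academic"}), frozenset({"student", "staff"}), "low", date(2018, 1, 1)),
    SystemEntry("vle_logs", "IT", frozenset({"academic"}), frozenset({"student", "staff"}), "medium", date(2020, 9, 1)),
    SystemEntry("staff_email", "IT", frozenset({"academic", "hr"}), frozenset({"student", "staff"}), "medium", date(2015, 1, 1)),
    SystemEntry("email_archive_backups", "IT", frozenset({"academic", "hr"}), frozenset({"student", "staff"}), "high", date(2015, 1, 1)),
    SystemEntry("legacy_vle", "IT", frozenset({"academic"}), frozenset({"student", "staff"}), "high", date(2012, 1, 1), date(2020, 8, 31)),
    SystemEntry("hr_system", "HR", frozenset({"hr"}), frozenset({"staff"}), "low", date(2015, 1, 1)),
    SystemEntry("parking_permits", "Estates", frozenset({"estates"}), frozenset({"student", "staff"}), "low", date(2015, 1, 1)),
]

# Constructed exam-appeal request; name and identifiers are placeholders.
EXAM_APPEAL = DsarContext(
    requester="Jane Example",
    relationship="student",
    issue_categories=frozenset({"academic"}),
    period=(date(2024, 9, 1), date(2025, 6, 30)),
    identifiers={"student_id": "S-0000000", "module_codes": ["CS201", "CS305"], "appeal_ref": "APL-0000"},
)
# Same request treated as high sensitivity, to show the proportionality factor flipping.
HIGH_SENSITIVITY_APPEAL = replace(EXAM_APPEAL, sensitivity="high")

if __name__ == "__main__":
    print(json.dumps(scope_request(EXAM_APPEAL, DATA_MAP), indent=2))
```

Run as written, the record includes the four systems the article names for an exam appeal (student records, exam board minutes, VLE logs, staff email and chat), and excludes the rest with a distinct recorded reason for each: the HR system because it holds no student data, the parking system as irrelevant to the issue, the retired VLE because it was not in use in the period, and the backup archive as disproportionate. Re-running the same request with `HIGH_SENSITIVITY_APPEAL` brings the backup archive into scope, which is the point the article makes about safeguarding, disciplinary and clinical cases. The reasons are written to the record at decision time, so the exclusion rationale exists before anyone asks for it.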
The Payoff: Less Risk, Less Burnout, Faster DSARs
Public bodies adopting proportionate scoping consistently report:
- Lower redaction risk
- Faster turnaround times
- Smaller review sets
- Fewer DSAR complaints
- Greater consistency across cases
- Significantly reduced staff burnout
DUAA doesn’t require organisations to do more; it requires them to do better, with clearer reasoning and less unnecessary effort.
If your team is overwhelmed or your DSAR risk is rising, DSAR.ai provides the structure, automation and defensibility modern public bodies now require.
Book a demo and see how proportionate, scalable DSAR handling actually works.
020 8004 8625