If your school has never dealt with a Data Subject Access Request (often referred to as a DSAR or SAR) before, and you are not sure where you would start if you received one, do not fear. We asked Claire Archibald, one of our Data Protection Officers for some no-nonsense, jargon-free advice to get you thinking about some of the key issues.
What are Subject Access Requests?
Under the UK GDPR, individuals have a right of access to their own personal data. The legislation states that data subjects have the right to receive a copy of the personal data an organisation holds about them, and that this information must be provided within one calendar month of the request.
When might a school receive a SAR?
Schools most commonly receive a SAR following a difficult process in school that a data subject is unhappy about, whether that is a pupil incident such as an exclusion, or a decision relating to special educational needs or safeguarding. Don’t forget that in a school it is not just pupils and their parents who are data subjects; your staff and trustees/governors are data subjects too. We are increasingly seeing SARs from aggrieved employees, and these can be quite complex.
How would I recognise a SAR?
Requests can be made in any format, to any member of staff, so it’s really important to make sure all staff know that if someone makes a request, even verbally or via a social media post, they must pass it on to the person at school who is responsible for managing requests. Training staff is vital.
SARs can be as wide ranging as “I want a copy of everything you have about me” or as narrow as “I want information relating to my sickness records for the last 3 months”. They don’t need to refer to the relevant legislation to be valid; in fact, lots of the requests we see mistakenly refer to the wrong legislation.
You only need to respond to the request with the information that you actually hold; you don’t need to create information if you don’t hold it in recorded form. So if a data subject wants notes of a meeting, but you didn’t take any notes, then you don’t need to write them up for the purpose of the request.
Who can make a SAR?
SARs can be made by any person about whom you hold personal data. In schools, you have to be particularly aware of the issues around parents/carers making SARs about their children’s data. Before responding to a SAR for information held about a child, you should consider whether the child is mature enough to understand their rights.
If the request is from a parent, but you consider the child to be competent to exercise their rights themselves, then you may need to obtain the child’s consent to the release of the information, or release the information to the child instead of their parent(s). If the request is from a child and you are confident that the child can understand their rights, you should usually respond directly to the child.
In Scotland, a child aged 12 or over is presumed to be mature enough, but in England, Wales and Northern Ireland there is no such presumption; each request has to be considered individually. It is complicated, and you will need to work with pastoral and safeguarding staff to decide how to proceed, particularly in secondary schools.
I’ve just received my first SAR- what should I do?
Don’t panic! The first time a school receives a SAR it can feel quite alarming. As a DPO my first role is usually to calm staff down, especially if it is the first time they have received such a request. Your DPO should help you manage the SAR process.
Firstly, I would recommend writing back to the requestor, confirming that you have received the request, the legislation that you will be applying to the request (for my clients this is the Data Protection Act 2018), and when you anticipate being able to fulfil the request. You may also need to agree with the requestor how you will send them the data (paper or electronic) and the right address to send it to.
If you need to check ID, clarify the request, or invite the requestor to narrow the scope of their request (perhaps if you have hundreds of records but think they may only be interested in certain types of records, e.g. information about their special educational needs but not information about their school uniform orders) then you can do so. However, you should continue to search for the personal data and prepare your documentation whilst you wait for a response from the data subject. Only if you genuinely cannot progress the search without this information/clarification can you ‘stop the clock’.
You should keep track of the date you received the request. The UK GDPR states that requests must generally be responded to within one calendar month. All SARs should be recorded on a central log.
One calendar month is very short! What can I do?
Firstly, it is important to note that there are no special rules for schools: even if a request is received during a school holiday, the one calendar month rule still applies. So you need to be prepared to start working on a request immediately; do not delay.
Response times for requests that are complex can be extended by a further two calendar months. Reasons for complexity can be varied and there is no set list of what makes a request complex. The UK’s regulator, the Information Commissioner’s Office (ICO), has produced some useful guidance on SARs, including information about what might make a request complex. Your Data Protection Officer should refer to that guidance to help them manage the whole process, as well as to work out whether a request is complex.
If you consider a request to be complex then you need to tell the requestor that and tell them the revised date for response. If I need to do this, I make sure to tell the requestor that we will still do our best to deal with their request as quickly as possible.
I’m really worried about releasing some documents, I don’t want the requestor to read them…
You don’t have to release everything, and there are some important “exemptions” that apply to SARs. These may mean that you can withhold documents in their entirety, or partially redact them. The exemptions are set out in the Data Protection Act 2018 (mainly in Schedules 2 to 4). You may need your Data Protection Officer to help you work out which exemptions apply and what to withhold or redact from a SAR release.
If you do withhold or redact documents, you should keep an internal note of your reason for doing so; have this ready if you are later challenged regarding your reasoning. It can be REALLY difficult to decide whether a document should be withheld/redacted- your Data Protection Officer should be able to help with this.
When you release the SAR response, you also need to give the supplementary information required by Article 15 of the UK GDPR, such as the purposes of the processing, the categories of personal data involved, who the data is shared with, how long it is kept and the data subject’s other rights. This information should already be in your Privacy Notice, so you may decide to include a copy of, or a link to, the relevant Privacy Notice.
There are some records that don’t cast us in a good light, can I leave them out?
You can’t withhold personal data just because you feel embarrassed about, or regret, the ‘tone’ of any written records. As the saying goes (often attributed to Mark Twain): “Dance like nobody’s watching; love like you’ve never been hurt. Sing like nobody’s listening; live like it’s heaven on earth.” But also: “Text and email like a judge is reading it.” Make sure your staff know that written communications should be professional and factual, and that they may one day be read by the data subject! If you do discover records that you wish had never been recorded, do not hit the delete button or pop papers in the shredder: altering, destroying or concealing records to prevent their disclosure in response to a request is a criminal offence under section 173 of the Data Protection Act 2018, and you could end up with a criminal record.
I’m concerned about students requesting information relating to exam assessments, it’s a big issue for us this year due to the Coronavirus pandemic…
This is an important exemption for schools. It allows data to be withheld/redacted where it is personal data consisting of information recorded by candidates during an exam.
The exemption is not limited to written exams. It includes any academic, professional or other assessment that teachers use to determine a candidate’s knowledge, skill or ability, or to make an assessment of their performance. This is really important, particularly during the Covid pandemic, where exam grades are being decided by teachers in schools using a variety of evidence.
The exemption means that candidates are not entitled to receive copies of information they recorded themselves during an exam or assessment. This includes their answers to exam questions and their own written work and assessments.
This exemption does not cover other information relevant to a student’s grade (such as teacher assessments and related comments). If a student requests this information before the final results are announced, the exemption allows for longer response times:
Wow! SARs sound like a lot of work! What can I do to prepare for a SAR?
It is inevitable that every organisation will receive a SAR at some point, as people become more aware of their information rights. Please don’t wait until a SAR is received to start thinking about how you would respond. The best thing schools can do is to consider how they manage personal records for their pupils and staff, so that if a request is made you are able to collate the information quickly.
Good records management is essential: make sure every member of staff knows where to store records and how long they should be retained for. If you have deleted personal data in line with your Retention Policy, that makes a SAR response significantly easier. If you should have deleted data but haven’t got around to it, then you will still need to provide it to the requestor.
Managing emails and other communication systems
The most difficult aspect of SARs in many cases is searching through emails and other messaging services. It is also where many ‘unprofessional’ communications happen, which can embarrass an organisation that is forced to reveal them in a SAR.
Remember that your email system is designed to be a postbox, not a filing system in itself, so encourage staff to save emails in an appropriate filing system (e.g. paper, SharePoint or a folder on your server), to keep communications professional, and to make sure your Retention Policy covers the retention and deletion of emails. Items in the deleted folder of an email system are not truly deleted and are still searchable in the event of a SAR, so ask your IT support team for help with the retention and management of email account content.
Ensure that more informal methods of communication (that staff WhatsApp group, for example) are used appropriately: you should not have a mix of formal communications about work-related issues and personal communications. Ensure staff who may communicate directly with pupils and parents through email, or through systems such as Class Dojo, do so in an appropriate and professional way.