Sarah Briscall, commercial solicitor at Shulmans LLP, provides an update on how schools should respond to subject access requests
A subject access request (SAR) is a request made by an individual, or another individual on their behalf, for details of the personal data held about them by an organisation, and the purposes for which it is being processed.
As data controllers, education providers are likely to process significant amounts of personal data in relation to students and staff – such as health records, payroll data and CCTV footage of the school grounds.
There is no set format for making a SAR and, no matter the reason, or how it is made, the request must be dealt with in line with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018). If a request is made by a parent or guardian on behalf of their child it is worth considering whether the request should come directly from the child or whether the child’s consent is needed in order for you to respond.
Changes to legislation and exemptions
Under the new legislation a SAR must be dealt with without undue delay and, in any event, within one month of receipt (not the 40 days allowed under the old regime). Whilst organisations could previously charge a nominal fee of £10 for providing a response, they can no longer demand this sum; a reasonable fee may only be charged, or the request refused, where it is manifestly unfounded or excessive. Where a request is particularly complex, or involves a large number of documents, there is the option of extending the deadline by up to a further two months. However, the data subject must be told of the extension, and the reasons for it, within the original month, and the extension should only be relied upon in exceptional circumstances – not as a result of manageable delays such as school holidays or not seeking legal advice in reasonable time.
Once the organisation has established that it is responsible for processing personal data concerning the subject, detailed searches of all electronic systems and hard copy files need to be carried out. This must also include information compiled and sent to third parties, for example, as part of a relationship with a local authority.
There are exemptions to disclosing personal data within the GDPR and DPA 2018; these cover issues such as third-party confidentiality, and potential harm to third parties or to the data subject themselves. When it is decided to not disclose personal data this should be clearly signposted, with reference to the thought process and the legal exemption relied upon.
Preparing a response
In order to provide a comprehensive and compliant response to a SAR, it is vital to consider:
- the scope of the searches undertaken;
- the search terms used;
- the date ranges; and
- the data locations – such as emails, HR records and other online systems in which searches were, or are, to be carried out.
The response should confirm:
- the purpose of data processing;
- the categories of personal data concerned;
- the recipients to whom the personal data has been, or will be, disclosed; and
- the envisaged period for which data will be held.
The SAR response must also explain to the recipient:
- their right to request rectification or erasure of their personal data, or a restriction on its processing;
- their right to lodge a complaint with a supervisory authority;
- the source of any data not collected directly from the data subject; and
- the existence and details of any automated decision-making based on the data.