Are you prepared to manage subject access requests (SAR)? How many SARs have you received since May 25 when the Data Protection Act 2018 (DPA) – and the incorporated General Data Protection Regulation (GDPR) – came into play?
Chris Cook, partner and head of employment and data protection at SA Law, examines your legal obligations as a school, and provides advice on how you can ensure that you are compliant and protected in the case of a claim.
Under the Data Protection Act 2018 (DPA) – which now incorporates the General Data Protection Regulation (GDPR) – adults, children have the right to access their data. Alternatively, an adult with parental responsibility may seek to exercise any of their child’s rights under the DPA on their behalf.
From a school’s perspective a key concern is where pupils – or parents on their behalf – exercise the right to access data in problematic circumstances. For example, where a pupil has been expelled on potentially discriminatory grounds, the data obtained as a result of a subject access request (SAR) might later be used against the school.
Subject access requests
The Equality Act 2010 (EqA) states that the responsible body of a school is prohibited from discriminating against or victimising a pupil on the grounds of a protected characteristic by excluding the pupil from the school. In circumstances where a pupil is expelled, this might spur outrage either from the pupil themselves and/or their parents, encouraging them to make a SAR – particularly as employers can no longer charge a fee for a SAR in most circumstances since May 2018.
The Information Commissioner’s Office’s (ICO) guidance regarding SARs states that, if you are confident that a child can understand their rights, you should usually respond directly to the child. However, you may allow the parent to exercise the child’s rights on their behalf if the child authorises this, or if it is evident that this is in the best interests of the child.
The safety of the ‘paper trail’
It might be tempting for schools to avoid keeping a paper trail of sensitive information about pupils, for fear of repercussions if a discrimination claim is brought against them and potentially incriminating information is disclosed to their detriment. However, it is generally in a school’s interest to record as much information as is reasonably possible – not only as part of its regulatory obligations but also to provide evidence to help defend any claim which might be submitted against the school.
Under the DPA, in order for personal data to be adequate, relevant and limited to what is necessary for the purposes for which it is processed, the period for which the personal data is stored needs to be limited to a strict minimum. However, the ICO has considered that this does not rule out keeping information to protect against legal risk. Indeed, safeguarding information must be retained for a significantly longer period of time than other types of personal data on pupils.
Just and equitable archives
As there is the possibility that pupil records could be relevant to a future claim, schools will need to retain pupil records for a sufficient amount of time. Discrimination claims in an education context must be brought within six months of the date of the act complained of, or any other period that the County Court or sheriff thinks ‘just and equitable’; therefore, the school’s retention periods for pupil records should take into account this limitation period.
Inevitably, there will be a range of retention periods depending on the type of personal data the school retains. Further, schools will then need to embark on a culling process to make sure that the data retained is brought into line with the new retention periods.
The ICO does not necessarily expect schools immediately to be compliant in that regard, although they must be able to demonstrate that they are actively taking steps to manage their data within a reasonable period of time so as to be compliant with their pupil data retention periods.
Schools should bear in mind the importance of responding to SARs without delay and at the latest within one month of receipt, as required by the DPA. Failure to comply with the DPA could have very serious consequences, including the possibility of hefty fines, the maximum level of which has significantly increased since the DPA came into effect in May 2018.