Part 6: Subject Access Requests

This part of the SWGfL GDPR Guidance focusses specifically on Subject Access Requests.

Important GDPR Definitions

The following definitions are used throughout the GDPR, and throughout the SWGfL GDPR guidance:

  1. Processing is any operation (including collection, recording, organising, storing, altering, using, and transmitting) performed on Personal Data.
  2. Personal Data is any information relating to a natural person (called a Data Subject) who can be (directly or indirectly) identified using that information.
  3. Data Controller is a person, authority, agency or other body which determines the purposes and the means of Processing.
  4. Data Processor is a person, authority, agency or other body which undertakes Processing on behalf of a Data Controller.

Subject Access Requests

A Data Subject (e.g. a learner or parent) that wishes to examine their Personal Data under the rights set out in Article 15 will be performing something called a Subject Access Request.

Where the school is, or may be, undertaking Processing, the Data Subject has the right to:

  1. require the school to confirm whether or not their Personal Data is being Processed;
  2. require the school to provide a copy of their Personal Data; and
  3. be informed about the Processing (as set out in Part 5 of the SWGfL GDPR Guidance here).

Data Subjects are only entitled to request their own data (unless the information they are requesting is also about them, or they are acting on behalf of someone else).

Whilst many organisations provide an online form for Data Subjects to complete in order make a Subject Access Request (and this is recommended in the GDPR (Recital 59), particularly if the Processing is being undertaken electronically), Data Subjects are not required by the GDPR to use it, and a Subject Access Request is therefore valid whichever means the Data Subject chooses to use to raise it.

The GDPR does not set out any specific details in terms of making requests. A Data Subject can make a valid Subject Access Request, then, (a) verbally; (b) in writing; (c) by email; (d) through other channels that the school might use (e.g. social media); or (e) using any online forms you have provided.

Subject Access Requests could, therefore, be sent to any part of the school, and it is not necessary for it to be called a ‘Subject Access Request’ or even use that phrase in any part of the request. The Data Subject simply needs to make a clear request for their Personal Data.

Data Controllers should take appropriate steps to verify the identity of the person making the request, particular where requests are made in person/verbally, or using electronic means that do not uniquely identify the requestor. Note, however, that such identification steps should be limited to those necessary to confirm identity.

There are general factors affecting the management of SARs in schools, including:

  1. SARs may be issued by Data Subjects in any form;
  2. SARs may be issued by Data Subjects to any part of or staff member in the school;
  3. SARs do not need to be called ‘SARs’ by the Data Subject, and only need to make it clear that the Data Subject is requesting their Personal Data; and
  4. Identification steps may be required to confirm the identity of the requestor.

Subject Access Requests from Children (Learners)

Where learners are concerned, the right of access continues to apply, and though in practice it may more often be a parent making a request (on the child’s behalf), the child has the right to request their Personal Data. As per the ICO’s guidance here, schools may consider whether, in the case of a request made by a child, that child is mature enough to understand their rights. Where a school considers they are, the response should be made directly to the child, however it is also appropriate to respond to their parent(s) if the child authorises it or if the school believes that to be in the best interests of the child.

Note that in Scotland it is presumed that a person aged twelve or more is sufficiently mature to request access to their Personal Data and to understand the nature of that request. Whilst there is no equivalent position in England, Wales or Northern Ireland (and therefore a judgement based on the child’s level of understanding), it suggests an approach that may generally be considered reasonable.

The response should be in a concise, transparent and easy accessible form, using clear and plain language. This does not require that it can be understood by the requestor, but that it can be understood by the average person (or child).

Subject Access Requests need to be completed (in most cases, that means the Personal Data requested being provided to the requestor) within one month, and it usually not permissible to charge a fee (though in cases where the request is manifestly unfounded or excessive, a reasonable fee may be charged).

Where a request is for a large amount of Personal Data and lacks definition, it is permissible to ask the Data Subject to clarify their request, but this should be done without delay, and if the Data Subject declines to clarify the basis of their original request would remain valid.

Where a response to a request from one Data Subject will disclose the Personal Data of another Data Subject, the Data Protection Act 2018 (Para 16 of Part 3 of Schedule 2) provides the ability for the Data Controller to refuse the request unless:

  1. the other Data Subject has consented to their Personal Data being disclosed; or
  2. it is reasonable to disclose the Personal Data of the other Data Subject without their consent.

There are some complications in managing SARs in schools, including:

  1. learners may raise SARs, and the school would need to comply with such a request (either directly to the learner or to the parent if the learner is not considered mature enough);
  2. the response to a SAR needs to be clear and capable of being understood by the average person (or child);
  3. SARs need to be completed (i.e. responded to) within one month;
  4. SARs should be completed without charge to the Data Subject (unless manifestly unfounded or excessive); and
  5. schools can clarify SARs (particularly for very large or wide requests), but if no clarification is forthcoming the original request remains valid.

Subject Access Requests (SARs) in Schools

Schools may, based on this, find managing Subject Access Requests (SARs) challenging. The establishment of systems and provision of training to staff are likely to make the process simpler.

Whilst schools may envisage SARs being received and processed efficiently by an identified member of staff, given the multiple contact points that Data Subjects (including children and parents) have with school staff, it is possible (and probable) that a SAR could be received by a wide range of staff. Training all staff to recognise a SAR is likely to be the only effective approach to this.

Schools that have received Freedom of Information Act 2000 (FOIA) requests in the past may have already designed and implemented systems to help manage these requests. In a practical sense, the nature of an FOIA request and a SAR are not significantly different, and in whether or not such a system is in place, there is validity in the use of a system to help manage future requests.

This does not need to be an elaborate or expensive software solution, and indeed can work well if the right policy is established, and using existing technologies and information assets (such as email and MIS data), a methodology to record and track the process of a SAR (or FOIA request), and sufficiently skilled and trained staff to understand and manage the request.

It will be important, for many SARs, to be able to find the Personal Data in question. This is one reason why the creation of a ‘data map’ and monitoring of ‘information assets’ set out in part 4 of the SWGfL GDPR guidance, which can be found here, is important.

Schools can prepare certain information in advance that will be required in responding to a request. This information is that which the GDPR requires Data Controllers to provide as part of responding to a SAR (set out in the table (Articles 13 and 14) in part 5 of the SWGfL GDPR guidance, which can be found here).

In a similar way, schools could give consideration in advance to their response to a SAR from a learner: it is required that the, should the school respond directly to the child, that the language, format and style is appropriate, and preparing this ahead of time will help to avoid mistakes should such a SAR be received.

Schools should consider:

  1. training staff to recognise Subject Access Requests;
  2. creating a policy to set out the management of Subject Access Requests;
  3. ensuring that staff involved in responding to Subject Access Requests understand the nature of the right to access, when a SAR can be refused, and what to do when refusing a SAR;
  4. maintaining certain information in a ready state to enable responses to SARs;
  5. developing processes to ensure responses to SARs are completed within one month; and
  6. the language to be used in responses to children.