A subject access request (SAR) can be an effective weapon in the hands of an aggrieved employee, ex-employee or parent. Even if you find no unhelpful or embarrassing evidence, the time it takes to respond to the SAR can still prove to be a major inconvenience.
This guide explains what a SAR is, what has changed recently and how you can best prepare to make the process of responding to a SAR legally compliant and as painless as possible.
What is a SAR?
SARs, in one form or another, have existed for more than 20 years. They provide individuals with the right to find out what personal data an organisation (including a school) has on them, why the organisation is holding it and who sees their information.
The General Data Protection Regulation (GDPR), which came into effect in May 2018, did not make substantive changes to the SAR regime, but it did provide renewed publicity for these pre-existing rights. This publicity has, perhaps unsurprisingly, led to our members reporting an increase in the number of SARs they receive.
What has changed since the introduction of the GDPR?
Although the implementation of the GDPR in 2018 didn’t introduce many changes to the SAR regime, the following changes are worth noting.
You must respond to a SAR within a month, with a possibility to extend this period for complex requests. A process needs to be put in place to ensure compliance; for example, what provision will you have in place over the summer holidays? You will find some tips below about how to be ready to respond to a SAR and what options you have in relation to the summer break.
You can’t charge a fee for complying with a SAR unless the request is ‘manifestly unfounded or excessive’. You can charge a reasonable administrative-cost fee if you receive requests for further copies of the same information.
Where a SAR is ‘manifestly unfounded or excessive’, not only can you charge a fee for the request but also you can refuse to respond. If you take this approach, you will need to inform the individual within one month and remind them of their right to complain to the Information Commissioner’s Office (ICO). You must keep any relevant analysis and accompanying evidence of the assessment undertaken to establish that the SAR was ‘manifestly unfounded or excessive’.
It must be possible to make a SAR electronically. Where this happens, you should provide the information to the individual in commonly-used electronic form (eg on a memory stick) unless otherwise requested by the individual.
Steps you can take to make responding to a SAR as easy as possible
Proof of eligibility – check the identity of the individual making the request to ensure you don’t provide personal data to the wrong person. Ask the individual to present themselves with their passport for visual verification. If the SAR is on behalf of a child, check the individual’s relationship to the child, for example, ensuring that the individual is a parent with full legal rights and that no safeguarding issues would arise by providing this information
Timing is key – make sure you train all staff appropriately so that they can recognise a SAR, understand that it must be dealt with as a matter of urgency and know who to contact if they receive one
Follow a process – ideally you will have ‘mapped’ where you hold all your school’s data so that you can follow a systematic process to ensure you carry out a thorough and straightforward checking process. Create a list of the areas that you need to check. You can use this checklist to demonstrate compliance if needed
Who will respond? – it is helpful to have a nominated person available to take charge of the response to the SAR, but make sure that a response isn’t reliant on one person in case they are away or ill. The natural person to nominate is your school’s designated data protection officer if you have one
What happens in the holidays? – If you receive a request in the holidays, the letter of the law still requires you to respond within 30 days. However, if this subject access request proves impossible, then you can send an initial response confirming receipt of the SAR and requesting that appropriate identity checks take place before you can respond. The letter could state that you intend to respond fully to the SAR when the school reopens and all identity checks are complete. While the individual could, in theory, take issue with this and make a report to the ICO, we understand from a conversation with the ICO that unless the delay were significant or deliberate, it would be unlikely to take any action against the school
Preparing in advance – consider preparing template response letters to guarantee you comply with all elements of a response to a SAR. This should help make SAR responses more efficient and thorough
Less is more – with the increased use of SARs, it might be worth reminding staff of the need to record personal data only when necessary and ensure they record this information in the right (pre-agreed and ‘mapped’) place. It is also worth reminding staff that the new regime could result in the school having to provide direct copies of information held, so they should only record information they would be happy being seen by a wider audience
Check your response before sending – before sending, check the response in detail to establish if you need to disclose everything. For example, you might have to disclose only parts of particular documents; you may need to redact information about third parties or confidential legal advice. There may be other exemptions that apply in relation to the information you have to supply, so if you have any concerns about disclosing any material, you should confirm this with your data protection officer or the Information Commissioner’s Office.
About NAHT
NAHT is the leading union for school leaders’ and as a member you get access to legal support and advice, discounts and deals on your daily purchases, access to a mentoring scheme and savings on our highly-rated CPD courses and conferences. To join us, visit out membership page.