A Guide to Subject Access Requests in 45 minutes

This is a summary taken from Judicium’s GDPR ‘Sofa Session’ from the 17th of January, with our Data Protection Consultant Laura Butler. This session covered recognising a request, the steps to take once a request is received, and when a request can be refused.

Poll 1

Recognising a Request

To be able to recognise a request, you must first understand what a subject access request is. A subject access request (SAR) is a request for personal information. It is one of the eight individual rights under the DPA 2018. In a school setting, these requests commonly come from staff members, parents for data on themselves, their children, or both.

There is no formal or set way that an individual can make a subject access request. Subject access requests can be made both verbally and in writing.

The most common way that schools receive subject access requests are over email. However, they can also be made over the following:

• Social media, for example, Twitter, Facebook messenger, Instagram page;
• Written letter received by post;
• Through the ICO;
• For Judicium Clients, through Jedu, if you have shared the link for making a SAR.

Do individuals need to mention the words ‘subject access request’ or Data Protection Act 2018’ to make a SAR valid?

There is not set wording or words an individual has to say for the request to be valid. For example, a parent could approach a teacher at the end of a school day and say, “I want all the information the school hold on my child.” This would be a valid subject access request. All staff should be able to recognise the SAR and know the next steps to take.

Sometimes a subject access request can get confused with a Freedom of Information request. However, if the requester has asked for personal data, it should be treated as a subject access request. You should also outline you will be handling it as a subject access request to the requester.

There is no requirement for individuals to send a subject access request to a certain email address. Therefore, any member of your staff could potentially receive a subject access request in their inbox.

Some SARs may be hidden within a long email. Therefore, it is important that all emails are read carefully. We have seen cases where schools have missed subject access requests due to being in a long email about another issue.

Top Tip: It can be helpful to provide a SAR form to individuals. However, the request is still valid even if they refuse to fill out the form.

The Steps to Take Once a Request is Received

Once a request is received, the school or Trust has one calendar month to respond to the SAR. We would recommend contacting your DPO in the first instance, so they can assist you throughout the SAR.

Key questions to ask before you start taking steps to comply with the subject access request are:

1. What has the requester asked for? Do you need to ask them to narrow down what they want?
2. Who has made the request? Are you confident in the requester’s identity, i.e., the email address they made the request with, does it match the one you have on record?
   • NB: The timeframe for dealing with the request, does not start until you are satisfied in the requester’s identity.
3. If the request has come from a parent, does the parent have full parental responsibility?
4. If the request has come from a parent, what is the age of the child whose data has been requested? If the child is over the age of 12, do they have the maturity to understand their data rights? If yes, consent will need to be requested.
   • NB: The timeframe for dealing with the request does not start until consent has been received.
5. If the request has come from a parent, are there safeguarding concerns relating to the individuals?
6. If the request has come from a parent, are there any court orders in place restricting access to the data?
7. If the request has come from a staff member, are there any ongoing grievances, disciplinaries that may have an impact on what is provided?

Can requests also be made through third parties?

Some requests may also come from solicitors on behalf of an individual. In these cases, you will also need to look at whether they have given a form of authority.

In addition, we have worked with schools who received requests from family members like aunts,  uncles, or grandparents. In these cases you will need to be satisfied that either the parent has given consent for the information to be sent to the requester or whether they are their official carers and can request the information.

What should you do next?

Once you have asked yourselves the questions outlined above, send an acknowledgement to the requester. For our Judicium Data Protection clients, we can draft an appropriate acknowledgement for you. When acknowledging the request, it is important do the following:

• Acknowledge receipt of request
• Confirm what was requested
• Ask for proof of ID (if needed)
• Ask for further clarification (if needed)
• Ask for consent (if needed)
• Outline how you will provide the information
• Outline the timeframe for complying with the request

Once you have sent the acknowledgement, the school or Trust will need to decide on the search parameters. You will need to search the requesters name (full name, first name, surname and initials if used).

Depending on what was requested, you may need to search the following areas:

• Email accounts
• Shared drives
• Record management systems (such as SIMS)
• Structured paper files
• Safeguarding systems (CPOMS, MYConcern)
• Social media.

We recommend keeping a note of the search terms used and the methods used to identify the relevant data. 

Redaction

Once you have located all the information, you will need to redact all third-party information as the requester is only entitled to access their own personal data (or their child’s).

Redacting the data can be the most time-consuming part of dealing with the subject access request, especially if the request is large. To reduce the time required, we recommend removing duplicates or information that you do not necessarily need to provide, such as when the individual was copied into an email but nothing in the email is about them. NB: We always recommend getting in contact with your DPO for advice on redaction.

If you come across any information you are concerned about disclosing, you may be able to withhold some data under an exemption.  We will be discussing this in further depth at our Sofa Session on Tricky SARs on the 14th February.

Top Tip: We recommend diarising the request in your calendar and setting time aside each day to chip away at the request to ensure it’s complied with within the one calendar month time frame.

Once you have all the information together, you will need to send the data to the requester, with a response letter, outlining the following:

• Searches carried out, i.e.. what search terms were used, names of systems searches, departments contacted, period of the search
• How the information will be provided
• If you are relying on any exemptions or have redacted information
• An outline of what exemptions you relied on

It’s important to log this on your internal data request log. This is important for compliance with the accountability and transparency principles. It may also help if you receive a complaint as it details how the request was handled.

Poll 2

When Can a Request be Refused?

It can be difficult to refuse a request entirely and the threshold for being able to do so is extremely high.

There are some exemptions you can rely on to partly or wholly refuse a subject access request. However, these need to be applied on a case-by-case basis and cannot be used as a blanket exemption.

Schools or Trusts can refuse a request if it is considered manifestly unfounded or manifestly excessive.

What do you mean by manifestly unfounded?

The Information Commissioner’s Office (ICO) states that a request can be manifestly unfounded if:

• The individual clearly has no intention to exercise their right of access. For example, an individual makes a request, but then offers to withdraw it in return for some form of benefit from the organisation.
• The request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption. For example, the individual:

• • explicitly states, in the request itself or in other communications, that they intend to cause disruption.
  • makes unsubstantiated accusations against you or specific employees which are clearly prompted by malice.
  • targets a particular employee against whom they have some personal grudge.
  • systematically sends different requests to you as part of a campaign, e.g. once a week, with the intention of causing disruption.

Even if it meets these criteria, you cannot automatically withhold the data due to it being manifestly unfounded.

What is meant by manifestly excessive?

For a request to be considered manifestly excessive, the ICO state that you should take into account all the circumstances of the request, including:

• the nature of the requested information.
• the context of the request, and the relationship between you and the individual.
• whether a refusal to provide the information or even acknowledge if you hold it may cause substantive damage to the individual.
• your available resources.
• whether the request largely repeats previous requests, and a reasonable interval hasn’t elapsed.
• whether it overlaps with other requests (If it relates to a separate set of information, it is unlikely to be excessive).

You wouldn’t be able to use manifestly excessive simply because the request is large. You must consider all circumstances.

In these circumstances consider asking the requester to narrow down or clarify what they want or provide you with more information in order to locate what they want.

At Judicium we have seen often an individual doesn’t really know what they are asking. Once you have a conversation with the individual, it can sometimes become apparent there is only a small amount of information they want.

We would always recommend seeking advice from your DPO before applying any of these exemptions or before deciding to withhold all the data.

Helpful Information:  

Summary Notes on Handling SAR Redactions, Exemptions and Manifestly Unfounded/Excessive Requests

Judicium also offer a range of GDPR e-learning  training designed for schools. You can see current course availability here.

If you’d like to review Judicium’s forthcoming Sofa Sessions please click here

Follow us on Twitter: @DPOforSchools and @JudiciumEDU

© This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attend and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium either preventing you with access to our sessions and/or follow up content.