Data Protection: Individual Rights - The Right of Access

This is a summary taken from Judicium’s GDPR ‘Sofa Session’ from the 9th of March, with our Data Protection Consultant Laura Butler. This session focused on how to handle data access requests, common pitfalls to avoid, and whether a request can be refused.

Individual Rights - The Right of Access (also known as Subject Access Requests or SARs) 

It’s important to start with the eight principle rights an individual has regarding their data. These are the right to be informed, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, rights in relation to automated decision making and profiling, and the right of access, which is also known as subject access request.

A subject access request is a person’s right to obtain a copy of their personal data, as well as other supplementary information. At Judicium we have seen a steady rise in SARs at schools over the past few years.

Live Session Polls

How to handle data access requests:

Contact your DPO as soon as possible. They will be able to provide guidance on where to search for the data and what information to redact.

If you are a Judicium DPO client, we will draft acknowledgements and responses for you, help you discuss whether we need to rely on any exemptions, request ID, get consent, and make the process as stress-free as possible.

What timeframe is required to handle the request?

Organisations must respond to the request without undue delay and no later than one calendar month from the day the request was received. If the response date falls on the weekend or public holiday, the one calendar month ends the next working day.

If the request is complex, you can extend the response by an additional two months. If you do need to extend the time limit, it is important that this is communicated to the requester that you will be extending and provide your reasons.

Clarifying the request if you process a large amount of information about the individual to specify the information their request relates to can help with the processing time.

NB: At this point the clock stops until you get this clarification. If you don’t get clarification, it is then important to detail what you will be searching (and what you feel constitutes a reasonable search).

Clarification should only be used if you genuinely need it. For example, if a new parent makes a request three months in, you have had little interaction with them and it’s unlikely you could rely on clarification to extend the timeframe.

What if the child is over the age of 12?

In Scotland, a person aged 12 or over is presumed to be of a sufficient age and maturity to understand their own data rights. However, this does not apply in England, where you have to make a decision based on their level of understanding. Always get in contact with your DPO as they can assist you in making this determination.

Checking Identity

The school can ask for proof of identification. It can be a copy of their licence, council tax bill, passport, etc. Your school must be satisfied the requester is who they say they are.

NB: The time to deal with the request is paused until you are satisfied in their identity.

Can you charge a fee?

Yes, you can. The school can charge a reasonable fee to cover their administrative costs. However, this is only if you feel the request is manifestly unfounded or excessive.

But what does it mean to be manifestly unfounded or excessive?

• It has been made with no real purpose except to cause them harassment or disruption.
• The person making the request has no genuine intention of accessing their information, e.g., they may offer to withdraw their request in return for some kind of benefit, such as a payment from the organisation.
• It overlaps with a similar request they are still addressing.

• From parents who are appealing an admission or EHCP
• From parents whose child has been suspended or excluded
• From staff members who are going through a disciplinary or grievance process. Their union rep will normally advise them to take this step.

Top tips for handling SARs

1. Act quickly – the time period is one calendar month.
2. Preparation is key!

• • It is important to know what they are asking for, and if you are unsure, ask them to clarify. You will likely have data in so many places, your MIS system, emails, social media, CCTV, tracker tools, physical files, on phones and memory sticks.
  • As you may have data in a variety of places, create a timeline for when you need to get tasks completed, i.e., timeframe for searching for data, redacting data, etc.

3. Diarise the response date and set reminders in your calendar to deal with the request.
4. Set aside time each day to deal with the request.
5. Initial awareness is important.

• • Individuals do not need to mention subject access request or data protection for a request to be valid. They could even call them an FOI. They can just ask for personal data that relates to them or their child.
  • People can make requests verbally and to anyone. Its important people know what requests are and who to report them to.
  • For example, a parent could come up to any staff member at the end of the day and ask for all information the school holds on their child. That would be classed as a SAR and the time limit starts as soon as that has been mentioned.
  • Judicium provide school specific training sessions on SAR requests. For more information visit the data protection tab

6. Have a policy in place that covers subject access requests.
7. Privacy by design – make sure your systems are designed to be able to retrieve information easily.
8. Log your request internally. If you are a Judicium client, you can log on them on the Jedu portal.

Common Pitfalls to Avoid 

1. Wrong exemptions have been applied or they have been applied incorrectly.
2. Not being fully transparent with the requester about delays.
3. Not acknowledging the request.
   • It is important you acknowledge the request. This helps outline timeframes for responding or whether you need any further information.
4. Not seeking clarification if unsure about what an individual is requesting.
5. Redaction has been done inappropriately. Redaction is on a case-by-case basis. We may need to consider consent from third parties to provide data.
6. Redacting too much so that the information does not make sense.
   • You do not need to provide everything in its original format, i.e. emails, you can copy and paste the relevant parts that mention the requester.
7. Not communicating to the requester what exemptions have been applied and whether third party data has been redacted or not.
8. Initials –
   • Just because an employee gives you search terms doesn’t mean you have to use them if they are too broad.
9. Email retention
10. Knowing the difference between two requests

Always contact your DPO for guidance as soon as you receive a request.

Can a Subject Access Request be Refused?

A request can be refused wholly or partly due to an exemption.

There are a large number of exemptions that can be applied to the data requested. However, not all of these are applicable to school settings.

• Child abuse data
• Negotiations with the requester
• Confidential references
• Exam scripts and exam marks

You can also refuse to comply with a SAR if it is manifestly unfounded or manifestly excessive.

The right to access also extends to confirming whether you process a particular type of data. Even if an exemption exists you should at least inform them if you hold it.

Helpful Information:  

Judicium also offer a range of GDPR e-learning  training designed for schools. You can see current course availability here.

If you’d like to review Judicium’s forthcoming Sofa Sessions please click here

Follow us on Twitter: @DPOforSchools and @JudiciumEDU

© This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attend and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium either preventing you with access to our sessions and/or follow up content.