Subject Access Requests and School Holidays – How to Handle Data Requests that Arrive as the Academic Year Ends

This is a summary taken from Judicium’s GDPR ‘Sofa Session’ from the 21st of June, with our Data Protection Consultants Bethany Parker and Sofia Mastrangelo. This session focused on the key differences between timescales for SARs and FOI requests received in summer; what to do during closure periods and how to be transparent with the requester; the effect retention has on SARs, and tips on using the summer period to achieve this; and the importance of having a key contact over closure periods and a clear process within your policies.

What are the key differences in timescales for Subject Access Requests (SARs) and Freedom of Information Requests (FOIs)?

For Subject Access Requests, the statutory deadline to respond to the request is one calendar month. This date begins on the exact date of receipt and there is no official, statutory guidance for extending the deadline due to school closures. There is guidance on when situations may arise where an extension is deemed proportionate and/or necessary.

For Freedom of Information Requests, the statutory deadline to respond is 20 school days (or 60 days whichever is shorter). Therefore, there is a statutory requirement that considers closure periods in which schools will take that additional time to fulfil the request.

For both requests your Data Protection Officer (DPO) would assist you in drafting a formal acknowledgement to set the deadline, to request ID, clarification and/or consent where appropriate. They would also draft a final response once the data has been collated and is ready to send.

Poll 1

What should schools do during closure periods and how can they be transparent with requesters?   

Below are some helpful tips on how best to prepare for SARs, especially when received while the school is closed or minimal staff is available on site.

1. Consistency – Judiciums advise schools to create a checklist for staff to use.
   • The checklist can be drafted by a DPO or the key contacts within the school.
   • It is used to set key areas that must be considered when carrying out a SAR. Of course, all SARs will not be the same, but having a starting point with a list of areas to check will help when carrying out a “reasonable” search.
2. Structured – Judicium’s best practice advice is to maintain organised, structured data within your organisation.
   • For instance, ensure your systems are managed effectively. Have processes in place such as only communicating about staff with initials or codes (similarly with pupils).
   • This means that when a SAR is received, it is more likely to be reasonable to search with the same processes you apply.
3. Accountable – This can apply in two ways:
   • Firstly, the organisation is accountable for ensuring requests are complied with not individuals. Judicium advise sharing the responsibility and dividing tasks to ensure this can be completed within the deadline.
   • Secondly, to ensure accountability, Judicium advise maintaining an accurate request log and to update this with any extensions, reminding yourself of the deadlines to complete.
4. Minimised – A key area that will assist in preparing for any data requests is retention.
   • Only retain data for as long as necessary for your intended purpose.
   • Have an email retention policy in place and review with your DPO how long it is necessary to store data.
   • Being transparent about retention processes and not storing data longer than necessary is highly beneficial for SARs.

Transparency during Closure Periods

Always be transparent with the requester and set reasonable expectations of when you will be able to provide them with the full response.

There is no statutory rule on extending SARs because of closures. If you are not able to deal with the request, especially during the summer break, you should let the requester know immediately.

Judicium recommend providing the reasons why you can’t deal with the request, the length of the delay, when you expect the response to be ready by and whether any information can be provided to them sooner.

Practical Steps to Notify Requester of any Delays

1. Send a newsletter or communication out to parents and staff or place a notice in the reception area.
   • Highlight how over the closure emails may or may not be monitored and therefore, SARs/ Data Requests may not be complied within statutory deadlines.
2. Have an out of office message stating:
   • The dates your school is closed from and to
   • Whether the inbox is monitored
   • A relevant alternative contact that can monitor throughout the period
3. Have a key contact who is working throughout the closure as the named individual on out of offices.
   • They can review with your DPO any extension wording so they can be transparent with the requester as quickly as possible.
4. You can have a dedicated data protection inbox, so SARs are easier to acknowledge and don’t get lost within generic emails.
5. Clearly state within your policies what your process is during school closures – especially summer.
   • If you are subscribed to our Data Protection service, this wording has been integrated into our data policies.

NB: The test for requiring an extension remains strict. Due to the legal restrictions, we recommend seeking advice from your DPO. If you are a Judicium Data Protection client, we will assist in drafting any appropriate wording.

Under what circumstances can a school have an extension for an SAR? 

Judicium has held discussions with the Information Commissioner’s Office (ICO) directly on this matter.  The ICO confirmed they are sympathetic to schools for the strict approach that has been adopted regarding extensions during closure periods. They confirmed that only under extreme, extenuating circumstances would a fine be imposed. However, an extension would only apply under the ‘complex request’ exemption as long as you had the correct processes in place, and you are being transparent.

This can only apply if the school is closed and there are no qualified staff on site to handle the SAR within the one calendar month. NB: This also applies if someone works across the period but doesn’t have access to the information to prepare all the requested data.

If you can, set out to the requester what data you can reasonably provide earlier and what will require additional time due to closure constraints. For instance, if some staff do have remote access and are able to provide some information, it is beneficial to do so, to evidence that you are taking steps to action within the initial statutory timeframe.

The complex exemption cannot be applied as a blanket exemption, but the above reasoning must be met. The exemption may not apply for requests at other points throughout the year. For instance, if a request is over a half term, there might still be an expectation it can be fulfilled.

Poll 2

How can a SAR Appendix in your data policy help? 

It is essential you are including wording of your SAR processes within your policies. You can then be transparent that during closures, you may require an extension as no staff will be on site to complete the request within the one calendar month.

The requesters will have this expectation from the outset and will be less likely to refer their request on to the ICO due to the delay.

NB: Speak to your DPO to draft the wording and to ensure it is specific.

How can a retention policy help with SARs? 

It is a legal requirement to keep a record of your processing activities. We recommend using a data map as it will assist you in reviewing your purposes for holding data and the lawful basis for certain data. If there is no purpose for storing the data, you are likely to breach the key principle of ‘data minimisation’ and as a result, data you hold longer than necessary will still be subject to a data subject access request.

Ensure staff are aware of how long data is stored, referring to your data retention policies or processes in place, including general file management and how long to keep staff records once they left school.

• Emails – Use a 2 or 3-year retention period set up on emails.
  • In most cases, you may hold data that has no necessary purpose to store and should be deleted.
  • Decide on a case-by-case basis where you feel there is a reason to store longer. These emails can be stored in a more organised way into your MIS, Safeguarding systems, your server, or folders.
  • Emails are often requested in a SAR. For schools without an email retention policy, the searches can yield thousands of results, which takes longer to process. You may feel an extension is warranted but, the guidance remains strict.
• Software - Data entered may form personal data. Take additional steps to remove leavers from other systems (where possible) to ensure that you are:
  • Restricting use and managing access rights
  • Removing their data.

TOP TIPS:

1. Utilise the summer period or quieter times to carry out the deletion of data and to review your HR and pupil records to ensure only necessary data is being kept.
2. Your retention policy should be easily accessible and have best practice guidance in place for staff to test what information may need to be held for longer.
3. Provide guidance on where to store emails when necessary to move away from emails becoming the filing system.

What about requests for exam information before results day? 

The simple answer is no.

The ICO have confirmed that SARs requesting this data do not need to be answered until after issuing the exam results.

We would advise sending a response to the requester to confirm that the results will remain confidential until after the results have been issued. You can confirm that you will contact the requester after the results are published to determine whether they still want to proceed with the subject access request. Your DPO should assist you in this.

Helpful Information:  

Judicium also offer a range of GDPR e-learning  training designed for schools. You can see current course availability here.

If you’d like to review Judicium’s forthcoming Sofa Sessions please click here

Follow us on Twitter: @DPOforSchools and @JudiciumEDU

IRMS Toolkit for Schools

Previous Sofa Session Notes on SAR Redactions, Exemptions and Excessive Requests

ICO Preparation Guidance

© This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attend and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium either preventing you with access to our sessions and/or follow up content.