Tricky Subject Access Requests

This is a summary taken from Judicium’s GDPR ‘Sofa Session’ from the 14th of February, with our Data Protection Consultant Sam Hall. This session covered complying  with a SAR if the worker has signed a non-disclosure or settlement agreement, complying with a SAR if the worker is going through a tribunal or grievance process, CCTV footage and what happens if a requester isn’t happy with their SAR response.

Poll 1

Back to Basics: Steps to Take Once a Request is Received

1. Recognise the request:

• It does not need to say Subject Access Request (SAR), and it might even say Freedom of Information (FOI).
• It can be written or verbal.
• It can be submitted to anyone in the school.
• It does not need to use a specific form, but you can request this for ease.
• You should contact your DPO for support and advice.

 2. Acknowledge the request:

• Confirm the deadline.
• Request clarification / ID / consent.
• Confirm parental responsibility.
• Require Form of authority? (Solicitors).
• If no clarification – confirm reasonable searches.
• You should contact DPO for advice and draft response.

 3. Search parameters:

• If they have asked for everything, conduct a reasonable search.
• Unstructured records - In some limited circumstances they may need to be disclosed. Although this rarely comes up, if it does contact your DPO.
• Search any systems containing personal data.
• Keep note of searches and terms used. NB: This is important for complex searches and keeping transparency.

 4. Is the request complex? (as defined by the Data Protection Act and Information Commissioner's Office Guidance)

• You may not know this at the start so keep this under review.
• If it is a complex request, communicate this to the requester.
• You can extend the deadline by up to 2 months. However, you should only extend for a period that is reasonable in the circumstances.

When is a Request Complex?

The size and resources of an organisation are likely to be relevant factors. However, a request is not complex just because it will take you a long time to respond to. There is an obligation to have systems in place which allow you to respond to SARs in a timely manner, and within one calendar month.

Requests for large amounts of data may add to the complexity, but a request is not complex just because it is for a large amount of information.

Also, a request is not complex because you need to rely on a processor to provide the information you need.

Below are some of the key criteria from the Information Commissioner’s Office (ICO) regarding complex subject access requests:      

• Technical difficulties in retrieving the information (For example, if the data is electronically archived.)
• Applying an exemption that involves large volumes of particularly sensitive information.
• Clarifying potential issues around disclosing information about a child to a legal guardian.
• Any specialist work involved in obtaining the information or communicating it in an intelligible form.
• Clarifying potential confidentiality issues around the disclosure of sensitive medical information to an authorised third party.
• Needing to obtain specialist legal advice. If you routinely obtain legal advice, it is unlikely to be complex. Discussing the SAR with your DPO does not make a request complex). However, there may be some circumstances when advice is sought from solicitors.
• Searching large volumes of unstructured manual records

If the subject access request is complex, you can extend your deadline for up to two months, meaning you have three months to comply. You must confirm whether the SAR is complex as soon as possible and no later than the initial one-month deadline.

Extensions for complexity

Safeguarding records are an area where there may be added complexity and additional time may be needed. This would include clarifying potential issues around disclosure to a legal guardian and applying exemptions to large volumes or particularly sensitive information.

If a request is complex and you need to extend the timeframe of your response, you should still seek to disclose any easily disclosable personal data within the initial one calendar month.

Responding to the Request

Redactions:

This can be the most time-consuming aspect of responding to a SAR. Ensuring you have excellent data minimisation practices and a data retention policy will save you time.

You must remove third-party data including:

• Names etc.
• Contact details.
• Opinions.
• Witness statements.
• Separated parents/family disputes. NB: Never assume family members are aware of information about each other.

You should also remove any duplicates and the information that is not within scope of the SAR (administrative or operational documents and/or group emails).

You should also redact any safeguarding data.

Data subjects have a right to their data, not the document it is contained in. Therefore, you can extract the data if it makes more sense. However, some requestors may see this as an attempt to conceal information which leads to time consuming follow up questions and complaints.

Generally, it’s good idea to keep redactions to a minimum to ensure transparency.

We recommend you keep a record of the information you have redacted and the reasons for the redaction. This is important for the more contentious SARs, as you can defend your decisions. When in doubt, contact your DPO for advice.

Applying exemptions:

The primary exemptions include:

1. Personal data processed for the prevention or detection of crime.
   • This only applies to the extent that complying with the SAR is likely to prejudice this purpose.
2. Child abuse data: information about whether the data subject is or has been the subject of, or may be at risk of, child abuse.
   • Abuse in this context includes physical injury (other than accidental), physical and emotional neglect, ill treatment or sexual abuse, of an individual under the age of 18.
   • This will generally apply where the request has been made by a parent and complying with the request would not be in the best interests of the child.
   • You should discuss the request with your designated safeguarding lead when needed along with your DPO.
3. Confidential references: if the request is received from an ex-staff member following a dispute.
   • This only applies if the reference was given in confidence.
   • It applies regardless of whether you sent or received the reference.
4. Serious harm: this exemption applies to the extent that complying with the request would be likely to cause serious harm to the physical or mental health of any individual.
5. LPP: litigation privilege and legal advice privilege.

These are a selection of the exemptions that most commonly apply to schools. There are more, and we advise always seeking advice from your DPO.

Other considerations:

It is always important to consider the best interests of the child. If there is evidence that disclosing data to a parent would not be in the best interests of a child, the data should not be disclosed.

Similarly, if there is evidence that it is in the best interest of the child to disclose to a parent, you should do so, e.g. if you are aware that a refusal to disclose data to a parent would result in detriment to the child or young person.

Next steps:

Complete a response letter (Your DPO can prepare it). It should include:

• Confirmation of the searches completed.
• Confirmation if there is any other data to follow.
• Explain any exemptions.

CCTV

CCTV footage is personal data and falls within the scope of a SAR. If a request is received, make sure you preserve the footage.

CCTV footage will often contain images or personal data of people other than the requestor.

1. If this is the case, you should first consider whether it is possible to remove the images or data of other people so they can no longer be identified from the footage. This can be done by using software to blur out, crop or redact other people from the footage. The ICO expect organisations to be able to do this.
2. If it is not possible to remove data relating to other people, you will need to consider whether you have consent from those people who can be identified. It is good practice, where possible, to seek consent from third parties.
   • However, you are not obliged to ask and in some circumstances it is not appropriate to do so, e.g., if you don’t have their contact details, it would potentially disclose personal data of the requestor to the third party that they were not already aware of, or it would be inappropriate for the third party to know that the requestor has made a SAR.
   • If you obtain consent from all third parties who are identified in the footage, you can disclose it.
   • If you receive a request for footage that includes many people, it is unlikely to be appropriate to seek consent. This may be because it would be very difficult to contact everyone. It also may be because it is not appropriate to inform so many people about the SAR. If you do need to seek consent from many people, this may add to the complexity of the request.
   • It’s possible to ask whether third party consents to the footage being shown in school but not sent to requester.
3. If you do not receive consent, or consent is refused, you must decide whether it is reasonable in the circumstances to disclose the footage in the absence of consent. It is relevant to consider whether consent was refused or there was no response.
4. You should also consider what is included in the information.
   • If the third party is walking in public, it will be more likely to be reasonable to disclose than if they are in an area with a greater expectation of privacy.

Important considerations:

• The importance of the footage to the individual is also a relevant consideration.
• If the third party is a school employee, it will usually be reasonable to disclose without consent.
• Determine if the information is already known to the requestor.
• You can consider whether it would be reasonable to allow the footage to be viewed in a controlled environment in school rather than being disclosed to the requestor.

Always document the reasons for your decisions, consider CCTV retention periods and if you receive a request, contact your DPO.

When Can a Request be Refused?

Manifestly unfounded:

This is when the individual clearly has no intention to exercise their right of access. For example, if an individual makes a request but then offers to withdraw it in return for some form of benefit.

Also, when the request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption, e.g., the requester explicitly states that they intend to cause disruption, or they systematically send different requests to you as part of a campaign with the intention of causing disruption.

NB: You must consider the context of the request; if the individual genuinely wants to exercise their rights, it is unlikely that the request is manifestly unfounded.

Whilst the use of aggressive or abusive language is not acceptable, the use of such language does not necessarily make a request manifestly unfounded.

Manifestly excessive:

Is the request clearly or obviously unreasonable?

It’s important to note that this will rarely apply. The inclusion of the word ‘manifestly’ means that there must be an obvious or clear quality to the excessiveness.

Can we refuse if the SAR is from a worker who has signed a non-disclosure or settlement agreement? or Can we refuse a SAR if the worker is going through a tribunal or grievance process?

No – the data subject still has a right to the information. If the request is genuine, the purpose of the request is irrelevant. However, keep the exemptions in mind, particularly litigation privilege and legal advice privilege.

We always advice discussing these with your DPO and/or legal representative. 

What if the Requestor isn’t Happy with the SAR Response

Ensure you have recorded defensible decisions.

• Listen to their concerns – can they be resolved internally?
• If the requestor believes data is missing, ask them to describe the information including time frames and where it may be stored if known. If you have recorded your searches and informed the requestor of these, you can explain that further searches can be conducted for the information that is missing.
• If the requestor remains unhappy with your response, they have the right to complain to the ICO.
• If a complaint is made to the ICO, you will be contacted by them and asked to provide a response. This is why it is important to keep a record of the reasons for any decisions, e.g., to withhold information and to record the searches conducted. There is an obligation on the school to be able to demonstrate compliance.

Top Takeaways

1. Data minimisation.
2. Good communication and transparency.
3. Defensible decisions – document your reasons.
4. Consult your DPO.

Helpful Information:  

Summary Notes 'A Guide to Subject Access Requests in 45 Minutes'

Summary Notes 'Handling SAR Redactions, Exemptions and Manifestly Unfounded/Excessive Requests'

Judicium also offer a range of GDPR e-learning  training designed for schools. You can see current course availability here.

If you’d like to review Judicium’s forthcoming Sofa Sessions please click here

Follow us on Twitter: @DPOforSchools and @JudiciumEDU

© This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attend and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium either preventing you with access to our sessions and/or follow up content.