SARs are frequently made in the context of a parental or employee grievance, for example, in an attempt to find information which supports a complaint. Knowing how to recognise these requests and how to deal with them effectively could save your school time and resources.
Let's imagine that you receive an email from the parents of a pupil which states 'we would like the information which the school holds about our son and specifically information relating to the incident on 12 February 2016'. How would your school respond to this request?
This article will explore the main points to consider initially and some common misconceptions about SARs.
Initial points to consider:
Requests are sometimes made fraudulently and it is therefore sensible to make reasonable checks. For example, you could check whether the email address has been used to correspond with the parents previously or call the parents to verify the request.
When children are aged 12 or older, they are generally considered mature enough to exercise their own data protection rights. You should therefore consider if the pupil's consent is needed before making a disclosure of information to his parents.
Individuals are entitled to their personal data. This is information from which they can be identified and which relates to them. For example, an email between staff discussing a pupil's behaviour would likely include that pupil's personal data. People are also entitled to additional information about their personal data. For example, information about who their personal data is shared with and the purpose for which the school is processing their personal data.
You are entitled to ask for information to help you locate the personal data requested. For instance, if responding to the example request above, you may wish to clarify if the request is for all the personal data held about their son or simply that relating to the incident on 12 February 2016.
Your school has 40 calendar days to comply with a SAR. This 40 days normally begins on the day that the request was received. However, the 40 days will not start to run until you have received:
The 40 calendar day period is not extended because of the school holidays.
For example, if a request is received on 10 July 2016 the deadline to respond is 18 August 2016 (subject to the points made above). Individuals sometimes make requests immediately before the school holidays to cause maximum disruption. It is therefore important to promptly identify subject access requests and seek legal advice in good time where this is required.
Your school can charge a statutory fee of £10 for dealing with this request and the 40 day time period does not start until this is received. However, you should bear in mind that this fee should be requested promptly.
The detailed list of exemptions are extensive and therefore we recommend you seek our advice if you have any concerns about dealing with a SAR. As mentioned above, SARs are often made in the context of a parental or employee grievance.