Data Protection Requests - How Should the School Respond?

on Wednesday, 13 July 2016.

Parents, pupils and staff have the right to receive the personal data which your school holds about them. This is known as the right to make a subject access request (SAR) under the Data Protection Act 1998 (DPA).

SARs are frequently made in the context of a parental or employee grievance, for example, in an attempt to find information which supports a complaint. Knowing how to recognise these requests and how to deal with them effectively could save your school time and resources.

A Scenario

Let's imagine that you receive an email from the parents of a pupil which states 'we would like the information which the school holds about our son and specifically information relating to the incident on 12 February 2016'. How would your school respond to this request?

This article will explore the main points to consider initially and some common misconceptions about SARs.

Initial points to consider:

  • Are you satisfied that this request has genuinely been made by the pupil's parents?

Requests are sometimes made fraudulently and it is therefore sensible to make reasonable checks. For example, you could check whether the email address has been used to correspond with the parents previously or call the parents to verify the request.

  • Is the pupil's consent needed to disclose his personal data to his parents?

When children are aged 12 or older, they are generally considered mature enough to exercise their own data protection rights. You should therefore consider if the pupil's consent is needed before making a disclosure of information to his parents.

  • Broadly speaking, what information about the pupil is covered by the SAR?

Individuals are entitled to their personal data. This is information from which they can be identified and which relates to them. For example, an email between staff discussing a pupil's behaviour would likely include that pupil's personal data. People are also entitled to additional information about their personal data. For example, information about who their personal data is shared with and the purpose for which the school is processing their personal data.

  • Does your school require any further information from the parents to locate the personal data requested?

You are entitled to ask for information to help you locate the personal data requested. For instance, if responding to the example request above, you may wish to clarify if the request is for all the personal data held about their son or simply that relating to the incident on 12 February 2016.

  • How long does the school have to provide this information?

Your school has 40 calendar days to comply with a SAR. This 40-day period normally begins on the day that the request was received. However, the 40 days will not start to run until you have received:

  • any information asked for to satisfy yourself of the requester's identity
  • any information requested to locate the personal data (so long as the school's request for further information is reasonable)
  • the statutory £10 fee if you have asked for this.

The 40 calendar day period is not extended because of the school holidays.

For example, if a request is received on 10 July 2016 the deadline to respond is 18 August 2016 (subject to the points made above). Individuals sometimes make requests immediately before the school holidays to cause maximum disruption. It is therefore important to promptly identify subject access requests and seek legal advice in good time where this is required.

The Statutory Fee

  • Have you received the £10 statutory fee for dealing with the request and if not, will you ask for this?

Your school can charge a statutory fee of £10 for dealing with this request and the 40-day time period does not start until this is received. However, you should bear in mind that this fee should be requested promptly.

Important Things to Remember:

  • Personal data comprises information held on a computer and information which is held in a structured paper filing system. An example of a structured paper filing system would be a file about an individual which is sub-divided by category of information which means the specific information is readily accessible. Certain health records fall within the definition of personal data even if they are not held on a computer or in a structured paper filing system.
     
  • There is no requirement to provide a reason for the request. The request must simply be in writing, which includes via email.
     
  • Although there are some exceptions, individuals are generally entitled to their personal data which is held by your school even if this information came from a third party. However, if information is particularly sensitive (e.g. came from social services, a medical professional or CAMHS) you should seek legal advice.
     
  • Personal data includes opinions about people. It also includes any indication of intentions in respect of a person. There is no exemption for information which may be embarrassing to disclose. For example, an email from a member of staff to a colleague criticising a parent might be disclosable if that parent made a SAR for their own information.
     
  • It is your obligation to make reasonable and proportionate searches. In practice, this means that you must carry out extensive searches, but it does not mean that you need to search every document or email on the off-chance that it might contain personal data about the requester.
     
  • Where information is both about the requester and a third party, the information should only be disclosed if the third party consents or if it would be reasonable to do so without their consent. There are various exemptions to your disclosure obligations. For example, examination scripts and references which you have given are not disclosable under a SAR.

The detailed list of exemptions is extensive and therefore we recommend you seek our advice if you have any concerns about dealing with a SAR. As mentioned above, SARs are often made in the context of a parental or employee grievance.


If you have any concerns about SARs or would like further advice, please contact Andrew Gallie in our Academies team on 0117 314 5623.