
Subject Access Requests - Disclosing Too Much Information Can Lead to a Fine

on Thursday, 15 September 2016.

The Information Commissioner's Office (ICO), the data protection regulator, has recently fined a GP surgery in Hertfordshire £40,000 for disclosing too much information when responding to a subject access request (SAR).

This is another case that demonstrates the importance of getting SARs right. The issues faced by this particular GP surgery highlight similarities with what schools have to contend with when dealing with SARs.

By way of reminder, individuals (including parents, pupils and staff) have a right to a copy of any information that a school holds about them (subject to a number of exemptions). This right is known as a SAR.

The Fine

The surgery, under pressure from the estranged partner of a female patient, released personal data about their son to him. The 62-page bundle that was released included the woman's contact details as well as those of her parents, and information about an older child to whom the estranged partner was not related. The bundle also included correspondence with social services and child protection reports. In this case, there had been explicit requests from the patient to take particular care to protect her details.

The ICO did not just hold one individual responsible, but identified the lack of proper procedure, guidance and training within the surgery as the real cause.

The ICO explained that the fine would have been greater if not for the fact that the partners were personally liable to pay it, as the surgery is a partnership. It is likely that other organisations (such as companies, charities and public bodies) would have been issued with a much larger fine in the circumstances. The ICO has the power to fine up to £500,000.

Best Practice

Disclose too little and schools could end up breaching the requester's rights to their information; disclose too much and the school risks infringing the rights of third parties.

This is a particular problem for schools because much of the information they hold will be mixed in the sense that it will be about a number of different individuals. For example, a record of a safeguarding concern might contain personal data about a pupil, mother, father and possibly also members of staff.

If the father makes a SAR for the data, then the school will have to carefully balance the father's right to the personal data against protecting the rights of the pupil, the mother and possibly staff as well.

In the case of the GP surgery, the ICO found that staff had not been given sufficient guidance and supervision. This demonstrates the importance of ensuring that those individuals who deal with these requests are given sufficient training on the issues. In the school setting, this will likely include giving those staff responsible for SARs guidance on:

  • how to strike the appropriate balance when dealing with difficult cases (such as the safeguarding example above)
  • removing irrelevant third-party information (such as information about other pupils, parents, etc.)
  • what searches to carry out when retrieving information (e.g. when keyword searches would be necessary and so on)
  • under what circumstances third parties should be consulted (e.g. social services, healthcare professionals) before making a disclosure

If you would like further information on subject access requests or data protection obligations generally, then please contact Andrew Gallie in our Independent Schools team on 0117 314 5623.