Does Your School Know How to Respond to a Subject Access Request?
Parents, pupils and staff have the right to receive the personal data which your school holds about them.
This is known as the right to make a subject access request (SAR) under the Data Protection Act 1998 (DPA). SARs are frequently made in the context of a parental or employee grievance, for example, in an attempt to find information which supports a complaint. Knowing how to recognise these requests and how to deal with them effectively could save your school time and resources.
Let's imagine that you receive an email from the parents of a pupil which states "we would like the information which the school holds about our son and specifically information relating to the incident on 12 February 2016".
How would your school respond to this request? This article will explore the main points to consider initially and some common misconceptions about SARs.
This blog was written in 2016 and it does not therefore take account of the GDPR and other new data protection laws which came into force in May 2018. We have produced new, and much more comprehensive, information on data protection for schools, which can be found via our On Stream portal. This includes detailed FAQs on subject access requests made under the GDPR.
Initial Points to Consider
Are you satisfied that this request has genuinely been made by the pupil's parents?
Requests are sometimes made fraudulently and it is therefore sensible to make reasonable checks. For example, you could check whether the email address has been used to correspond with the parents previously or call the parents to verify the request.
Is the pupil's consent needed to disclose his personal data to his parents?
When children are aged 12 or older, they are generally considered mature enough to exercise their own data protection rights. You should therefore consider if the pupil's consent is needed before making a disclosure of information to his parents.
Broadly speaking, what information about the pupil is covered by the SAR?
Individuals are entitled to their personal data. This is information from which they can be identified and which relates to them. For example, an email between staff discussing a pupil's behaviour would likely include that pupil's personal data.
People are also entitled to additional information about their personal data. For example, information about the recipients of their personal data and the purpose for which the school is processing their personal data.
Does your school require any further information from the parents to locate the personal data requested?
You are entitled to ask for information to help you locate the personal data requested.
For instance, if responding to the example request above, you may wish to clarify if the request is for all the personal data held about their son or simply that relating to the incident on 12 February 2016.
How long does the school have to provide this information?
Your school has 40 calendar days to comply with a SAR. This 40 days normally begins on the day that the request was received.
However, the 40 days will not start to run until you have received:
- any information asked for to satisfy yourself of the requester's identity
- any information requested to locate the personal data (so long as the school's request for further information is reasonable)
- the statutory £10 fee if you have asked for this
The 40 calendar day period is not extended because of the school holidays. For example, if a request is received on 10 July 2016 the deadline to respond is 18 August 2016 (subject to the points made above).
Individuals sometimes make requests immediately before the school holidays to cause maximum disruption. It is therefore important to promptly identify subject access requests and seek legal advice in good time where this is required.
Have you received the £10 statutory fee for dealing with the request and if not, will you ask for this?
Your school can charge a statutory fee of £10 for dealing with this request and the 40 day time period does not start until this is received. However, you should bear in mind that this fee should be requested promptly.
Common Misconceptions about SARs
Independent schools do not have to comply with SARs
This is not correct. Independent schools are not subject to the Freedom of Information Act 2000 nor to the Education (Pupil Information) (England) Regulations 2005. However, this does not mean that they are exempt from responding to SARs under the DPA.
SARs only apply to information held on a computer
Individuals are entitled to their personal data as explained above. Personal data comprises information held on a computer and which is held in a structured paper filing system. An example of a structured paper filing system would be a file about an individual which is sub-divided by category of information which means the specific information is readily accessible.
Certain health records fall within the definition of personal data even if they are not held on a computer or in a structured paper filing system.
The request must provide a reason why the individual wants their information
There is no requirement to provide a reason. The request must simply be in writing, which includes via email.
We do not have to disclose information which we received from a third party
Although there are some exceptions, individuals are generally speaking entitled to their personal data which is held by your school even if this information came from a third party.
However, if information is particularly sensitive (eg. came from social services, a medical professional or CAMHS) you should seek legal advice.
Only factual information about someone is disclosable
Personal data includes opinions about people. It also includes any indication of intentions in respect of a person.
There is no exemption for information which it would be embarrassing to disclose. For example, an email from a member of staff to a colleague criticising a parent might be disclosable if that parent made a SAR for their own information.
We do not need to comply with a request if it would take us a very long time to find the personal data requested
Your obligation is to make reasonable and proportionate searches. In practice, this means that you must carry out extensive searches but does not mean that you need to search every document or email on the off-chance that it might contain personal data about the requester.
Information which is also about someone else is not disclosable
This depends on the circumstances of the case. Where information is both about the requester and a third party, the information should only be disclosed if the third party consents or if it would be reasonable to do so without their consent.
There are various exemptions to your disclosure obligations. For example, examination scripts and references which you have given are not disclosable under a SAR. The exemptions are too numerous to detail here and therefore we recommend you seek our advice if you have any concerns about dealing with a SAR.