This article outlines some simple actions to make the initial stages of dealing with a Subject Access Request (SAR) more straightforward.
A SAR can be made to any staff member, in writing or orally and does not need to use any particular form of words, or in fact even mention that it is a SAR. Training staff to recognise SARs and pass them to your school's data protection lead immediately is essential.
Reminding staff to not write embarrassing or unprofessional comments should be an 'easy win'. Often, staff do not realise that their work emails (and other written comments) are potentially disclosable. When a SAR is made in the context of a complaint (which they often are) having to disclose these comments can put your school in a difficult position.
Having rules about where to store different types of information and documents and ensuring that staff follow the rules make it easier to search for the requested information.
We often find that staff within a school will store the same types of information in different locations, eg, some on their desktop, some in a departmental drive and some on their cloud account (eg, OneDrive). This can make it very difficult to collate the information needed to respond to a SAR and also has wider implications for data protection compliance
SARs are often broad and unclear, but fortunately when the requester is asking for a large amount of information, you are able to ask them for clarity on what they are seeking.
If you have any doubts about the authenticity of a request, consider whether it would be reasonable to ask for identification. There could be serious consequences if you provide personal data in response to a fraudulent request.
Parents are entitled to make requests on their child's behalf. However, if the child can understand their data protection rights, (usually from the age of 12) then the child's authorisation may need to be sought. The child should fully understand what they are authorising so it is often best to clarify the scope of the request (as above) before speaking to the child.
If you have asked for clarification or ID then the timeframe for your response does not begin until you have received it. Make sure that you ask for it promptly to avoid criticism from the Information Commissioner's Office.
The standard timeframe for your response is one calendar month. However, you're allowed to extend the timeframe by up to an additional two months for complex requests.
Speaking to us when you first receive a SAR can save you time and legal costs in the long run. It is also the case that SARs are usually made against a contentious background and our data protection specialists work closely with other specialists at VWV to provide strategic advice that covers all angles.
In the next edition of our Schools Law Brief, we will cover preparing and sending out your response.