We cover the “basics” of Subject Access Requests (SARs) in our training including what a SAR is, how to recognise one, and how to respond. But sometimes we are asked more in depth questions regarding SARs so we have put together this guide to include the answers.
More detail can be found in the ICO’s own guidance: Right of access | ICO
And if you have any specific questions regarding SARs, we would be happy to answer them and add those answers to our guide as well!
What are the common exemptions that may apply in the case of a Subject Access Request?
Answered November ’21.
When preparing data for a Subject Access Request, it is important to remember that there are a number of exemptions that could apply to the data. This list is by no means exhaustive but it includes the exemptions we think are most likely to apply to data requested of a school. Any, all, or none of these exemptions may apply to your data when requested and, if you are unsure, please speak to us as DPO:
- Information about others. There is an exemption in the DPA 2018 that says the school does not have to comply with a SAR if doing so means disclosing information which identifies another individual, except where the other individual has consented to the disclosure, or it is reasonable to comply with the request without that individual’s consent. For example, information about witnesses to an incident could fall under this exemption.
- Confidentiality. A duty of confidence arises where an individual discloses genuinely ‘confidential’ information (i.e. information that is not generally available to the public) to the school, with the expectation that it remains confidential. This tends to apply in specific situations such as during a counselling session, medical appointment or similar. The SAR guidance and DPA 2018 do provide examples but the list is not exhaustive. As data controller, you can decide whether you think there is an expectation of confidentiality around the data.
- Crime and taxation: general. Personal data processed for crime purposes is exempt from the right of access. These purposes are the prevention or detection of crime, or the apprehension or prosecution of offenders. This exemption applies only to the extent that complying with a SAR is likely to prejudice one of these crime purposes. This is unlikely to apply in most education establishments, but it is possible.
- Child abuse data. Child abuse data is personal data consisting of information about whether the data subject is or has been the subject of, or may be at risk of, child abuse. This includes physical injury (other than accidental injury) to, and physical and emotional neglect, ill-treatment and sexual abuse of, an individual aged under 18.
- Education data – processed by a court. This exemption can apply to education data (personal data in an educational record) that has been processed by a court. The exemption applies if the education data is supplied in a report or evidence given to the court in the course of proceedings, and those proceedings are subject to certain specific statutory rules that allow the education data to be withheld from the individual it relates to.
- Education data – serious harm. This exemption applies to the extent that complying with the right of access would be likely to cause serious harm to the physical or mental health of any individual. The key phrase here is “any individual”. So if you think there is a risk of harm to “any individual” in releasing certain data, this data becomes exempt. That could be a risk to the requester themselves, to anyone else mentioned (or not) in the data, or to any other individual linked to the data.
- Confidential references. This exemption applies to personal data consisting of a reference given (or to be given) in confidence for the purposes of the education, training, or employment of the data subject; the placement of the data subject as a volunteer; the appointment of the data subject to any office; or the provision by the data subject of any service. This also applies to the “prospective” enactment of any of these options.
- Exam scripts and exam marks. Personal data consisting of information recorded by candidates during an exam is also exempt, as well as data consisting of marks or other information processed for the purposes of determining the results of an exam or in consequence of the determination of the results of the exam. There is more detail to this within the DPA 2018 which also explains time limits for providing certain types of data relating to exams so, if exam data is included in a request, we recommend reading that (link below) or speaking to us directly.
So any data that falls under one of those exemptions would be redacted and not included. You should always record which exemptions you are relying on for each item of data and why. You should also explain to the data subject which exemptions you have applied and why. However, it may be that giving that information prejudices the use of the exemption, so there are some instances where you may have to tell the data subject that you can’t tell them exactly what has been redacted, why, or under which exemption. You also have to be able to defend your decision if they challenge it and/or complain to the ICO.
Remember, our role is to help you apply the legislation correctly and we will provide you with advice and guidance as to how to do that. Please ask!
Are there any conditions under which we can legitimately extend the deadline for a Subject Access Request?
Answered November ’21.
The short answer is that yes, you can. You can extend the time to respond by a further two months, giving you a total of three months to respond to the request. There are a number of conditions for this, but the one that is most likely to be relevant for you is if the request is “complex”.
You should calculate the extension as three months from the original start date, i.e. the day you receive the request, fee or other requested information.
If you decide that it is necessary to extend the time limit by two months, you must let the individual know within one month of receiving their request and explain why. It is important to note that you don’t have to ask them if you can extend it, the decision is yours to make as the data controller. However, an open dialogue with the data subject about this will help the process go smoothly and hopefully keep the situation from ending in animosity or a formal complaint. It also may be appropriate to provide some of the data by the initial deadline with the more complex data to come later.
Here is further information about complex requests taken from the ICO guidance –
When can we refuse to comply with a request? | ICO
When is a request complex?
Whether a request is complex depends upon the specific circumstances of each case. What may be complex for one controller may not be for another – the size and resources of an organisation are likely to be relevant factors. Therefore, you need to take into account your specific circumstances and the particular request when determining whether the request is complex.
The following are examples of factors that may, in some circumstances, add to the complexity of a request. However, you need to be able to demonstrate why the request is complex in the particular circumstances.
- Applying an exemption that involves large volumes of particularly sensitive information.
- Clarifying potential confidentiality issues around the disclosure of sensitive medical information to an authorised third party.
- Searching large volumes of unstructured manual records (only applicable to public authorities).
It is important to be realistic in your judgement of the request as ‘complex’. Just because a request involves a large quantity of data, that doesn’t mean it is necessarily ‘complex’ and justifies an extension. Remember, if in doubt, come and speak to us as your DPO and we can advise.
If a SAR asks for emails, do we have to provide every email that an individual's name appears in?
Answered September ’21.
This is a common misconception and the answer, in short, is ‘no’! A subject access request is about data subjects exercising their right of access. The right of access does involve producing a copy of the individual’s personal data but that doesn’t mean giving them copies of their name every time it appears in your data systems for example. To explain:
You don’t necessarily have to print out or electronically provide every single email that an individual’s name has appeared in. It is only emails that are ABOUT them, which isn’t necessarily the same thing. Here is the ICO’s guidance about emails – How do we find and retrieve the relevant information? | ICO
A couple of key points –
- It can sometimes be difficult to determine whether an email contains an individual’s personal data. This depends on the contents of the email, the context of the information it contains, and what it is being used for. Ultimately it is for you as the data controller to determine whether any of the information in the email is the individual’s personal data.
- The right of access only applies to the individual’s personal data contained in the email. This means you may need to disclose some or all of the email to comply with the SAR.
- Just because the individual receives the email does not mean that the whole content of the email is their personal data. Again, the context of the information and what it is being used for is key to deciding this. However, their name and e-mail address are their personal data and you should disclose this information to them.
The ICO includes this example in their guidance:
So, if you search your email system and find thousands of emails with the individual’s name/email address in, you could separate them out into three categories:
- Emails that they have sent – in theory, they could simply have these as they are, as they would have written them in the first place. You may, however, decide to redact if the information they sent in those emails is now information you don’t think they should have access to for whatever reason. Or you could just say that you have x number of emails written by them in your system and can provide them if requested. They may not really be interested in these but more in the emails ABOUT them.
- Emails in which they are a recipient – if they are a recipient of thousands of emails but are not actually the subject of the email’s content (i.e. the emails are sent out to all staff/pupils or to groups of staff/pupils), you wouldn’t have to hand these all over. Much like in the example above, you could simply identify the number of them and say, we hold x thousand emails with your name as the recipient but which aren’t about you. You then don’t have to go through all of those.
- Emails in which they are actually the subject of the email. These are the emails which are actually ABOUT them and should be a much smaller subset of the emails. They should be provided with copies of these, with any redactions applied as appropriate.
Doing it this way should speed up the process and reduce the need to go through every email as well as the need to provide copies of every single email.
Remember, if in doubt, speak to your DPO and they can advise.
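The three-way split described above can be done as a first pass by script before anyone reads the messages. The following is an added example, not code from SchoolPro or the ICO; it assumes a mailbox export already reduced to sender, recipients, subject and body, and treats an email as “about” the requester only when their full name appears in the subject or body. That is a bucketing heuristic to produce the “we hold x emails sent by you / addressed to you but not about you” counts; deciding what is actually the individual’s personal data, and what to redact, remains the controller’s judgement on the much smaller “about” bucket.

```python
"""First-pass SAR email triage (added example, not from the original page).

Buckets a mailbox export into the categories described in the guidance:
  sent_by        - written by the requester
  about          - requester named in subject or body (the bucket to review)
  recipient_only - requester is merely an addressee (bulk/all-staff mail)
  unrelated      - search hit that involves the requester in no way
"""
from dataclasses import dataclass, field
import re


@dataclass
class Email:
    sender: str
    recipients: list[str]
    subject: str
    body: str


@dataclass
class Triage:
    sent_by: list[Email] = field(default_factory=list)
    about: list[Email] = field(default_factory=list)
    recipient_only: list[Email] = field(default_factory=list)
    unrelated: list[Email] = field(default_factory=list)


def mentions(text: str, name: str) -> bool:
    """Whole-word, case-insensitive match so a name does not match inside another word."""
    return re.search(r"\b" + re.escape(name) + r"\b", text, re.IGNORECASE) is not None


def triage(emails: list[Email], address: str, name: str) -> Triage:
    """Assign each email to exactly one bucket, checked in priority order."""
    result = Triage()
    address = address.lower()
    for e in emails:
        if e.sender.lower() == address:
            result.sent_by.append(e)
        elif mentions(e.subject, name) or mentions(e.body, name):
            result.about.append(e)          # the only bucket that needs reading
        elif address in (r.lower() for r in e.recipients):
            result.recipient_only.append(e)  # addressed to them, not about them
        else:
            result.unrelated.append(e)       # false positive from the search
    return result


def summary(t: Triage) -> dict[str, int]:
    """Counts suitable for telling the requester what is held in each category."""
    return {
        "sent_by": len(t.sent_by),
        "about": len(t.about),
        "recipient_only": len(t.recipient_only),
        "unrelated": len(t.unrelated),
    }


# Constructed sample mailbox; names and addresses are placeholders, not real data.
REQUESTER = ("jo.bloggs@example.invalid", "Jo Bloggs")
SAMPLE = [
    Email("jo.bloggs@example.invalid", ["head@example.invalid"],
          "Leave request", "Could I take Friday off?"),
    Email("head@example.invalid", ["jo.bloggs@example.invalid", "a.n.other@example.invalid"],
          "Term dates", "Reminder that term ends on 20 July."),
    Email("tutor@example.invalid", ["head@example.invalid"],
          "Concern", "I'd like to discuss Jo Bloggs's attendance this term."),
    Email("admin@example.invalid", ["jo.bloggs@example.invalid"],
          "Car park", "Please display permits on the dashboard."),
    Email("admin@example.invalid", ["a.n.other@example.invalid"],
          "Jobs board", "New vacancies posted in the staff room."),
]

if __name__ == "__main__":
    print(summary(triage(SAMPLE, *REQUESTER)))
```

Running the script on the constructed sample leaves a single email in the “about” bucket to be reviewed and redacted, with the rest reported to the requester as counts.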
Do we have to provide original (or copies of original) documents to a data subject as part of a subject access request or could we summarise data in a new document for the request?
Answered October ’23.
The short answer is that no, you do not have to provide original (or even direct copies of original) documents as part of a subject access request.
Under the UK GDPR, an individual is entitled to their personal data only. That doesn’t necessarily include all documents that their name or staff/student code appear on (many will not be their personal data) and it is also not the case that the school has to produce original documents that contain their personal data. The ICO’s guidance states “The right of access enables individuals to obtain their personal data rather than giving them a right to see copies of documents containing their personal data” – How should we supply information to the requester? | ICO
This does mean that, where appropriate, you could retrieve data from a system and copy it into a summary document in order to provide it to the data subject. That said, it is often still appropriate to give copies of original documents (with relevant redactions applied) to a data subject, but it isn’t essential.
Should teacher names be disclosed in information contained in a SAR by a parent or pupil?
Answered December ’20.
Regarding redacting teacher names for the SAR, the overall guidance regarding the Right of Access, which covers subject access rights, is as follows:
The specific area relevant in this case is the guidance on Education Data:
In this guidance, it states, for example: “Parents can only submit a SAR for information about their child if the child is not competent to act on their own behalf or has given their consent.” This then links to further guidance (How do we recognise a subject access request (SAR)? | ICO) which clarifies how to make the decision around competency.
The guidance also states “if an educational record contains personal data relating to someone other than the requester (such as a family member), you must consider the rules about third-party data before disclosing it to the requester. However, you should not normally withhold information that identifies a teacher.”
On a side note, you also shouldn’t provide information that has been “supplied in a report or given as evidence to the court in the case of proceedings” or if “certain specific statutory rules apply to those [court] proceedings that allow the withholding of the data from the individual it relates to.” And you also shouldn’t provide information if you feel that disclosure could cause serious harm (“cause serious harm to the physical or mental health of any individual”).
The final piece of guidance which is of use in this case is this:
In here, it states the following about an education worker: “it is reasonable to disclose information about them without their consent, as long as the disclosure meets the appropriate ‘test’.”
The test being the following in the case of most of the education establishments we work with:
“For education workers, it meets the ‘education data test’ if the other individual is a teacher or other employee at a voluntary aided, foundation or foundation special school, an Academy school, an alternate provision Academy, an independent school or a non-maintained special school in England or Wales, and the information relates to, or was supplied by, the other individual in their capacity as an employee of an education authority.”
So it is unlikely that teacher names would be redacted from a SAR about a student except in exceptional circumstances.
We are concerned that data released in a SAR, and containing teacher names, could be published online. What can we do? Can we instruct the data subject not to publish online?
Answered January ’21.
We have discussed this particular issue with the ICO. They have stated:
“Data protection law gives a right to individuals to access their own data, so the school cannot put additional conditions on releasing the person’s own data. If the school is concerned about harm to third parties due to that being released then that may be grounds to withhold it.”
As a school then, you cannot tell the data subject what they can or can’t do with the data. If you are concerned about harm then you should redact teacher names. The ICO go on to say:
“The school needs to assess if it is reasonable to supply third party [i.e. teacher] data, taking into account that there is a presumption of reasonableness for teachers. They can ask the individual about their intentions with the data in order to make that assessment, and in some cases it is relevant to ask the third party for consent.”
Your options then are to speak to the data subject about their intentions and, if you feel there is a risk, redact the names further. It might be that this redaction isn’t needed on all documents as there are only some you would be concerned about being published. Will certain documents be detrimental to the teacher if they are posted with their name included? If so, redact those specifically.
Please contact us if you do have further questions at DPO@schoolpro.uk.
SchoolPro TLC Ltd (2022)
SchoolPro TLC is not responsible for the content of external websites.