The Information Commissioner’s Office (ICO) has recently published new guidance on how businesses and employers (including schools, colleges and MATs) should handle Subject Access Requests (SARs).
Alongside this, the ICO also released a blog post that highlights many organisations are either misunderstanding the nature of SARs, or underestimating the importance of responding to requests:
“It’s important not to get caught out.” - New SARs guidance for employers issued
ICO publishes new guide on responding to subject access requests. Employers risk fine or reprimand
This seems like an opportune time to re-emphasise some of the key points around SARs and some of the important lessons for education establishments taken from the blog post itself.
A Reminder About Subject Access Requests
Firstly, a quick refresher on SARs:
- Definition of SARs:
SARs are requests by individuals to see their personal data held by organisations. This includes the sources of their information, the purposes it’s used for, and the entities with whom it’s shared. - SARs and Employment:
Individuals can request information from their current or previous employers, such as attendance and sickness records, or HR details. In an education setting, of course, requests may also come in from pupils/students, parents, governors and anyone who believes you may be processing their personal data. - Time Limit for SARs:
Organisations must respond to a SAR within a month of receipt of the request. This can be extended by up to two additional months for complex requests. There are also a few other factors that can affect the timeline depending on the context of the request. - Consequences of Non-compliance:
Failure to comply with SARs is illegal. Organisations risk fines or reprimands if they fail to respond promptly to these requests. Whilst it is unlikely (though not impossible) that an education establishment would receive a fine, they certainly could receive a reprimand. And the ICO now publishes these publicly! - Subject Access Complaints:
There were 15,848 complaints related to SARs reported to the ICO from April 2022 to March 2023. This figure includes all organisations, not just education establishments! - Recent Actions by the ICO:
The ICO reprimanded Plymouth City Council and Norfolk County Council for failing to respond to information access requests, and took action against seven other organisations who didn’t comply with SARs.
How Can You Not Get ‘Caught Out’ by SARs?
So, taking into consideration the points made by the ICO in their blog post, how can you ensure that you don’t get caught out by SARs?
- Remember that You Have a Responsibility to Respond:
Education establishments, like all other organisations handling personal data, must comply with SARs. You must provide students, parents, or employees with the requested personal data within the stipulated time frame.
(There are a few exceptions to this which you can discuss with us as your DPO when a request comes in.) - Emphasise Training and Awareness for All Staff:
It is necessary for you to train staff to recognise and correctly handle SARs if that hasn’t already been done. A SAR could be made to any member of staff in your organisation. Requests can be informal and even made via social media, so it’s important that all potential points of contact are prepared and know what the process is if they receive a request.
– Who do they report it to?
– Do they understand the importance of this and timeframes involved? - Maintain Effective Data Management:
Given the potential complexity of these requests, you should ensure you have effective data management systems in place. This will help you quickly locate and securely share the requested data. - Consider Email and Other Communication Channels:
Email is a communication tool and not a storage system. That said, many education establishments retain tens of thousands of emails dating back several years in their systems and many of these emails will almost definitely contain personal data. Consider streamlining email and other communication tools, enforce reasonable retention periods, and ensure that data that is required to be retained is copied into relevant data systems. - Promote Transparency:
Education establishments, like other organisations, should promote a culture of transparency about the use of personal data. This can help build trust with students, parents, and employees. It may also reduce the need for individuals to submit SARs in the first place. - Understand the Possible Legal Consequences:
You should be aware of the legal implications of not complying with SARs. As discussed above, this could include a public reprimand from the ICO.
Overall, it is crucial to be prepared to handle SARs in accordance with the updated guidance from the ICO, respecting the data rights of students and staff, and promoting transparency and trust within your community.
And to assist, we also have our SAR checklist to help through the process:
If you have any other questions about this or any other data protection topic, please contact us at DPO@schoolpro.uk.
Stay safe and healthy,
The SchoolPro TLC Team
SchoolPro TLC Ltd (2024)
SchoolPro TLC guidance does not constitute legal advice.
SchoolPro TLC is not responsible for the content of external websites.