Subject Access Requests in Schools

The General Data Protection Regulation (GDPR) forms part of the data protection regime in a number of European countries through their national statute. In the UK, this is reflected in the revised 2018 Data Protection Act (DPA 2018). What we are also seeing is data protection law changing on a global scale outside of Europe. Initiated in part by the GDPR in the EU, certain countries across the world have adapted, changed or brought in new legislation to align their data protection requirements with those of the EU. From Nigeria, with their in-draft ‘Data Protection Guidelines 2018,’ to the U.S. and California State law changing on the 1st January 2020, with the introduction of the ‘California Consumer Privacy Act of 2018’ (CCPA).

The GDPR (EU) 2016/679 mandates how data protection and privacy for all individuals within the EU and the European Economic Area (EEA) is regulated. It also addresses how those processing personal and special category data need to ensure they have given due consideration to this processing outside the EU and EEA areas. In an age where technology is constantly evolving, the GDPR’s drive is to simplify the regulatory environment by unifying the regulation within the EU, and through this,  give back control to the individual over their personal data.

The GDPR has 6 leading principles, in addition to the ‘accountability principle’ - sometimes referred to as the 7th principle. These principles, Article 5 of the GDPR, have been streamlined from the 8 principles of its predecessor, the Data Protection Directive 95. The principles dictate that data controllers and data processors need to ensure personal data shall be:

• Processed lawfully, fairly and in a transparent manner.
• Collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
• Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
• Accurate and, where necessary, kept up to date.
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
• Processed in a manner that ensures appropriate security of the personal data.

As data subjects, we all have the right to find out if an organisation is using or storing personal data. This is referred to as our ‘right of access.’ Regardless of who we are, where we live, what nationality we hold or how old we are, we can exercise this right by making a ‘subject access request’.

Our recent webinar on “Subject Access Requests in Schools: Tell Me Everything!” provides some practical insights into how to meet the demands of information rights requests.  Our aim, was to reassure those faced with responding to SAR’s that, even though there are no ‘one size fits all’ responses, there are some commonalities that all DPO / Data Protection Leads can rely on to make the process less daunting. Some of the key themes that emerged from questions asked during and after the webinar were:

• How to manage SAR’s during the school holidays.
• How to approach the sensitivity of children’s data.
• How to manage those larger requests within the 30-days / one month.

As a Data Protection Consultant at 9ine, it was important to emphasise on the webinar that the specified 30-days response for SARs are a maximum and should not be abused. As best practice, working to a 28-day deadline will always ensure you are within the regulatory limits, unless you have agreed an extension with the requestor.

With this in mind, it is important that you have in place a process to ensure you are able to identify and action a request for information as quickly as possible. Have clear guidance for staff to confidently differentiate between business as usual and a SAR, remember that time is of the essence and a precious commodity (this is explored in our webinar). 9ine’s DPO Essential services offers concise guidance and supporting templates to log, acknowledge and respond to SAR’s.

Data protection compliance revolves around the ability to develop, establish and evidence a culture of data protection principles and accountability. With this in mind, as data controllers, we all need to ensure we have clearly mapped processes for identifying, recovering, reviewing and providing information requested within the remits and imposed limitations of the GDPR.

If a request is received whilst the Data Protection Officer (DPO) / Data Protection Lead (DPL) is on holiday, or the school has closed for the holidays, you still have an obligation to respond. To ensure this, you will have to implement processes that can continue to support you and make certain that the data subjects’ rights are met throughout the year. This may, for example, be a postal or email redirect.

When looking at the more sensitive requests involving vulnerable date subjects, such as children, it is imperative that data controllers have a clear understanding of the associated complexity. For example, consider the age and maturity of the child. Under the GDPR, as detailed in Article 8, the age when a child is required or able to give their consent for the processing of their own personal data is 16. Although, member states are allowed to allocate their own age of consent, provided that this does not fall below the age of 13, which is the UK’s age of consent. This is important as it will need to be considered when a request for information comes directly from the data subject, ‘the child,’ or their legal guardian. You may need to seek consent from the child to release information to their parent(s) or legal guardian(s). Don’t forget to also consider the associated mapped processing conditions, as this will also influence your approach.

Always remember, the GDPR aims to give back control to individuals over their personal data. It is their data you are processing. As you engage with data subjects you become the data custodian, and as such, you have to ensure you are open, transparent and fair in your approach. If you cannot provide all, and or part, of the requested information, then you need to be able to justify this in a clear and unambiguous manner.

For information on 9ine's support with SARs, breach management and data protection services: