Subject Access Requests under the GDPR – how are you coping in the education sector?
Changes introduced by the GDPR and the Data Protection Act 2018 have increased the time pressure on schools and academies that have to respond to Subject Access Requests (“SARs”). Under the old regime, organisations had 40 days in which to respond, and could charge a fee of £10. Now, the response must be provided within a month, and fees can only be charged in exceptional situations.
So what can you do to make your life easier? There are some possibilities under the new legislation.
Can the time limit be extended?
Where the SAR is a complex request, or a multiple request, you may be able to extend your time for responding by up to two further months. You have to inform the individual, within one month of the receipt of the SAR, of the time extension and the reasons why the extension is necessary. This option should not be used as a matter of course, but only in exceptional situations. Bear in mind that the individual may choose to complain to the Information Commissioner about the extension – which could involve you in more wasted time and costs.
Can a charge be made?
If you can demonstrate that the SAR is “manifestly unfounded or excessive” then you can decline to comply with the SAR altogether, or to agree to comply only if the individual pays a reasonable fee that reflects your administrative costs in responding to the SAR. Again, this option should be used sparingly.
Is an exemption available?
There is some information that you are not required to provide in response to an SAR, including:
- certain communications with your solicitors
- confidential references
- exam scripts
- personal data relating to third parties
- child abuse data, in certain circumstances.
Managing personal data
You can make your life easier by taking some simple steps when managing personal data within your school or academy. These include:
- thinking carefully before you create data – for example, could you pick up the phone rather than sending an email? Could you anonymise the data?
- only disseminating personal data to those who need to have it
- being strict about where personal data is stored, so that you know where to go to when answering the SAR
- applying your data destruction policies rigorously, so that you do not hold more personal data than is necessary.
Lupton Fawcett offers a half-day training course “Subject Access Requests under the GDPR – making your life easier” that deals with these issues in more detail. For further information contact Louise Connacher on 0113 280 2108 or email@example.com
If you would like to receive this blog and other topical articles direct to your mailbox, please click on the link below.
Please note this information is provided by way of example and may not be complete and is certainly not intended to constitute legal advice. You should take bespoke advice for your circumstances.