This is a summary taken from Judicium’s GDPR ‘Sofa Session’ from the 24th of May, with our Data Protection Consultant Patrick Ballentine. This session focused on: when and how to make redactions, exemptions to completing a SAR and how they are applied, and situations where requests can be viewed as manifestly unfounded/excessive and be refused.
Receiving a Subject Access Request (SAR)
SARs can be received in any format by any member of an organisation; therefore, it is best practice to provide guidance to all staff regarding how they need to escalate requests for data. Requests can be made by data subjects directly, or by parties with authority to act on their behalf (i.e., parents with parental responsibility for young children, or solicitors where authority has been provided.)
A SAR can be complicated. The first port of call should always be your DPO, as they can advise and support you, so you meet the requirements of complying with the request. You must comply within one calendar month.
You should also log the request once received. If you are a Data Services client, you can use our compliance tool, Jedu, to do this, which immediately notifies us of the request, the specifics, and tracks the request for you.
The first step is to acknowledge the request. This allows you to make the requestor aware the SAR was received and, if necessary, allows you to ask questions as part of your due diligence:
- ID and Entitlement Checks
  - These can be verified over email to expedite the request.
  - If unsure of identity or entitlement, you can request further information to clarify. NB: The onus is on the school to be satisfied with identity and entitlement regardless of the source.
- Consent – applies when data is not requested by the data subject, e.g. by parents.
  - AGE – there is no prescribed age in data protection legislation. However, the best estimate would be 12, but this can vary.
  - SEN – this may mean the data subject is not in a position to consent.
    - Discuss with the SENCO whether this is a relevant concern.
- Initial Search
  - If possible, using the terms supplied, conduct an initial search and estimate the volume of data involved. This will inform whether clarification is required to conduct a reasonable search.
  - If, based on the terms provided, you would be unable to conduct a reasonable search, you can request clarification of the terms.
  - It is helpful at this stage to think about your relationship with the requestor and what information they may be seeking.
  - NB: Seeking clarification stops the clock! However, if no clarification is given in response, you should conduct a reasonable search of key records (personnel/pupil/MIS, etc.). Explain this to the requestor. Your DPO should be included in all aspects of these initial conversations to ensure any argument for stopping the clock is qualified.
Manifestly Unfounded Requests
This is when the request is not being made for a legitimate reason. The ICO offer guidance on what this may be:
- The requestor has stated they intend to cause disruption.
- The request makes unsubstantiated or false accusations against the organisation or specific employees which are clearly prompted by malice.
- The person is targeting a particular employee against whom they have a personal grudge.
- The person makes a request but then offers to withdraw it in return for some sort of benefit from the organisation.
- The person systematically or frequently sends different requests to you as part of a campaign with the intention of causing disruption e.g., once a week.
NB: This is not a prescriptive list, and although an organisation may feel a request is being made out of malice or to target a specific employee, it is not always as clear cut as it seems. It is essential to refer these concerns to your DPO, as the obligation falls on the school to prove why a request might be manifestly unfounded. Your DPO can assist you in deciding whether this would be a suitable course of action.
- A requestor may make multiple different requests of an organisation in a short time period (requests for data, requests for erasure, requests for amendment, etc.). Although these requests are burdensome, as they are all distinctly different they may not be considered manifestly unfounded. The requestor is simply making use of their data rights.
- Alternatively, there have been instances where, prior to a parent making a large SAR to the school, they publicly posted on parent forums that all parents should make requests to the school as a means of causing disruption. In this case, as there was a clear indication the requests were made to cause a nuisance, the SAR was refused as manifestly unfounded.
Manifestly Excessive Requests
In a similar fashion to manifestly unfounded, manifestly excessive has no prescribed format as to how this should be identified.
Generally, it is one of the below:
- A request repeats the substance of a previously complied-with SAR and not enough time has passed to make a new request seem reasonable.
- A request requires a substantial amount of information to comply with.
  - NB: A request is not manifestly excessive simply because you hold a lot of data about an individual. The obligation falls on the organisation to ensure that its records are ordered and structured appropriately so that information, even in large quantities, can be easily recalled.
- A request is complied with but is then immediately followed by an identical request because the requestor believes information is being withheld. You should explain why this is not the case. However, if they wish to proceed with the request, you may consider treating it as manifestly excessive, as it is being made on an unsubstantiated belief which you have already attempted to clarify.
If either manifestly unfounded or excessive are routes you feel may be appropriate, it is essential to include your DPO in these discussions. They will be able to provide expertise and case studies to ensure that your argument is robust.
Managing a Subject Access Request
SAR responses should be provided in the format the requestor instructs. Where no instruction is provided, ICO guidance states that you should disclose by the method through which the request was received, i.e., if submitted by email, respond by email.
With adequate criteria, it should be clear which records to search and which can be prioritised. Subject Access Requests can cover any data you hold as a record, whether hard copy or digital.
Preparation is key to complying with any Subject Access Request!
Ongoing efforts should be made to reduce staff workload through effective record management and data minimisation. An effective retention policy can greatly reduce workload.
Data minimisation is often an issue as organisations collect or retain more data than they should.
This presents unnecessary issues when complying with a SAR, as staff have more information to sift through, some of which is duplicated, irrelevant, or should not have been retained at the time the SAR was made. Emails are a notorious problem area, so efforts should be made to limit inbox contents to a specific timeframe. Schools are generally very good at logging data (through CPOMS, MIS, etc.), so the risk of data loss is minimal.
Data should be well structured and organised so the time it takes to recall information is reduced and the risk of missing relevant information is mitigated. Your DPO can provide guidance on information governance and management tailored to suit your needs.
What we like to call ‘a heroic approach’ to SARs is when one member of staff is responsible for conducting the entire process. This is invariably met with delayed delivery – sometimes due to absence or simply because the workload is unmanageable.
Having a shared responsibility and approaching it as a team reduces overall individual workload and ensures any relevant individual who knows more about the data and how it might relate to the data subject (SENCO being a good example of this) is included in the process. This is essential when it comes to making informed decisions about why you might need to withhold specific data under an exemption.
In many SARs there will be circumstances where data either should not, or could not, be disclosed under a specific exemption. Where exemptions are used, they must be qualified. You might use the same exemption several times in a request, but in each instance will need to have a specific rationale.
Again, it is key to involve your DPO in discussions surrounding use of exemptions as they can advise and assess whether it would be suitable or relevant to your argument. The Information Commissioner’s Office (ICO) looks negatively on exemptions used inappropriately.
Specific exemptions generally exist either to protect individuals from serious harm or to prevent bias or prejudice from occurring. There are myriad exemptions available; however, only a handful will be relevant to schools in most cases:
Serious Harm Exemptions
- When disclosure would be likely to cause serious harm, material or non-material, to any individual.
- These can broadly apply to social work, education, child abuse, and health data and can differ depending on the nature of the data, how your organisation came to acquire it, or what that data’s further purpose is.
- Where any identified information could pose a likely harm to individuals, there may be an argument to not disclose all or part of the information based on safeguarding concerns.
Bias or Prejudice Exemptions
- When disclosure could bias any current, prospective, or possible processes. These are normally applied to legal advice which relates to former, current, or potential litigation when received from an organisation’s appointed legal practitioner, or when data contains information which has been created for the purpose of planning or actioning a defence to any current or prospective litigation.
- The exemption is applied when disclosure of this information would bias your legal or litigation position. In a similar fashion the negotiation exemption is applied when disclosure would bias your current or potential future negotiating position and is most commonly used when SARs are made during investigations where disclosing relevant information prematurely would bias the process and thus your ability to negotiate.
There are also other exemptions which may apply, including the exemption for confidential references. This can be applied to references for employment, training, or education. However, it is worth noting that this is not an absolute exemption, so it remains at your discretion whether or not you provide this information.
The Protection of the Rights of Others
- SARs are only for information relating to the requestor, or the party on whose behalf they are acting. As a rule, data relating to non-professional third-party identities can be excluded.
- Frequently, you will encounter data sets where the data of the requestor and other third parties appear in close proximity, so the data cannot simply be excluded. In this case we often look at editing the information to redact third-party identities and so anonymise them.
- Redactions can be done in a variety of ways:
  - For paper documents, you can take a marker and score through the relevant information to mask it. However, this is not the most effective method, as the information can normally still be read through the ink, so pages must then be scanned and reprinted.
  - It is normally more time efficient to manage the redaction process electronically, by using third-party redaction software or by simply editing the information so that third-party identities are removed.
- There may be some circumstances where redactions cannot fully anonymise the data. In these circumstances you should always refer to your DPO for guidance, as the data will need to be reviewed to establish whether it is still reasonable to disclose, weighing the benefits against the risk of sharing identifiable information.
Concluding a Subject Access Request
With all information collated and redacted, you are now able to respond to the requestor. This should be done with the data organised into relevant categories for ease of access. In this disclosure it is recommended to provide clarification on how the search was conducted and whether any information was withheld under an exemption.
There may be some further conversation about the information, but this is part of the SAR process. Requestor concerns should be addressed where possible and any dispute or complaint about the handling of the request should be referred to your DPO. They can review and mediate the situation.
Upon conclusion of the request, the relevant details should be logged in your data request register. As a separate logging activity, it is often advantageous to record any lessons learned from the request, to ensure that mistakes or issues are avoided when you next comply with a SAR.
Key Points to Take Away:
- Process Subject Access Requests in stages (Receiving, Managing, and Concluding).
- Ensure the team who handles the SAR is proportionate and relevant to the complexity and scope of the request.
- When making decisions concerning exemptions or refusals, ensure these are assessed and qualified by your DPO.
- No two requests are alike. Decisions relating to any request should be made on a case-by-case basis and informed by professional advice where appropriate.
© This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attended and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium preventing your access to our sessions and/or follow-up content.