In October the ICO finally issued updated guidance on Subject Access Requests following a period of extensive consultation. We know how busy Schools People are right now so the DPO has trawled through the Right of Access to bring you what you need to know.
The individual has a right to access their personal information
You cannot restrict that right by placing conditions on applying for or providing the information. Subject Access Requests are purpose neutral; a person does not need a reason to ask for their data and any reason given for the request does not matter.
You need to ensure you comply with the Equality Act 2010 and provide the information in an accessible and secure way.
Apply the “Scout” Principle – Be Prepared
You cannot impose a process on the submission of a Subject Access Request. Train your staff to recognise a SAR and to treat all data requests as potential SARs until proved otherwise. It does not matter if the request is verbal, on social media, in a letter or email, or by carrier pigeon. They all count.
Ensure you have an internal document in place for capturing verbal SARs. It will assist the recipient to gather the relevant information and the prompts can help the requester to focus the scope and timeframe of the SAR.
Appoint a member of staff to receive and oversee the fulfilment of SARs; better still, get your DPO in on the action.
Ensure staff know who to forward any SAR request to.
Know where your data is held and how to access it. The key to the fast and effective retrieval of data is your Record of Processing Activity (ROPA). The ROPA is a requirement under the GDPR and provides a comprehensive picture of where categories of personal data are held within the organisation’s documents and systems. Make sure it is up to date and use it.
Have policies and processes in place for the fulfilment of SARs, including how you will calculate any fees charged (where lawfully permitted). That way you can avoid accusations of prejudice when applying them to a SAR that the organisation considers manifestly unfounded or excessive.
Exceptions to the Rule?
You do not have to comply with a SAR if it is manifestly unfounded or excessive. For example, if someone offers to withdraw a SAR in exchange for compensation, or it is clearly just an attempt to disrupt business.
GDPR is for living individuals. If you receive a SAR for a deceased person, or you become aware a requester has died following submission of a SAR, you do not need to proceed with fulfilment.
Other exemptions apply to certain types of data. Check with your DPO to ensure you are not releasing data unnecessarily.
When is a Month not a Month?
A valid SAR should be fulfilled within one calendar month from receipt. However, the calculation of the calendar month can be a little complicated.
A SAR is valid only when the organisation is confident about the identity of the requester and their entitlement to the data requested. If necessary ask for ID or any further information and clarification as soon as possible. Waiting for ID or further information pauses the clock; however, you cannot delay requesting the information as a means of extending the timeframe further.
If the SAR is unusually complicated you can take a further two months. You should not use this extension as a blanket response just because a requester requires a lot of information. ‘Complicated’ may include redacting other people’s information from numerous documents or seeking permission(s) to release that information. You must tell the requester as soon as possible if and why this extension is being applied, and record it in the SAR log.
If you legitimately cannot keep to the required time limit, record the reasons in the SAR log. The ICO will be understanding in exceptional situations, such as limited resources owing to the Covid-19 pandemic.
On the Record
Record all actions and decisions relating to the fulfilment of the SAR including:
- requesting confirmation of ID
- confirming third-party consent
- deciding you do not have enough information to verify the identity of the requester and/or their entitlement to the data, and they have not responded to requests for clarification
In the event of a complaint, these records will demonstrate the steps you took and the decisions you made to the ICO.
If you cannot verify the identity of the requester or their entitlement to the data, you can ask for ID. Don’t keep a copy; just note in your log what documents were provided and the details of the staff member who checked the documentation.
Check the authority of third parties. If a requester is making a SAR on behalf of a data subject, third-party consent should accompany the SAR. This applies if a parent or carer submits a SAR on behalf of a student aged 13 or over and the student is deemed competent to submit the SAR themselves.
- Be fair
- Be compliant
- Keep the data secure.
- Keep a log of actions and decisions.
If you would like to know more about The Schools People: DPO Service and what we can offer your organisation please get in touch.