Subject Access Requests should we be scared?

The current data protection regime in Europe is the most rigorous in the world. Individuals have been granted greater control over their personal information than ever before. As expected, data subjects are now exercising their rights following awareness campaigns by the Information Commissioner's Office (ICO).

Arguably, the greatest challenge for schools stems from the right to access data, commonly referred to as subject access requests (SAR). The ICO recently revealed that over 50% of the complaints which they receive regarding schools are in relation to SARs. These complaints can be based on ignored requests, missed deadlines, inappropriate redaction etc.

At a time when school budgets are increasingly stretched, the sheer amount of time which a flurry of SARs can take to fulfil is burdensome to the extreme. The primary business of schools is education, and rightly so this should be prioritised.

That said, conflicting demands are being made on already drained resources. The General Data Protection Regulation makes no allowances for schools, they are held to the same stringent legislation as multinational conglomerates.

Personal data is often held within a multitude of systems, this in itself is not an issue, it’s very rare for any organisation to have only 1 or 2 systems which use personal data.

An unintended consequence of the ICO’s awareness campaign has seen the weaponisation of SARs ...’

The issue comes from the ability of the school to be able to service the right of access within a timely manner. Can you be sure that if your school were to receive an SAR tomorrow morning that it could be fulfilled according to all the demands of the regulation?

SARs must be responded to within one month of receipt, irrespective of workload, OFSTED visits, parents evening, sports days, school holidays and even that vitally important staff bowling night out.

The result is vast amounts of personal data held in a system from which there is no real adequate or efficient way of retrieval when considering SARs. We have seen school’s faced with over 5,000 emails containing the personal data of a requester.

A sage piece of advice would be to only document opinions and thoughts which you wouldn’t mind being exposed to the person in question. Bob Hoskins old BT advert ‘It’s good to talk’ rings true over 20 years later!

Due to increased public awareness, I expect to see a rise in SARs to schools. An unintended consequence of the ICO’s awareness campaign has seen the weaponisation of SARs in order for disgruntled staff, pupils or parents to cause disruption.

A word of warning, always refer to your data retention schedule so you can be sure if personal data can be destroyed. If you don’t need to retain personal data this should be securely destroyed. If you don’t hold personal data then you cannot provide it in a SAR, this is by far the best scenario.

Cookie	Duration	Description
ARRAffinity		This cookie is set by websites that run on Windows Azure cloud platform. The cookie is used to affinitize a client to an instance of an Azure Web App.
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_gtag_UA_129094303_2	1 minute	This cookie is set by Google and is used to distinguish users.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.

Cookie	Duration	Description
ARRAffinitySameSite	session	No description available.
WFESessionId	session	No description available.

Journal

Journal

Subject Access Requests should we be scared?

You might also like

JOIN OUR COMMUNITY

Our Partnerships

Our Partnerships

Airthings

NPW-LGfL recognised support

Citation