Subject Access Requests should we be scared?

The current data protection regime in Europe is the most rigorous in the world. Individuals have been granted greater control over their personal information than ever before. As expected, data subjects are now exercising their rights following awareness campaigns by the Information Commissioner's Office (ICO).

Arguably, the greatest challenge for schools stems from the right to access data, commonly referred to as subject access requests (SAR). The ICO recently revealed that over 50% of the complaints which they receive regarding schools are in relation to SARs. These complaints can be based on ignored requests, missed deadlines, inappropriate redaction etc.

At a time when school budgets are increasingly stretched, the sheer amount of time which a flurry of SARs can take to fulfil is burdensome to the extreme. The primary business of schools is education, and rightly so this should be prioritised.

That said, conflicting demands are being made on already drained resources. The General Data Protection Regulation makes no allowances for schools, they are held to the same stringent legislation as multinational conglomerates.

Personal data is often held within a multitude of systems, this in itself is not an issue, it’s very rare for any organisation to have only 1 or 2 systems which use personal data.

An unintended consequence of the ICO’s awareness campaign has seen the weaponisation of SARs ...’

The issue comes from the ability of the school to be able to service the right of access within a timely manner. Can you be sure that if your school were to receive an SAR tomorrow morning that it could be fulfilled according to all the demands of the regulation?

SARs must be responded to within one month of receipt, irrespective of workload, OFSTED visits, parents  evening, sports days, school holidays and even that vitally important staff bowling night out.

The result is vast amounts of personal data held in a system from which there is no real adequate or efficient way of retrieval when considering SARs.  We have seen school’s faced with over 5,000 emails containing the personal data of a requester.

A sage piece of advice would be to only document opinions and thoughts  which you wouldn’t mind being exposed to the person in question.  Bob Hoskins old BT advert ‘It’s good to talk’ rings true over 20 years later!

Due to increased public awareness, I expect to see a rise in SARs to schools. An unintended consequence of the ICO’s awareness campaign has seen the weaponisation of SARs in order for disgruntled staff, pupils or parents to cause disruption.

A word of warning, always refer to your data retention schedule so you can be sure if personal data can be destroyed. If you don’t need to retain personal data this should be securely destroyed. If you don’t hold personal data then you cannot provide it in a SAR, this is by far the best scenario.