Handling subject access requests (SARs) may soon become an even greater headache for independent schools.
A new initiative announced in July by the Information Commissioner’s Office (ICO), with a view to safeguarding and empowering the public, is a ‘Subject access request (SAR) generator’ to help individuals identify where their personal information may be held and how to request it in ways which will assist organisations to respond effectively.
This online tool will generate a template SAR which individuals can send to an organisation, such as an independent school. At the same time, the organisation will receive information from the ICO which, it claims, will help it to respond quickly and simply to the SAR.
In September the ICO took enforcement action against seven UK organisations which failed in their duties when responding to SARs. Prior to this, the regulator had only once publicised enforcement action since the UK GDPR came into force in 2018 – which suggests it is running out of patience with organisations which are non-compliant. Alongside news of its enforcement actions, the ICO website published a blog on getting the basics right when handling SARs.
Most common complaint to ICO about schools?
Previously the ICO indicated that handling of subject access requests (SARs) by educational establishments is the most common data protection complaint received about the sector.
This prompted the regulator to publish findings from its reviews of schools back in November 2020. It identified areas for improvement, with emphasis on its expectation that schools should prepare better for handling requests.
While finding that most educational establishments included information about SARs within their mandatory internal staff data protection training, some schools did not annually refresh training, as the ICO expects.
Another criticism was that training content and other guidance available for staff did not always provide sufficient information about SARs.
What does the ICO expect independent schools' training on subject access requests to cover?
At a minimum for any staff handling personal data at schools, training content and relevant procedures should cover:
- what is a SAR,
- the fact that SARs can be made in writing, as well as verbally or via social media,
- what to do if a SAR is received,
- who is entitled to make a SAR, and
- what to do if a request for personal data is made by a third party either on behalf of the individual or for other reasons, for example a police officer.
Additional training should be given to the staff responsible for handling SARs. It should cover:
- the SAR process,
- how to apply exemptions,
- third party personal data, and
- how to redact information safely and securely.
This training should be refreshed on an annual basis.
2. Documenting consideration given by the school to a child’s capacity
Among recommendations in its report, the ICO included a reminder that the right of access to personal data about children belongs to the child.
Before responding to a SAR for information about a child, a school should consider whether the child is mature enough to understand their personal rights.
If the request is from a child, and a school is confident they can understand their rights, usually the response should be issued directly to the child.
A school may, however, allow the parent or guardian to exercise the child’s rights on their behalf if the child authorises this, or if it is evident that this is in the best interests of the child. If a child is competent, they may authorise someone else, other than a parent or guardian, to make a SAR on their behalf.
This means consideration always needs to be given to whether the child has the maturity and ability to understand their rights.
A record should be kept of any assessment made regarding the child’s capacity, any checks on parental responsibility, and whether the child has provided consent for the individual to request their personal data.
Here in Scotland, section 208 of the Data Protection Act 2018 provides that children aged 12 or over are presumed to be of sufficient age and maturity to provide their own consent unless the contrary is shown.
Later this month, the Scottish Council of Independent Schools (SCIS) is offering training on “Handling Subject Access Requests (SAR) in Independent Schools”, delivered by Navigator Law. It will cover all the mandatory requirements in the ICO guidance for staff responsible for dealing with SARs and can be booked here: Data Protection Workshop: Handling Subject Access Requests (SAR) in Independent Schools » SCIS