In a world crammed with data and where the acronym “GDPR” (short for General Data Protection Regulation, an EU Directive) has hit the national headlines, we've seen a marked increase in calls for assistance from schools and colleges for dealing effectively with data subject access requests (“DSARs”).
DSARs can be made under the GDPR or under the Data Protection Act 2018.
What is a DSAR?
It is a request made by an individual for a copy of their personal data. The right of access to personal data also gives the individual the right to certain other supplementary information, for instance, to know the reason the data is processed.
Personal data is information which relates to an identified or identifiable living person. This could be, but is not limited to, a name, address, telephone number, date of birth or another identifier, such as an IP address. It could include CCTV and photographic images.
An individual making a DSAR is usually not entitled to anyone else’s personal data, just their own, unless consent has been obtained.
However, you do not need to obtain consent from senior decision makers to provide copies of their personal data. Senior decision makers will be senior staff members with managerial responsibility, or staff members in roles which involve decision making for which they have accountability.
Who can make one?
In the context of schools and colleges, most requests are likely to come from staff members, parents or pupils – past or present. Sometimes requests are made by governors or by people who are connected to an activity run on school or college grounds.
If the school or college is the data controller for the information sought, it is its responsibility to deal with the request.
Can children access their personal data?
Yes. Children have the same right of access to their personal data as adults. They may allow a parent to exercise their rights on their behalf and, in the case of young children, it is likely that their rights will be exercised by those who have parental responsibility for them. The regulator’s (Information Commissioner’s Office, or ICO) guidance is that before responding to a DSAR from a child you must consider whether the child is mature enough to understand their rights. We recommend that a note is kept of the decision-making process, in case any complaint is later made to the ICO.
You should use clear and plain language when responding to any DSAR, but this is particularly important when disclosing information to a child. There is more information about requests made by children on the ICO website.
Is it our responsibility to respond to a DSAR?
If the school or college is the data controller it must respond to a DSAR. A data controller exercises overall control over what to process and why.
How long do we have to respond to a DSAR?
You must deal with a DSAR without undue delay and at the latest within one month from the date you receive it. You can extend the time to respond by a further two months if the request is complex or a number of requests have been received from the same individual – but you should take advice before relying on this.
Don’t waste time. A month goes by quickly, and it takes much longer to pull together all the potentially relevant pieces of data than people often think. Sadly, these don’t usually sit in one place: it is usual to have to search through multiple electronic and paper sources (personal data may be held in automated or manual filing systems).
Even identifying what those sources are can pose challenges. A great deal of data may be returned. Unless it is possible for the DSAR to be refined, that paper and electronic data will then need to be reviewed, analysed, considered for exemption, potentially redacted and then provided to the data subject within a month.
Can we ask the individual to specify exactly what they are looking for?
If you process a lot of information about an individual, you can ask them to clarify their request, but you should only ask for what you reasonably need to find the personal data they are seeking.
If you do ask for clarification, it's sensible to give a description of the amount and classes of data that you hold. This is so you can (if necessary) later show this correspondence to the ICO.
But the individual is not obliged to provide further details to you and, if they refuse, you still need to carry out reasonable searches.
Do requests have to explicitly say they are a DSAR?
No. DSARs rarely arrive with a stamp marked “this is a DSAR”. There are no formal requirements. It doesn’t even need to be in writing and can be made verbally. If it’s a request for personal data (see definition above), it’s a DSAR, and time starts ticking. You should train staff to spot DSARs, and appoint someone to deal with them.
Can we charge a fee?
Do we need to verify the identity of the data subject?
Only if you have reasonable doubts about their identity. Be proportionate and let the individual know as soon as possible.
Do we need to be worried about receiving a DSAR?
DSARs are rarely made in isolation. They are usually made in connection with an actual or anticipated disagreement or dispute. Always consider the bigger picture.
- Be careful when creating new internal documents (like emails or text messages) discussing the DSAR or the data subject after a DSAR is received. They might fall within the request or otherwise be disclosable in the context of a dispute, unless specific legal exemptions apply.
- You may be able to refuse to deal with a DSAR if it can be shown to be manifestly unfounded or excessive, taking into account whether it is a repetitive request – but you must be able to justify your decision (so keep a good note and be prepared to disclose it to the ICO if a complaint is made).
- It can be a good idea to take advice from a specialist about how to respond effectively, apply any available exemptions or help with the strategy for dealing with the request, particularly if there is a connected legal claim (actual or anticipated).