Subject access requests are relatively old news as far as data protection is concerned. Individuals have been able to get their hands on their own information for more than 30 years.
But with the General Data Protection Regulation (GDPR) comes enhanced rights, about which schools need to be aware.
Subject access: what’s changed since the Data Protection Act?
Giving more power to individuals over their data is one of the mainstays of the new regulations. Whereas previously an individual could just ask to see or have amends made to data, a lot more options are now available.
“There are additional data subject rights under GDPR,” says Mark Taylor, a partner at law firm Osborne Clarke. “This includes the ability to object to processing and to have data deleted.
GDPR now lists eight individual rights that are closely linked to the types of request schools could receive.
Under the Data Protection Act (DPA), organisations were entitled to charge £10 to those wanting to access their data. This has now been scrapped, although, perhaps to deter nuisance requesters, the Information Commissioner’s Office (ICO) has said “you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive”.
Respond to requests within one month
GDPR has put a one-month response limit on all subject access requests, meaning you need to keep a watchful eye on your inbox. The regulations actually state that the response should be dealt with "without delay", but a calendar month is the maximum.
You’re entitled to ask for up to an additional two months if requests are “complex or numerous”. If that’s the case, the individual making the request needs to be told, and this initial response still needs to happen within a one-month period.
“The response is key,” says Jonathan Harrex, DPO and information security specialist at thinkdpo.com. “If there’s a breakdown in communication, that’s when people start complaining. So you need to respond to someone and say you’re dealing with it.”
What kind of requests can schools expect to receive?
There’s a chance your school could have previously received a subject access request under the DPA. But under GDPR, the type of request a school could now receive has the potential to be a little more complex.
“Under the DPA, it was just a subject access request,” says Harrex. “All you could then say was ‘I want my data corrected’. You couldn’t object to the processing and you could ask for it to stop or for it to be deleted."
Subject access requests schools are most likely to receive:
Request for access: an individual asks to see all of the data you hold on them.
Request for rectification: an individual asks you to amend any inaccuracies in the data you hold on them.
Request for erasure: an individual asks for all or part of the data you hold on them to be deleted.
Request for restricted processing: an individual asks for you to stop using their data, but does not want it deleted. A restriction on processing should also be temporarily applied while you investigate an individual’s challenge to the accuracy of data, or if they object to the processing of the data.
Request for data portability: an individual asks for the data you hold on them to be given in a portable format. This should be a commonly used digital file and should be given securely. Some organisations have set up secure environments for individuals to access and retrieve their data.
Does a school always have to comply with requests?
“The exercising of rights is based on the lawful basis,” says Harrex, “because the lawful basis dictates what you can and can’t do.”
Because there may be instances in which a school’s legal right to process data trump an individual's request, it pays to know the list of lawful basis for processing.
“If you take, for example, your processing of data for pay,” says Harrex, “your rights with regards to that data are governed by anything to do with income tax regulations. You couldn’t ask for it to be erased, because its being processed under the lawful basis of legitimate interest.”
How can a school prepare for subject access requests?
From 25 May 2018, schools will be legally obliged to respond to subject requests. Failing to do so is a sure-fire way to get yourself in trouble with the ICO, so it’s important to ensure you’re ready to respond.
Recognise a request
“Make sure everybody is trained to recognise a subject access request,” says Claire Williams, an information and cyber law specialist at law firm Mills and Reeve.
With the new one-month limit on responses, you can’t afford to have requests sitting in an inbox. Identifying requests and making sure they end up under the nose of the right person is key.
“Schools will generally have an approach where they say ‘if you want to access your data, please contact X’, but of course not everyone does. So you need your staff to be able to recognise when they receive a request,” says Williams.
Responding to a request
Once you’ve received and registered a subject request, you need to have a smooth process to make responding as easy as possible.
“Schools should make the process simple and not reliant on one particular person in the organisation,” says Harrex. “It shouldn’t be bogged down by convoluted processes, and if someone makes a request, whether it be over the telephone, by letter or by email, they should all go to the same place: they don’t get scattered to all four corners of the organisation.”
It’s worth performing a couple of mock subject requests as a way of identifying any issues in the response process. Look at potential requests from pupils and staff, and work through each step of the process.
“If somebody asked us for their personal data, where and how would we look?” asks Williams. “Are there any roadblocks that would mean we can’t access things? Do we have adequate search functions over our electronic storage, or would it be incredibly difficult to find anything?”
Keeping data to a minimum
By reducing the amount of data you ask for and the length of time you keep that data on record, you automatically make handling any requests a lot easier. Trawling through years’ of files and emails looking for personal data is not a good use of staff hours and if you can keep it to a minimum, everyone will thank you for it. There are no specific rules on the length of time you should keep data, but the consensus seems to be the shorter, the better.
“If you are required for any reason to keep data, due to legislation, then you’re stuck with that,” says Williams, “but you should still consider the extent of the data you are required to hold.
“A lot of people hold extra stuff just in case, but that’s not a good use of resources in terms of data-storage cost. It’s also going to cause you problems if you have to go through it all for a subject access request. So if you don’t have to store data, there’s a lot of value in deleting it.”
Will schools be inundated with requests?
As we mentioned earlier, subject access requests have been around for a long time. But with people becoming more savvy about the use of their personal data, is it more likely that individuals will exercise their new-found rights?
“Subject access requests are now easier to do in the sense that there’s a shorter time period and no statutory fee, so we do expect to see more subject access requests,” says Taylor.
“People are becoming more aware of their data rights,” adds Williams, “The volume of subject access requests has been rising, but that’s just a general societal phenomenon, as people realise their data has value and have become a lot more curious about what people are doing with it.”
Find out more on responding to a data breach