How should a school or trust approach a Data Subject Access Request?

It is increasingly commonplace for schools and academy trusts to receive Data Subject Access Requests (DSARs) from parents, either for themselves or on behalf of their child. Liam Ellwood explores what a DSAR might look like, and how a school or trust should look to deal with it in the first instance.

What is the right of access?

The right of access is granted by Article 15 of the UK GDPR, and is essentially the right for individuals to obtain a copy of their personal data held by a controller. A controller is any person or body which determines the purposes and means by which the personal data is processed. Schools and academy trusts are data controllers. 

Commonly you might receive a DSAR in the form of an email or letter. However, there are no formal requirements for making a DSAR, and they can be made verbally as well as in writing. The request does not have to specify that it is a DSAR in order to be valid. Indeed, it isn’t unusual for parents to mislabel their DSAR as a Freedom of Information Request. However, if the request is for personal data, it should be dealt with as a DSAR.

What counts as personal data might be obvious in some cases, but for the avoidance of doubt, it includes any information relating to an identified or identifiable individual, i.e. information that can be attributed to that person. If the personal data wouldn’t obviously identify a person when looked at in isolation, that does not take it outside the scope of the statutory definition. The determining factor is whether the controller has information which would allow the individual to be identified.

If a parent is making the request for their own data, this might include things like records of meetings they have had with staff members, a copy of correspondence they have sent to or received from the school, or a log of any complaints that parent has raised. 

What if the parent is requesting data on behalf of their child?

More often than not, a parent’s DSAR will include any data held on the part of their child. As a starting point, the right of access to that personal data belongs to the child and not to the parent. Therefore, it would be for the child to make or authorise this request themselves. 

Though that is the starting position, it is possible for a parent to exercise this right on the child’s behalf. You should consider:

  • whether the child in question is sufficiently mature to understand their rights;
  • their ability to understand what they are asking for and what they will receive; and
  • their understanding of the consequences if they authorise someone to act on their behalf.

As a general rule of thumb, children aged 12 or over will be sufficiently mature to exercise the right for themselves. For those younger than 12, it will often be appropriate for parents to exercise the right on their behalf. That said, this is not a hard rule and each request should be assessed on a case-by-case basis. 

Is it a request for education records?

A DSAR should not be confused with a request for education records under the Education (Pupil Information) (England) Regulations 2005. Parents can request access to their child’s education records under these regulations. 

‘Education records’ have a broad definition under the regulations, and are likely to cover records of academic achievements, correspondence from teachers and the local authority, as well as information held from the pupil or their parents. 

Access to education records is a separate right to the right of access and does not extend to pupils. Crucially, however, these regulations do not apply to academies and academy trusts. So if you are an academy or a trust, and you receive a request of this nature, you would deal with it as a DSAR for all intents and purposes.

Preliminary checks

You should take reasonable and proportionate steps to satisfy yourself that the requester is who they say they are. Where you receive the request from an unknown email address, for example, it would absolutely be prudent to request some form of identification. The risk is that you could commit a data breach if you disclose personal data to somebody who is not entitled to exercise the right of access.

The timescale for responding to a DSAR does not kick in until you receive the requested information to verify the requester’s ID. That said, you are obliged to request ID documents promptly if you feel they are required.

In most cases, you will have been in dialogue with the requester, and the DSAR is a development of that communication. In such cases, you may be more relaxed that you can be assured of the requester’s identity.

Timescales

You must comply with a DSAR without undue delay and at the latest within one month. For example, if you get the request on 1 October, the response is due 1 November. If the relevant date one month away happens to fall on a weekend or a bank holiday, you have until the next working day to respond.

There may be circumstances where you can extend your response time. Under the UK GDPR, if a request is complex, or requests are numerous, then there may be scope to extend the time to comply by up to a further two months.

How to narrow the scope

If the requester has asked for ‘everything you have’ on them and/or their child, and you process a large amount of information about those individuals, you may ask the requester to specify which information in particular they are looking for. If you seek to clarify the request, the one-month time limit to respond is paused until a response is provided.

However, though you can ask an individual to provide clarity, you cannot force them to narrow their scope. So if the requester refuses to do so when asked for clarification, your starting point is that they are entitled to the data requested. You may wish to explore if other exemptions apply in this scenario, such as whether the refusal now makes the request complex. 

Refusing the request 

You may refuse to comply if you deem the request ‘manifestly excessive’ or ‘manifestly unfounded’. To be manifestly excessive, the request would need to be clearly or obviously unreasonable based on whether it is proportionate when balanced with the burden or costs of complying. As a general rule, this would not come into play just because a large amount of data has been requested. 

That question of proportionality is key, and you should consider all the circumstances of the request when making this decision, including your available resources, and the damage to the individual in not complying. Even if you do deem the request to be manifestly excessive, you should consider asking the requester to clarify and specify their request before outright refusing to comply. 

A request may be manifestly unfounded if the requester evidently has no intention to exercise their right of access. A common example is where the requester seeks to use the DSAR as a bargaining chip, i.e. they offer to withdraw the request if the school or trust complies with another of their requests.

In addition, it may be manifestly unfounded if it is clearly malicious in intent and aimed at harassing and disrupting the school or trust. For example, the DSAR might:

  • explicitly state that it is intended to cause disruption; 
  • make unsubstantiated accusations against the school/trust or specific employees;
  • represent a personal grudge against a particular employee; or
  • be part of a systemic campaign of requests with the intention to disrupt.

In addition to this, you may have data that you would be concerned about disclosing to the requester. You should explore whether an appropriate exemption may apply in this case. The UK GDPR and DPA 2018 contain a number of exemptions from the right of access. Using an exemption, you may consider it appropriate to withhold certain information, or to redact certain documents. If you are unsure about the use of exemptions, you should take legal advice before proceeding. 

Summary 

Dealing with a DSAR can feel like a complicated process. Having a good grasp of these initial points can really help you when triaging the DSAR, and knowing what to do next. 

Liam Ellwood is a Senior Associate at Hill Dickinson.