Available on request

5th April 2024

Paul Watkins proffers advice about how to deal with the growing phenomenon of subject access requests

 

Last summer saw a slew of headlines linked to information being obtained via subject access requests (SARs). Whether it was Nigel Farage’s request to Coutts, the shadow education secretary’s repeated requests to the Independent Schools Council, or Nadine Dorries’s refusal to resign until she received a SAR response from the government, the use of a SAR (or at least its media exposure) seems to be on the rise.

The statistics published by the Information Commissioner’s Office (ICO), the regulator for data protection, seem to back this up. From April 2022 to March 2023 the regulator received 15,848 complaints related to SARs. This accounts for 37% of all data protection complaints received by the ICO and includes complaints made about how independent schools have dealt with SARs.

When I speak to school staff about their experiences of dealing with subject access requests there can be little positive to say. A frequent word I hear used to describe a SAR is that it is a “nightmare”. I can see why. By the time a school contacts me for advice they may have gone to great lengths to retrieve a colleague’s data that has been requested. They may have started to trawl through reams of school records and emails or are dreading the prospect of doing so.

Not only that, but SARs can be ill-timed. They are often received when a school already has plenty on its plate dealing with the same colleague who, for instance, has also raised a grievance or issued a tribunal claim. It may also be received just before or during school holiday periods.

Back to basics

Let’s take a step back to understand what a SAR is. It is a request made by any individual to an organisation, including schools, for access to their personal data that may be held by the organisation.

SARs have existed in data protection law for decades but the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 have strengthened this right of access. Requestors no longer have to pay to make a SAR and there is more focus on organisations being open with individuals about their data rights. This may explain why SARs are on the increase.

Nowhere is this rise more apparent, at least anecdotally, than when it comes to requests for staff or HR data. Readers may be aware of colleagues past or present asking their school for their personal data. This could be HR records, sickness and attendance records and performance and disciplinary records. It also extends to CCTV footage, internal school emails and social media messages, to name a few examples.

Schools can also receive requests from job candidates, particularly those that didn’t get the job and want to dig into why not.

ICO guidance

In light of the number of ICO complaints it’s perhaps unsurprising that the regulator has said that employers regularly misunderstand the nature of SARs or underestimate the importance of responding to requests, and that organisations which fail to respond to SARs promptly, or at all, can be subject to fines or a reprimand.

To support employers to respond to SARs from current and former members of staff, and to address the high number of complaints, the ICO has published guidance for employers (tinyurl.com/yxxcuza2) on dealing with SARs.

The ICO guidance is in a Q&A format and refers to (and reinforces) the relevant parts of the ICO’s detailed subject access guidance (tinyurl.com/5dw8cpjn). Some of the more pertinent topics in the ICO guidance, as far as schools are concerned, are set out below.

Recognising and clarifying requests

The ICO guidance reminds employers that there are no formal requirements for a valid SAR. They may be made verbally or via social media and don’t need to include the words ‘subject access request’ or a right of access. It could be as simple as a request for their HR file or, and this is an example used in the guidance, “Can I have a copy of the notes from my last appraisal?”

A request can be made to anyone in the school, but it’s best practice to have a designated person to deal with it and staff should know who this is so requests can be passed to that person as soon as possible.

Regardless of how it’s received, schools have one calendar month to respond, but where it’s a complex request a total of three months can be taken, if necessary.

The ICO is clear that employers can ask staff to clarify the scope of their SAR, particularly if it is necessary to interpret the request in good faith and where the organisation holds a large amount of information about the member of staff, for example, if the requester has been employed for many years.

Refusing to respond

A request can be refused in its entirety, or a reasonable fee can be charged, where it is “manifestly unfounded” or “manifestly excessive”. Put very simply, this is where requestors lack any genuine intention to access their data or it is a repeated request. The ICO guidance gives an example of a manifestly unfounded request as one where an employee makes a SAR but offers to withdraw it in return for a payment.

It can be difficult to meet these criteria and any refusal to respond should be backed up with evidence. The ICO can understandably be reluctant at times to accept arguments made on this basis.

This is not a straightforward area of data protection law and it will need to be carefully considered as requestors not getting any of the information they have requested are far more likely to make a complaint to the ICO.

Withholding information

Where schools are required to respond to a SAR, the requested information must be searched and collated for review. This is not to say that all the information collated may need to be disclosed. The ICO guidance sets out some of the exemptions which would permit schools to withhold certain information from employees, including where it contains:

  • Other people’s data (including witness statements and whistleblowing reports). This covers where there is a ‘mix’ of personal data of more than one person. There is wide discretion for schools to determine what is reasonable in all the circumstances. When it comes to witness statements made as part of internal disciplinary procedures, schools will need to consider the reasonable expectations of staff, any assurances of confidentiality, and whether consent should be sought and has been refused, etc. This may result in some redactions to a witness statement or it may be withheld completely.
  • Confidential references. Provided a reference is given in confidence, both references given and received can be withheld, as long as it relates to a person’s suitability for education, training, employment, volunteering, appointment to an office, or provision of a service.
  • Management information. This includes information which, if disclosed, is likely to prejudice school activities, for example, where premature disclosure of redundancies as part of a school reorganisation could cause staff unrest.
  • This includes information which could prejudice a negotiation such as when negotiations over a severance package are ongoing.

Other considerations

Compliance with a SAR is required regardless of whether the requester has initiated a tribunal process or raised a grievance. Requestors must be allowed to search for a ‘smoking gun’ but exemptions may apply to withhold certain information.

If a member of staff leaves a school the ICO is unequivocal that his or her right of access to the data “cannot be overridden” by a settlement or non-disclosure agreement. Limiting such rights under these agreements will be unenforceable under data protection law.

That said, we often advise schools that, although such provisions are unenforceable, they can act as a useful deterrent.

The future

Data protection reforms are slowly going through Parliament which would allow organisations, including schools, to refuse to respond to vexatious requests – a welcome introduction if/when it comes into force. The Bill would also make it clear that only reasonable and proportionate searches in response to a SAR are required.

In the meantime, and before the next SAR lands in your inbox, don’t forget to review what you already have on your devices about your colleagues (and former colleagues) to make sure it’s still needed. Always keep in mind that anything you do record about them may be requested and this includes comments on personal devices or email/social media accounts used for school purposes.

 

Paul Watkins is a senior associate at law firm Harrison Clark Rickerbys.
