Data Subject Access Requests: How Schools should Prepare and Respond

Rose: Welcome back to the Education podcast series, in this session we're discussing DSARs in schools. I'm Rose Smith, a legal director in the education team at Doyle Clayton and I specialise in employment law, and I'm joined by Mike Hibbard a legal director in our Reading team who specialises in employment law and data privacy law. So Mike, welcome.

Mike: Hi, thank you.

Rose: So my first question for you, an entry level question I think, is what is a DSAR, what are we talking about today?

Mike: So, a DSAR, otherwise known as a Data Subject Access Request, is a right available to living individuals, who are known as data subjects, under Article 15 of the UK GDPR. Now it's a very broad right, it gives individuals the right to access personal data processed by a data controller about them, and understand supplementary information on how their data has been used.

So, because it's a right to receive a copy of the personal data being processed, it's a very broad right, and "processing” has a very broad definition; it includes anything that's sent in emails, for example, stored on school systems, any expressions of opinion, any telephone recordings, CCTV; it's a very broad definition. The important thing for schools to know is that a DSAR can be very time consuming to respond to, and there can be a lot of work for the data controller to do in response. Controllers usually have one month from the date of the request to compile and provide a response.

Rose: Now that’s interesting, because there will be significant periods of school holiday where staffing will be different, potentially reduced. During that time will schools have extra time in order to comply with Data Subject Access Requests?

Mike: Unfortunately, in the eyes of the Information Commissioner’s Office, the ICO, the school holiday is irrelevant. The time starts running from receipt of the request, and you have one month to respond. It's really important in schools that there's some sort of oversight and monitoring of relevant mailbox, for example, if there's a central data privacy mailbox, to ensure that any request is picked up on.

It's worth noting that if a request is complex, for example if there's lots of different sources of personal data, lots of different searches need to be used, there's sensitive data that needs redacting, or data of third parties such as other children; then you can extend to three months, so you get a further two month extension. However, that extension has to be relied on before the end of one month time frame, so you still need to be monitoring the mailbox.

Just to pick on one point I mentioned there, data privacy issues in the UK are overseen by what's called the Information Commissioner's Office, or otherwise known as the ICO for this podcast. So, Rose, what data subjects does the school need to be particularly concerned with, who could a request be received from?

Rose: It’s a good question, because as if schools are not busy enough, there’s actually quite a wide and varied set of data subjects that they’re going to have to deal with, and potentially receive Data Subject Access Requests from.

So, like any business or employer, there’s going to be a data processed in respect of their staff, and so they will handle quite a lot of data in respect of teachers and all other staff, some of which is going to be sensitive, such as health data. In addition, suppliers, particularly if using independent contractors, there’s very likely to be the personal contact at those suppliers about whom a (limited) amount of personal data might be processed as well.

Where it gets very specific to schools, and potentially a little bit more complex as well, is where the processing of personal data of pupils comes in, because of course there’s a huge amount of pupils at each school and each of them is going to have personal data being processed by the school about them. Lots of them are going to be under 18 or indeed under 13, and the extent of the data is going to be quite wide, quite often health data is going to be shared as well as special educational needs data as well, so this is very likely to include special category data.

The slightly less obvious category, but one that is really quite significant, is the category of parents and guardians. Schools really do hold and process quite a lot of personal data about parents and guardians. Parents will often share travel plans, personal difficulties, even health issues with the school, so it’s something that we can get, really, quite a lot of information on and that can be sensitive category information as well, and it really depends on the volume of correspondence with the particular parent or guardian. But it can be, really, quite a big data set.

So. Mike, we know who we can expect to hold and process data about within a school, but who can make a DSAR? Is it the parents and students? If it is the students, do they do they need to give their consent? What factors are relevant in deciding if they can give that consent?

Mike: It’s a really interesting, and slightly challenging, topic because the right of access is actually the child's own right, it's a right to access their own personal data. But, obviously, in the school context the pupils are different ages, so it’s really fact specific. Even if the child is too young to understand the implication of what their rights are, it's still their rights, rather than those of a parent or a guardian. A parent or a guardian may make a request for a child's personal data. You should only allow parents to exercise those rights on behalf of child if either the child has authorised them to do so, or when the child does not have sufficient understanding to exercise the rights themselves, or to understand what that means, provided that it's evidently in the child's best interests. So, a thought process needs to be carried out there.

Now any adult with parental responsibility may seek to exercise any of the child's rights on their behalf. So as a school if you receive a request, if you are satisfied that the child is not competent to understand their rights, and that the person who has approached you has parental responsibility for the child, it is usually appropriate to let the holder of parental responsibility exercise the child's rights on their behalf. The exception is if you think that is not in the child's best interests to do so. If you're confident that the child can understand their rights, you should usually respond directly to the child. However, you may allow the parent to exercise a child's rights on their behalf if the child authorises it, or if it's evident that doing so is in their best interests. What matters is whether the child understands the rights and what has been asked. For example, does the child understand what it means to request a copy of their personal data and interpret the information they receive?

If you have a borderline case, there are various factors you can take into account. For example, what is the child's level of maturity? What is their ability to make a decision like this? What personal data are we talking about? Is there anything sensitive, such as health data, involved? Is there an extensive amount of personal data being held? Are there any court orders related to parental access relative or responsibility that could apply? Are there any duties of confidence over the child or young person? What will the consequences be of allowing those with parental responsibility to exercise the child's rights? This one is particularly important if there is an allegation of abuse or ill treatment if you let someone parental responsibility not access the information, could there be a detriment to the child or young person concerned?

Now, there's no hard and fast rule about this. In Scotland a child is presumed competent to exercise the rights once they are 12 years of age, unless proved otherwise. However, there's no such age set in England and competence is assessed depending on the level of understanding of the child. So, you need to weigh up the factors I just mentioned in deciding whether child’s consent is needed, and it should be assessed on a case by case basis.

So, if you've got a request, Rose, and you think you're authorised to act on it: you either have the child's consent, or you think it’s in their best interests to act on it; what data can be requested from a school and are there any particular limitations for the education sector?

Rose: It is a question that is slightly nuanced in the sector. As you've said, there's all of those different types of data subjects who can make Data Subject Access Requests, and, generally speaking, what we tend to see is a request for copies of personal data, which is the particularly time consuming part of responding to a Data Subject Access Request. Now, the request can be quite wide, in any sector, not just in schools. It doesn't necessarily mean that you have to disclose every piece of information about the individual that you've ever seen, it is only the personal data, and we can hold back the personal data of other people and, in some cases, also confidential business sensitive data as well. What we're really focusing on is just the personal data of the individual making the request, or in a situation where a parent is making request on behalf of a pupil, the personal data of that pupil.

There are very few limitations on the amount of data that can be requested. In general terms, resisting a Data Subject Access Request on the basis of size is only really possible if the request can be shown to be manifestly unfounded or excessive, and it's still a bit nebulous as to what that will actually mean in practice. There is some suggestion from the ICO that there could be an argument to be deployed if the request is being made purely to put pressure on a school, or if it's repeated or overlapping, then there may be the possibility of charging a fee for the production of documents in that situation. So, it is a bit tricky to try to resist a request in terms of the size of it. Schools of course have extra considerations they need to keep in mind, and they are safeguarding obligations, which need to be considered in the context of any DSAR results that are being provided. Now we would always recommend reviewing any DSAR results in any sector, from any client, so that you are aware what is being released to a third party, particularly thinking about the personal information of others. But in the school context, that review needs to be more fine tooth and have the added consideration of whether any safeguarding of children issues arise from the documents specifically. That will need to be considered quite widely.

We've worked with one school who were asked to disclose personal data as part of a parental dispute, and some of the data to be disclosed to the parents, if it had been seen by the child, could have had a safeguarding impact on that child, which we were bound to avoid. So, in those circumstances we found that it was justifiable to redact that piece of data. It really is case by case, point by point, but there really is a strong onus on the school to think about what damage could the provision of this data to this person cause, and do we have a safeguarding obligation triggered by it?

I touched on one situation where I've seen DSARs used in school context, Mike, where else might we see it?

Mike: There's a whole wide range of contexts in which we do see DSARs, usually it's if an individual is wanting to know to specific information, whether that's the parent, the guardian, or the child. Relevant examples are, for example, if a child is excluded, the parent, guardian and/or child might want to know the reasons behind the exclusion and anything that's being written internally about it, exam results or exam scripts, if there are behavioural concerns of the child, again there might be a DSAR raised.

You mentioned there about a potential dispute between parents, sometimes this information may be used in a wider context. Again, as a school you really do need to think about the best interests of the child when you're responding to any of these. Another example is sometimes with special educational needs assessments or disputes, often you see a DSAR in that context.

What we've outlined today is a DSAR can be quite a tricky, thorough task, and you do need to put work into it. I think the key thing is really to have processes in place, have a policy, have a system in place for how you can respond to these, so that when you do get a request you can take the necessary steps, potentially within that one month deadline (if you don't get to use an extension).

Now sometimes, Rose, we receive questions about access to academic records, so how does a DSAR interplay with that right, to access academic records?

Rose: They are quite different rights. A DSAR is a request made under the Data Protection Act 2018 (or UK GDPR) and it is completely separate to the education regulations, which deal with access to academic records. So, under the latter regulations, those with parental responsibility have the right to see a pupil’s education records. That only covers information coming from a teacher, other employees, local authorities or schools about the educational record of the pupil. It’s occasionally going to include information provided by a child or parent, but only insofar as it forms part of that pupil’s educational record. So, it's nowhere near as wide in breadth as a Data Subject Access Request, it certainly does not include all personal data processed by the school.

There are some quite different rights of access as well. This is a right that pupils don't actually have, it's a right that belongs to those with parental responsibility only. So, again, much narrower than privacy rights in that way, but unfortunately also tighter timescales to respond to requests. So, whilst it isn't as much information as a DSAR, it is only 15 school days that we have to answer these requests.

We do have some good news, in that school holidays will not count to the 15 active school days in which a reply must be sent, so we do have a little bit more flexibility over school holidays for responding to this, but it is still pretty tight. And so again, having processes in place storing this information safely and correctly so that a response can be formulated quickly, is absolutely critical.

What is similar to the Data Subject Access Request is that it is still fettered, to some extent, by the safeguarding issues that arise. A safeguarding issue will pretty much trump both of these rights to access information, and again, with anything that you're releasing under this request, you should be asking yourself by providing this information to this person, could we cause some risk or damage to a child?

The processes don't overlap, you don't have to choose one or the other, but there is one point to consider that could assist: if you have a parent seeking to use their rights under the Education Regulations Access to Academic Records, a price can be charged for making copies of documents, and that is a big part of the cost of responding to a Data Subject Access Request. So, where the Data Subject Access Request does cover those academic records, you can give some thought to whether you might be able to apply a charge for the copies in that circumstance only.

The other thing to consider, coming back to the ICO that you mentioned at the beginning of this session: if a parent's not happy with the outcome of an Education Regulations Access to Academic Records application, then there's no protection from the ICO –the ICO doesn't regulate it, it's not interested in it at all, and it's got its plate very full with data privacy. So, the only resolution for those with parental responsibility in that situation would be to complain to the school. It is a similar right, but there's plenty of differences too.

Hopefully this gives you an introduction to how Data Subject Access Requests are experienced in schools and what the particular things to look out for are, if we can help you with any further information about Data Subject Access Requests in school, please visit our website, we have an Education team page, and you can get in touch with us from there. Thanks very much for listening. Thanks, Mike.

Mike: Thank you.