The Information Commissioner’s Office (ICO) has recently published new, detailed guidance on subject access requests (SARs). While overall the guidance is more evolution than revolution (reflecting the fact that GDPR did not radically alter the law in this area in 2018), in a number of important areas it has moved things in a helpful direction for schools dealing with these often complex, and resource-intensive, requests.
Even where the guidance has not necessarily changed the prior position substantively, it is important for schools to be aware of where the ICO has "landed" in terms of a settled position and to that extent, it is helpful to have this degree of additional clarity. The ICO is not the final authority on the interpretation of this law (strictly, that is a matter for the courts); but in practice for the vast majority of complaints or concerns raised about the handling of subject access requests, it will be the ICO to whom matters are referred for a decision.
Helpful elements of the guidance
- The guidance provides some detailed considerations in respect of requests on behalf of children, and the factors that need to be considered in establishing the requisite authority where a request does not come from the child directly. Encouragingly, the guidance is mindful of particular issues that can arise in these contexts, for example the greater need to check authority and competence where the data is more sensitive, and the importance of the controller considering the consequences of allowing those authorised to act on behalf of the child access to that child’s information.
- On extending the one month deadline for responding to SARs (owing to the number or complexity of requests), factors listed as tending to justify the further two months – and which crop up regularly with SARs to schools – include:
- clarifying parent / child authority issues; and
- needing to assess large volumes of particularly sensitive information.
Please note that volume of data alone is not a factor, except where combined with other sensitive or complicating factors requiring close review – although the size and resources of an organisation will be relevant to considering what counts as complex. Having a number of unrelated SARs to deal with at the same time is not, in and of itself, a ground for extension; but the guidance suggests that it would likely be a relevant factor taken into account by the ICO if it were to look at a complaint.
- On delaying the start of the process, the guidance helpfully now says that data controllers can "stop the clock" when waiting for individuals to clarify their request. In practice, this will be more significant for those requests that have to be dealt with within the standard one month deadline, rather than the more complex or multiple requests where an additional two months may be justified. It is nonetheless welcome, especially where an individual is unclear or slow to engage about the specifics of what they are seeking, or tries to move the goalposts later. If the individual does not respond to the request for clarification, controllers can consider the request ‘closed’ if they do not hear back after a reasonable period (the ICO suggests one month).
- There is some helpful further detail on the issue of when a request might be "manifestly unfounded or excessive" – including where made purely to exert pressure or leverage on the school – and the potential, if so, for a controller either to charge a "reasonable fee" for dealing with the request, or to refuse to comply with it altogether. The guidance on charging now says that a reasonable fee may include the costs of staff time.
This is a potentially significant development, but it remains to be seen whether it might herald any sort of widespread shift in practice across different sectors, and/or whether it becomes a battleground with requesters (especially with pupils and parents where it may be unattractive). Going down this route also requires controllers to justify their view that a request is genuinely excessive (as opposed to simply inconvenient or burdensome), and to publish clear, objective charging criteria.
At least until it becomes clearer as to what might be considered "normal practice", schools should probably adopt a cautious approach in this area, noting the need for sensitivity in many cases and more generally in managing relationships within the school community and beyond. However, when dealing with extremely difficult and persistent requesters, a more robust or ‘commercial’ approach may be justifiable.
One of the most helpful sections of the guidance sets out some examples of when a request may reasonably be classed as "unfounded". These often hinge on whether the request is a genuine effort to obtain personal data, as opposed to a means simply to create disruption or cost, or to pursue personal vendettas or agendas. For example:
- malicious uses, including the targeting of individuals at an organisation (which can be evidenced by eg the making of unsubstantiated accusations);
- use of GDPR rights as collateral to extract other benefits from the organisation (so potentially using SARs as a settlement ploy when there is a legal claim); or
- sending systematic requests as part of a campaign to cause disruption (most obviously with multiple parties working in concert, rather than repeat requests from the same individual which are all, in themselves, "new" and "genuine").
Therefore, while it remains the case that the right of subject access is generally "motive blind", in extreme examples (and we still think these are likely to be the exception rather than the norm, even where dealing with aggrieved individuals) a bad faith or abusive motive may justify refusal.
On manifest excessiveness, the guidance cites a range of factors to take into account, including whether the request largely repeats previous requests and a reasonable interval has not elapsed, or whether it overlaps with other requests (again, if it relates to a completely separate set of information it is unlikely to be excessive). There is however the reminder too that just because an individual asks for a large amount of information, that is not necessarily excessive. In such cases the reasonable approach may be to ask the requester for more information to narrow the scope; or, where this will not work, to apply your own common-sense parameters to how to sift through large quantities of data in a proportionate manner (even if not "perfect"), and then to explain the approach taken when responding in due course.
Whilst the new guidance does seem to open the door to more credible refusals of requests as being manifestly unfounded or excessive, in our view it will often still be more sensible and pragmatic for a data controller to provide a response of some sort (based on reasonable and proportionate efforts) than to refuse a request altogether. An individual always has the option of pursuing their case with the ICO or even through the courts. Although recent case law (and the guidance itself) confirms courts’ powers in this area are discretionary – and we have seen that courts do sometimes show little sympathy for SARs with collateral intent – it would be a brave data controller that steadfastly refused a request altogether, at the risk of prolonging a dispute, to throw themselves on the mercy of the courts or regulator.
Less helpful elements of the guidance
In the "less helpful" column, the guidance pours cold water on the suggestion (which had been hinted at in previous DfE guidance) that requesters should be considerate of school holidays in terms of schools’ capacity to respond to requests within the requisite timeframes. That said, in reality the potential to take three months to deal with complex requests tends to provide schools with a sufficient window – even if a request does arrive outside term time.
In addition, the guidance provides no qualification or caveat to the "assumption of reasonableness" for identifying school staff where their personal data is mixed with material relating to the requester (for example, identifying them as the source or recipient of an email, or attributing comments or opinions to them). On the face of the guidance, this applies equally whether the request was made by a pupil, parent, external third party, or colleague – which, most reasonable observers would consider, cannot be right.
Whilst this does strictly follow the relevant provision in the Data Protection Act 2018, there had been some cause to think there might be some pragmatic interpretation of this in practice. However, the guidance simply states the statutory position. While other exemptions may be available beyond simply "third party data" rights (including, in some cases, where there is a risk of serious harm or distress), these are exceptions rather than the rule. Whilst we would still stress the need to be pragmatic and sensitive to the rights of all parties, the guidance position is not terribly helpful in supporting staff data rights – and this is something school staff should be aware of as part of their ongoing GDPR compliance training.
As stressed above, the ICO does not have the final word on data protection compliance, and ultimately it is for the data controller (school) to determine its GDPR obligations, including those it owes to each of its data subjects. Overall though, this guidance should help provide schools with some useful practical clarity on dealing with SARs.
Helpful elements aside, SARs will of course continue to place potentially significant demands on a school’s time and resources in the most complex cases, and it is all the more important to have systems and procedures in place to help navigate them effectively – and to maintain professional approaches to the creation and retention of personal data in the first place.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, November 2020