Date updated: Tuesday 25th February 2020

ICO guidance on Subject Access Requests

The Information Commissioner’s Office (“ICO”) has consulted on new guidance about subject access requests (“SARs”). The draft document expands on previous guidance issued by the ICO under the Data Protection Act 1998, and will be welcomed by schools, who are dealing with increasing numbers of tricky SARs.

The consultation closed on Wednesday 12 February 2020 and we await the outcome.

Some key points to note from the draft guidance (which may be subject to change) are as follows:

  • Responding to a SAR. The ICO has confirmed that when responding to a SAR, an organisation must supply additional information (listed in Article 15 of the GDPR) in addition to a copy of the personal data. Providing a link to the relevant privacy notice (so long as it contains the required information) will be sufficient.
  • Redaction. The ICO now expects organisations to have systems in place which will allow them to redact third party data where necessary (for example, redaction software).
  • Children and SARs. Even if a child is too young to understand the implications of the right of access, it is still their right to request access to their information. What matters is that the child is able to understand (in broad terms) what it means to make a SAR and how to interpret the information they receive. The ICO gives some guidance on things to consider when it is not clear whether or not a child has capacity to understand or interpret this information.
  • Can we deal with a request in our normal course of business? It is important to draw a practical distinction between formal requests for information and routine correspondence that you can deal with in the normal course of business. Such routine correspondence should be considered on a case-by-case basis.
  • Complex requests. There is additional guidance on when a request may be considered ‘complex’. However, a school will need to be able to demonstrate why the request is complex in the particular circumstances.
  • Timescales. If an organisation needs to ask an individual to clarify their request, the timescale for responding will not be affected unless it is genuinely unclear whether a SAR is being made.
  • Reasonable searches. A requester is entitled to ask for all information held and organisations must make ‘reasonable searches’ for the information covered by the request. There is no further guidance on what this might mean.
  • Personal devices. The ICO will not expect organisations to instruct staff to search their private emails or personal devices in response to a SAR unless there is a good reason to believe they are holding relevant personal data.
  • Meaning of “excessive” and “manifestly unfounded”. A school can only charge a fee, or refuse to comply with a request, if it is ‘excessive’ or ‘manifestly unfounded’. The guidance goes into further detail about what this means.
  • Staff data. The guidance says that you should not normally withhold information that identifies a teacher when responding to a SAR. This will again need to be considered on a case-by-case basis.

Other ICO developments: Draft direct marketing code of practice

The ICO has launched a consultation on its draft direct marketing code of practice.

The code aims to provide practical guidance and promote good practice when complying with the GDPR, DPA 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003. It also covers a range of related topics such as lawful bases for processing for marketing purposes, and individual rights and exemptions. The ICO also plans to produce additional practical tools such as checklists to go alongside the code.

The consultation is open until 4 March 2020.

Other ICO developments: Age Appropriate Design Code

On 21 January 2020, the ICO published its final Age Appropriate Design Code – a set of 15 standards that online services should meet to protect children’s privacy. The Code must complete a statutory process before it is laid in Parliament for approval. After that, organisations to which it applies will have 12 months to update their practices before the Code comes into full effect. The ICO expects this to be by Autumn 2021.

In summary, the Code requires the best interests of the child to be a primary consideration when organisations design and develop online services for use by children. It sets out the standards expected when designing, developing or providing online services like apps, connected toys, social media platforms, online games, educational websites and streaming services. For example, social media platforms such as Facebook (which are often accessed by pupils) will be subject to the Code.

In practice this means that privacy settings should be set to high by default; location settings should be switched off by default; data collection and sharing should be minimised; and profiling that can allow children to be served up targeted content should be switched off by default.

Schools should note that the Code applies only to providers of information society services (ISS). This means that the developers creating such services should follow the Code in order to safeguard children’s data. The ICO has previously stated that ‘if an ISS is only offered through an intermediary, such as a school, then it is not offered “directly” to a child.’

However, schools, as Data Controllers, should check that any service they use has been assessed in accordance with data protection law; schools remain responsible for any personal data shared with an ISS.