Date updated: Tuesday 10th September 2019

If your school has received a tricky subject access request (‘SAR’), you will perhaps already be aware that the GDPR provides that a request can only be refused where it is “manifestly unfounded or excessive”. Up until now, there has been limited guidance as to what this actually means, which has resulted in many schools (rightly) taking a cautious approach when responding to a SAR.

Helpfully, the ICO has recently updated its right of access guidance to include further information about the meaning of “manifestly unfounded or excessive”, which can be found here. However, schools should exercise caution in deciding not to respond; the ICO expects organisations to handle a SAR as far as possible, and the guidance makes it clear that refusal will only be appropriate in exceptional circumstances. It will be up to the school to demonstrate that it is able to refuse a request because it is “manifestly unfounded or excessive” and any refusal will carry a risk of challenge.

5 top tips for handling tricky SARs

Have procedures in place to deal with SARs

Consider drawing up an internal procedure for handling SARs to be shared with members of staff. Given that the time limit for a response is now one month, it is particularly important that all members of staff are able to recognise a request (note that a request can be made in writing, verbally and even via social media) and know when to direct a request for information to the appropriate person at the school for handling.

Clarify the request

When acknowledging receipt of a request, seek clarification on anything that is not clear. If you receive a request for all data held about an individual, ask if there is anything in particular the requester is looking for, and whether there are any key terms you can search for, or timeframes you can search within, in order to assist you in extracting the relevant information.

Swot up

Understand the definition of personal data, the time limit for a response, when you can seek an extension, principles surrounding third party data, and the exemptions that are most likely to apply to data your school is processing.

Review the data the school is holding

You should only be processing (note that processing includes merely storing) data where you have good reason, and a legal basis, for doing so. Data should not be held for longer than is necessary and should be held in accordance with the school’s data retention schedule.

Seek legal advice

Stone King has a dedicated information law team that can advise on all aspects of data protection law, including handling SARs.