No school staff member ever said “brilliant, another SAR to process”. Yet there are several actions schools can take to reduce that sinking feeling when you get yet another request for a copy of “everything you have” about them.
Subject access requests (SARs) are increasingly a factor in difficult situations in schools, including parental complaints, HR grievances and disciplinaries, exclusions, and attendance.
They can present a particular burden on schools, often leaving staff in schools feeling on the backfoot when it comes to achieving data protection compliance.
On the backfoot with compliance
When the little time that staff have allocated to deal with data protection matters is spent on responding to SARs, the school becomes increasingly behind with other data protection compliance work.
With vast quantities of personal data to locate, review and redact before release, and requestors quick to complain to the Information Commissioner’s Office (ICO), this reactive work becomes the focus, rather than the proactive work to remove the need for requests in the first place, or to minimise their burden.
So, what can be done to make managing SARs less challenging? Our newly appointed lawyers, Claire Archibald and Bethany Paliga, who specialise in data protection in education, have complied their five top tips for schools, which will enable schools to be more prepared and efficient in their handling of SARS:
1. Collaborate with the requestor to clarify what they want
School staff should not be afraid to engage directly with the individual making the request to better understand and refine what information they are seeking.
Just because a requestor asks for “everything you have” doesn’t mean you can’t work with them to adapt their request to something more reasonable.
For example, in the event of an exclusion related SAR, it may be that you can explain that the parents will receive a copy of everything relevant in their exclusion pack, or for an employee SAR you can offer to provide a copy of their HR file and any documents and emails from or to their line manager.
Whilst not contained in data protection legislation or ICO guidance, the Department for Education (DfE) in their Data Protection Toolkit states that schools do not need to provide information to which the requestor already has access.
Therefore, emails to/from the requestor, or information on portals that they can self-serve from (such as attendance records on the MIS) may be excluded if you remind the requestor that they have that access.
Manifestly excessive requests
A requestor that refuses to work with staff to ensure their request doesn’t place an undue burden on the school may well be deemed to be making a ‘manifestly excessive’ request.
Schools can either refuse requests where they are manifestly excessive or make what they deem to be a reasonable response. Schools can warn requestors that they may not respond to such excessive requests and invite them to adopt a more cooperative approach.
The ICO understand that requestors may be uncooperative or unreasonable. If the organisation can demonstrate that they have attempted engage reasonably, then the ICO is less likely to uphold a later complaint from the unhappy requestor.
2. Implement effective record management practices
In the sort of complex matters that result in SARs being made it is likely that there will be records spread across several systems, from the traditional paper file to MIS systems, cloud services, email and Teams chats, with multiple staff being involved. Everyone involved in a matter should be given clear instructions on where to file documents and correspondence which can later be easily searched and collated.
Remember that email systems are designed to be an individual post-box, rather than a filing system, so make sure that records are stored in appropriate pupil or HR systems. Once a document is properly filed then you do not need to keep those emails in your mailbox too. A simple way to save emails is to ‘print to PDF’ and then save the email or to cut and paste the email content into systems such as electronic safeguarding logs.
Proper management of records makes sense for operational purposes too, allowing oversight, consistency and effective team working. If a member of staff is absent, or leaves the school, then their work is not left to languish in a disused mailbox.
3. Establish and enforce an effective retention policy
As schools have rapidly moved to new digital ways of working, the retention and destruction policy that made sense ten years ago now looks rather irrelevant. Your teams don’t need policies and procedures regarding the need to shred papers, they now need procedures on reviewing and deleting data stored on vendor-hosted cloud platforms.
Review and adjust your retention policy and practices to serve your needs better; establish a set retention (and auto-deletion) policy for emails and Teams chats (if it helps, the ICO have theirs set at one year for emails and one week for Teams chats).
A well-structured retention policy makes the process of responding to requests more manageable by ensuring only necessary records are retained. It also helps you to reduce risk of data breach and improves your compliance with data protection laws, a win-win!
4. Don’t leave searching for data to the IT team
Whilst it can seem tempting to relying on the IT team for an all-encompassing electronic search, this is frequently an unhelpful approach, leading to vastly excessive records being located, the majority of which are irrelevant such as lists of pupil names, mass emails, or even school meal transactions. The IT team are then left to trawl the information, with little or no knowledge of the requestor or the information that is relevant to them. This can be disastrous for the SAR process.
Instead, consider which systems and which members of staff are likely to hold information- so in relation to pupils this is likely to be their main teacher/form tutor, head of year, pastoral and safeguarding leads. They are far more likely to know what information they hold about an individual pupil.
This means that work that would have taken hours, can be reduced to 10-15 minutes for a small number of selected staff.
5. Adopt a learning mindset from each request
Treat every SAR as a learning opportunity. Why has the request been made? Why might the requestor be frustrated with your school? What could be done better to prevent the need for the request in the first place?
Any complaints or information rights requests are a rich source of insight on what is going on in your school.
For instance, if you note that many of the SARs received relate to SEND, is your SENDCO effectively complying with your responsibilities to ensure that information is shared with parents under the SEND Code of Practice?
Start with improving the area where you receive the greatest number of requests to see a quick impact, rather than being overwhelmed by trying to tackle every function of the school at once.
The best way to manage SARs is not to receive them in the first place. Most requests are made by parents and staff who have an ongoing relationship with the school. By working proactively with them, and anticipating their needs as part of that relationship, it may be that you receive less requests, and your staff get the time to do the more proactive (and enjoyable) data protection work.
Summary
Whilst SARs present an increasing workload for school staff, they don’t need to continue to be overwhelming. Some preparation work to work with requestors and reduce the amount of material and locations you need to search can significantly reduce their impact. Focus your work to improve in the area where you receive the most SARs in the first place to see quick results.
Key contacts
Claire Archibald
Legal Director
claire.archibald@brownejacobson.com
+44 (0)330 045 1165
You may be interested in...
Online Event
Handling parent complaints against staff: Panel discussion
Online Event
Embracing AI to improve school governance
Press Release
New hires at Browne Jacobson will support schools with data compliance amid enhanced ICO scrutiny
Legal Update - School leaders survey
School Leaders Survey Autumn 2024: The results are in
Legal Update
Five steps to turn the tide on Subject Access Requests
Legal Update
Silence persists on gender questioning guidance for schools
Legal Update
Attendance management checklist for schools
Legal Update
Interventions and penalties for school non-attendance
Legal Update
New attendance monitoring requirements for schools
Legal Update
Changes to attendance requirements for schools
Guide
Rebuilding trust and community: A guide for schools after the recent UK riots
Guide
School INSET days: preparing staff for the 24/25 academic year
Guide
Keeping Children Safe in Education (KCSiE) 2024: The main changes and what to do next
Legal Update
Understanding the ICO's new fining guidance
Opinion
School attendance matters
Legal Update
Cyber security and data breaches
Guide
FAQs - converting to academy status
Legal Update
Protecting children and their data in the online environment
Legal Update
Top three training topics 2022-23
As well as providing day-to-day support to help you focus on managing your settings, we also provide training and professional development on a range of topics to keep you and your staff up-to-date.
Press Release
Law firm picks up record breaking sixth Education Investor Award
Browne Jacobson’s education team has been named as winner of the ‘Legal Advisors to Education Institutions’ category at the Education Investor Awards 2022 for a record sixth time.
Press Release
Thousands take part in virtual careers event to help increase diversity in the legal profession
Over 3000 young people from across the UK and Ireland took part in a virtual legal careers insight event, aimed at making the legal profession more diverse.
Legal Update
Browne Jacobson’s market leading Education expertise recognised again in latest Legal 500 rankings
The new set of Legal 500 directory rankings have been published and we are proud to once again be recognised as one of the country’s leading firms advising the Education sector.
Legal Update
Data reform in the UK
Since the UK left the EU and are now able to move away from the EU data protection regime, the UK government have implemented a national data strategy with the aim of reducing the burden on organisations but maintaining a high data protection standard.
Press Release
Browne Jacobson’s C-suite exec level coaching team appoints two new education specialists
National law firm Browne Jacobson has grown its team behind its dedicated Space + Time executive coaching programme with the addition of two more qualified coaches who will work with clients in the education sector.
Published Article
Five top tips for strong data compliance in 2022
This article has five excellent top tips for strong data compliance in 2022, including; embracing near misses, leading from the top, outcomes-focused training, learning walks, consequences.
Press Release
Browne Jacobson hosts UK’s largest virtual legal careers event to boost access to careers in law
Press Release
New benchmarking service now available to guide the remuneration of school trust executive teams
The Confederation of School Trusts (CST), as the sector body for School Trusts, today releases a salary benchmarking service for executive roles in School Trusts, in conjunction with partners XpertHR, Cendex and Browne Jacobson.
Legal Update
Steps to take following a data breach: reporting, criminal charges and injunctions
Student and staff files will be full of personal data, much of which may be particularly sensitive such as health information (known under the data protection legislation as “special category” data).
Legal Update
Academy Trust Handbook 2021: the future focus as we recover from Covid-19
Legal Update
Exam appeals guidance released
The Joint Council for Qualifications (JCQ) this week published the appeals guidance for grades awarded this summer.
Legal Update
Preparing to award teacher assessed grades
Schools will now be tasked with reading a vast amount of information to get themselves ready to provide teacher-assessed grades (TAGs) for students following the recent publication of the suite of Joint Council Qualifications (JCQ).
Legal Update
Everyone’s Invited – Ofsted to review safeguarding policies
Ofsted has announced that it will begin an immediate review of school safeguarding policies. It is now time that you take steps to ensure your policies and procedures are up to date.
Legal Update
Grades without exams - FAQs
In the absence of exams, the Department for Education (DfE) and Ofqual have confirmed that the 2021 GCSE, AS and A level and vocational and technical qualification grades will be determined by centre assessment.
Legal Update
‘Everyone’s Invited’ - managing reports of child-on-child assault and harassment
The ‘Everyone’s Invited’ movement has over 9,000 testimonies on its website and, whilst it has recently taken the step to anonymise everything on the platform, a number of schools have been named.
Legal Update
Laptops and lifelines
On-Demand
Rising to the challenge: Digital transformation in schools - Part 2
Catch up for part 2 of our education training videos, exploring the role of digital transformation on our education system.
On-Demand
Rising to the challenge: Digital transformation in schools - Part 1
Catch up on our on-demand video to see the latest in our series looking at how the education sector is rising to the challenge and should look forward with optimism.
Legal Update
Delivering live remote learning to pupils – some data protection considerations
Education providers have become more innovative with their delivery of lessons to ensure all students are able to and are participating. Delivery of lessons include live teaching sessions through video conferencing platforms, but it does create a number of additional issues.
Legal Update
New year, new approach – getting compliance right
Compliance is a broad term and covers the three Ps – paper, people and practice. Be it safeguarding, GDPR or health and safety, there is a direct link between high-quality, outcomes-focused training and the impact on staff and children in your setting and to help you get it right, here are my eight tips for excellent compliance training.
Legal Update
Exams and assessments: what we know so far
The government has issued updated guidance for schools during the 2021 national lockdown. Find out more here.