Five steps to turn the tide on Subject Access Requests

No school staff member ever said “brilliant, another SAR to process”. Yet there are several actions schools can take to reduce that sinking feeling when you get yet another request for a copy of “everything you have” about them.

Subject access requests (SARs) are increasingly a factor in difficult situations in schools, including parental complaints, HR grievances and disciplinaries, exclusions, and attendance.

They can present a particular burden on schools, often leaving staff in schools feeling on the backfoot when it comes to achieving data protection compliance.

On the backfoot with compliance

When the little time that staff have allocated to deal with data protection matters is spent on responding to SARs, the school becomes increasingly behind with other data protection compliance work.

With vast quantities of personal data to locate, review and redact before release, and requestors quick to complain to the Information Commissioner’s Office (ICO), this reactive work becomes the focus, rather than the proactive work to remove the need for requests in the first place, or to minimise their burden.

So, what can be done to make managing SARs less challenging? Our newly appointed lawyers, Claire Archibald and Bethany Paliga, who specialise in data protection in education, have complied their five top tips for schools, which will enable schools to be more prepared and efficient in their handling of SARS:

1. Collaborate with the requestor to clarify what they want

School staff should not be afraid to engage directly with the individual making the request to better understand and refine what information they are seeking.

Just because a requestor asks for “everything you have” doesn’t mean you can’t work with them to adapt their request to something more reasonable.

For example, in the event of an exclusion related SAR, it may be that you can explain that the parents will receive a copy of everything relevant in their exclusion pack, or for an employee SAR you can offer to provide a copy of their HR file and any documents and emails from or to their line manager.

Whilst not contained in data protection legislation or ICO guidance, the Department for Education (DfE) in their Data Protection Toolkit states that schools do not need to provide information to which the requestor already has access.

Therefore, emails to/from the requestor, or information on portals that they can self-serve from (such as attendance records on the MIS) may be excluded if you remind the requestor that they have that access.

Manifestly excessive requests

A requestor that refuses to work with staff to ensure their request doesn’t place an undue burden on the school may well be deemed to be making a ‘manifestly excessive’ request.

Schools can either refuse requests where they are manifestly excessive or make what they deem to be a reasonable response. Schools can warn requestors that they may not respond to such excessive requests and invite them to adopt a more cooperative approach.

The ICO understand that requestors may be uncooperative or unreasonable. If the organisation can demonstrate that they have attempted engage reasonably, then the ICO is less likely to uphold a later complaint from the unhappy requestor.

2. Implement effective record management practices

In the sort of complex matters that result in SARs being made it is likely that there will be records spread across several systems, from the traditional paper file to MIS systems, cloud services, email and Teams chats, with multiple staff being involved. Everyone involved in a matter should be given clear instructions on where to file documents and correspondence which can later be easily searched and collated.

Remember that email systems are designed to be an individual post-box, rather than a filing system, so make sure that records are stored in appropriate pupil or HR systems. Once a document is properly filed then you do not need to keep those emails in your mailbox too. A simple way to save emails is to ‘print to PDF’ and then save the email or to cut and paste the email content into systems such as electronic safeguarding logs.

Proper management of records makes sense for operational purposes too, allowing oversight, consistency and effective team working. If a member of staff is absent, or leaves the school, then their work is not left to languish in a disused mailbox.

3. Establish and enforce an effective retention policy 

As schools have rapidly moved to new digital ways of working, the retention and destruction policy that made sense ten years ago now looks rather irrelevant. Your teams don’t need policies and procedures regarding the need to shred papers, they now need procedures on reviewing and deleting data stored on vendor-hosted cloud platforms.

Review and adjust your retention policy and practices to serve your needs better; establish a set retention (and auto-deletion) policy for emails and Teams chats (if it helps, the ICO have theirs set at one year for emails and one week for Teams chats).

A well-structured retention policy makes the process of responding to requests more manageable by ensuring only necessary records are retained. It also helps you to reduce risk of data breach and improves your compliance with data protection laws, a win-win!

4. Don’t leave searching for data to the IT team

Whilst it can seem tempting to relying on the IT team for an all-encompassing electronic search, this is frequently an unhelpful approach, leading to vastly excessive records being located, the majority of which are irrelevant such as lists of pupil names, mass emails, or even school meal transactions. The IT team are then left to trawl the information, with little or no knowledge of the requestor or the information that is relevant to them. This can be disastrous for the SAR process.

Instead, consider which systems and which members of staff are likely to hold information- so in relation to pupils this is likely to be their main teacher/form tutor, head of year, pastoral and safeguarding leads. They are far more likely to know what information they hold about an individual pupil.

This means that work that would have taken hours, can be reduced to 10-15 minutes for a small number of selected staff.

5. Adopt a learning mindset from each request

Treat every SAR as a learning opportunity. Why has the request been made? Why might the requestor be frustrated with your school? What could be done better to prevent the need for the request in the first place?

Any complaints or information rights requests are a rich source of insight on what is going on in your school.

For instance, if you note that many of the SARs received relate to SEND, is your SENDCO effectively complying with your responsibilities to ensure that information is shared with parents under the SEND Code of Practice?

Start with improving the area where you receive the greatest number of requests to see a quick impact, rather than being overwhelmed by trying to tackle every function of the school at once.

The best way to manage SARs is not to receive them in the first place. Most requests are made by parents and staff who have an ongoing relationship with the school. By working proactively with them, and anticipating their needs as part of that relationship, it may be that you receive less requests, and your staff get the time to do the more proactive (and enjoyable) data protection work.

Summary

Whilst SARs present an increasing workload for school staff, they don’t need to continue to be overwhelming. Some preparation work to work with requestors and reduce the amount of material and locations you need to search can significantly reduce their impact. Focus your work to improve in the area where you receive the most SARs in the first place to see quick results.