Subject Access Requests (“SARs”) intertwine with a data subject's right to access and receive a copy of their personal data, and other supplementary information. This falls under the rights and freedoms of natural persons within the GDPR, rights that allow data subjects to have a sense of autonomy over their personal data. When a school is faced with a SAR, they must collate every piece of relevant data and present it to the data subject within a reasonable timeframe. However, it is not as simple as just collecting the data and presenting it to the data subject. Knowing what data to include, who can request a SAR, and what classifies as presentable data can complexify the process exponentially if you are not informed on the ins-and-outs of SARs.
SAR is a term used for when a data subject requests a document with the personal data of theirs that your school, as the data controller, has processed. This may happen when a data subject is not happy with the way that their data has been processed, and it is well within their rights to make a request. This falls under the rights and freedoms of natural persons in the GDPR, there are eight rights that data subjects have which allow them to keep as much autonomy over their data as they can.
SARs can range in request size, some data subjects will want to see all of the data you have processed for them, and others will only want to see specific processes. SARs aren’t always huge projects that you’ll have to set aside a copious amount of time for, but that doesn’t mean that you shouldn’t be prepared for them.
Anyone that your school processes data for can make a SAR, this this includes:
It is important to note that parents/carers may want to request to see their child’s data. However there are certain situations where this is not applicable. For example, if a parent/carer would like to access counselling notes between the school and the child, the school must consider the benefit of the child. Due to safeguarding reasons, it may not be safe to disclose information due to the overriding need to protect the child. There are also subjective rules around when a child is old enough to take authority over their own data. Data protection consultant, Claire Archibald, discusses this further in our Education Privacy Magazine.
In order to ensure that a subject access request can run smoothly, there are certain processes that must be kept in order to collate the processed data as quickly as possible, staying within the required timeframe of one calendar month. When a data subject understands their rights and freedoms within GDPR, they can submit a SAR whether your school has a fully developed compliance programme or not. This can make for a frantic run-around, trying to find every piece of data that the data subject has requested.
One way to accelerate the process of a SAR is to ensure that there is an adequate mapping of your school’s data in place. Data mapping helps your school visualise how data travels throughout your school network. In documenting where exactly data is being processed, schools are able to visualise where every piece of data is held, meaning that it is easier to find if needs be. 9ine’s Records of Processing function on the 9ine App allows you to evaluate and initiate assessments along a guided workflow. Not only do records of processing help when a data subject requests to see their data, but also when evaluating the risks associated with that type of processing.
Benchmark your school’s compliance with the 9ine Privacy Framework. The Information Commissioner’s Office (ICO) promotes the use of using a framework for your compliance programme. 9ine’s Privacy Framework is education specific, allowing your school to advance compliance in the most efficient and effective way, being able to visualise and benchmark your compliance with the GDPR. Through catering your programme to the 9ine Privacy Framework, coming into contact with a SAR will no longer be a daunting process.
How else can 9ine help?
A substantial part of compliance in schools is centred around understanding your obligations. Whether your school is at the beginning of its data protection compliance programme, or well into it, 9ine’s training services are able to educate at all levels. Alongside this, we understand that there is a lack of applicable and instructional training focussed on data privacy and technology hardening. The 9ine Technical Academy and the 9ine Privacy Academy are designed to give you instructional, applicable, and understandable guidance towards data privacy and system hardening.
DPO Essentials follows 9ine’s modular data privacy framework. An expert consultant leads your team through the development and implementation of a privacy management programme. It also provides you with access to 9ine’s advisory support, training, template documentation, regular data protection meetings, auditing capabilities, annual cyber vulnerability penetration testing and service desk expertise to develop and advance your school’s Data Privacy Office.
If your school would like more information on how 9ine can help you in preparation for SARs or any other data privacy compliance issues