The summer of last year saw a slew of headlines linked to information being obtained via subject access requests (“SARs”).
Whether it was Nigel Farage’s request to Coutts, the then shadow education secretary’s repeated requests to the Independent Schools Council, or Nadine Dorries’s refusal to resign until she received a SAR response from the government, the use of a SAR – or at least its media exposure – seems to be on the rise.
The statistics published by the Information Commissioner’s Office (“ICO”), the regulator for data protection, seem to back this up. From April 2022 to March 2023 the regulator received more than 15,848 complaints related to SARs. This accounts for 37 percent of all data protection complaints received by the ICO and includes complaints made about how independent schools have dealt with SARs. More recent statistics confirm this upward trajectory.
When I speak to school staff about their experiences of dealing with subject access requests there can be little positive to say. A frequent word I hear used to describe a SAR is that it is a “nightmare”. I can see why. By the time a school contacts me for advice they may have gone to great lengths to retrieve a colleague’s data that has been requested. They may have started to trawl through reams of school records and emails or are dreading the prospect of doing so.
Not only that, but SARs can be ill-timed. They are often received when a school already has plenty on its plate dealing with the same colleague who, for instance, has also raised a grievance or issued a tribunal claim. They may also be received just before or during school holiday periods.
Back to basics
Let’s take a step back to understand what a SAR is. It is a request made by any individual to an organisation, including schools, for access to their personal data that may be held by the organisation.
SARs have existed in data protection law for decades, but the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 have strengthened this right of access. Requestors no longer have to pay to make a SAR and there is more focus on organisations being open with individuals about their data rights. This may explain why SARs are on the increase.
Nowhere is this rise more apparent, at least anecdotally, than when it comes to requests for staff or HR data. Readers may be aware of colleagues past or present asking their school for their personal data. This could be HR records, sickness and attendance records and performance and disciplinary records. It also extends to CCTV footage, internal school emails and social media messages, to name a few examples.
Schools can also receive requests from job candidates – particularly those that didn’t get the job and want to dig into why not.
ICO guidance
In light of the number of ICO complaints it is perhaps not surprising that the regulator has said that employers regularly misunderstand the nature of SARs or underestimate the importance of responding to requests, and that organisations which fail to respond to SARs promptly, or at all, can be subject to fines or a reprimand.
To support employers to respond to SARs from current or former members of staff, and to address the high number of complaints, the ICO has published guidance for employers on dealing with SARs.
The ICO guidance is in a Q&A format and refers to, and reinforces, the relevant parts of the ICO’s detailed subject access guidance. Some of the more pertinent topics in the ICO guidance, as far as schools are concerned, are set out below.
Recognising and clarifying requests
The ICO guidance reminds employers that there are no formal requirements for a valid SAR. Requests may be made verbally or via social media and do not need to include the words ‘subject access request’ or mention a right of access. It could be as simple as a request for their HR file or, and this is an example used in the guidance: ‘Can I have a copy of the notes from my last appraisal?’
A request can be made to anyone in the school, but it is best practice to have a designated person to deal with it, and staff should know who this is so that requests can be passed to them as soon as possible.
Regardless of how it is received, schools have one calendar month to respond, but where it is a complex request a total of three months can be taken if necessary.
The ICO is clear that employers can ask staff to clarify the scope of their SAR, particularly if it is necessary to interpret the request in good faith and where the organisation holds a large amount of information about the member of staff, e.g., if the requester has been employed for many years.
Refusing to respond
A request can be refused in its entirety, or a reasonable fee can be charged, where it is ‘manifestly unfounded’ or ‘manifestly excessive’. Put very simply, this is where a requestor lacks any genuine intention to access their data, or it is a repeated request.
The ICO guidance gives an example of a ‘manifestly unfounded’ request as one where an employee makes a SAR but offers to withdraw it in return for a payment.
It can be difficult to meet these criteria and any refusal to respond should be backed up with evidence. The ICO can understandably be reluctant at times to accept arguments made on this basis.
This is not a straightforward area of data protection law and it will need to be carefully considered as requestors not getting any of the information they have requested are far more likely to make a complaint to the ICO.
Withholding information
Where schools are required to respond to a SAR, the requested information must be searched and collated for review. This is not to say that all the information collated may need to be disclosed. The ICO guidance sets out some of the exemptions which would permit schools to withhold certain information from employees, including where it contains:
- Other people’s data – including witness statements and whistleblowing reports
This covers where there is a ‘mix’ of personal data of more than one person. There is wide discretion for schools to determine what is reasonable in all circumstances. When it comes to witness statements made as part of internal disciplinary procedures, schools will need to consider the reasonable expectations of staff, any assurances of confidentiality and whether consent should be sought and has been refused, etc. This may result in some redactions to a witness statement or it may be withheld completely.
- Confidential references
Provided a reference is given in confidence, both references given and received can be withheld, as long as the reference relates to a person’s suitability for education, training, employment, volunteering, appointment to an office, or provision of a service.
- Management information
This includes information which, if disclosed, is likely to prejudice school activities, e.g. where premature disclosure of redundancies as part of a school reorganisation could cause staff unrest.
- Negotiations
This includes information which could prejudice a negotiation such as when negotiations over a severance package are ongoing.
Other considerations
Compliance with a SAR is required regardless of whether the requester has initiated a tribunal process or raised a grievance. Requestors must be allowed to search for a ‘smoking gun’ but exemptions may apply to withhold certain information.
If a member of staff leaves a school the ICO is unequivocal that their right of access to their data ‘cannot be overridden’ by a settlement or non-disclosure agreement. Limiting such rights under these agreements will be unenforceable under data protection law.
That said, we often advise schools that, although such provisions are unenforceable, they can act as a useful deterrent.
The future
Before the general election was announced, data protection reforms were slowly making their way through parliament. These reforms would have allowed organisations, including schools, to refuse to respond to vexatious requests amongst other welcome changes. The King’s Speech made the Labour government’s commitment to reforms in this area clear but a new Bill has not yet been introduced. It remains to be seen whether it will include changes to the rules on SARs.
In the meantime, and before the next SAR lands in your inbox, don’t forget to review what you already have on your devices about your colleagues and former colleagues to make sure it is still needed. Always keep in mind that anything you do record about them may be requested and this includes comments on personal devices or email/social media accounts used for school purposes.