The Rise in Complex Data Requests
This is a summary taken from Judicium’s GDPR ‘Sofa Session’ from the 5th of February, with our Data Protection Consultant Laura Kemsley. This session covered how to get Subject Access Requests right, how to handle data access requests, some common pitfalls to avoid, and whether data subject access requests can be refused.
What is a Complex SAR?
Subject Access Requests (SARs) have significantly increased over the past year, with many becoming increasingly complex. This rise is primarily due to greater awareness of individuals' data rights.
But what exactly makes a SAR complex? According to the Information Commissioner’s Office (ICO), some of the key factors include:
- Technical difficulties in retrieving information (e.g., archived data).
- Applying exemptions involving large volumes of sensitive information.
- Issues surrounding the disclosure of a child’s information to a legal guardian.
- Specialist work required to obtain or present information intelligibly.
- Confidentiality concerns around disclosing medical information to a third party.
- Seeking specialist legal advice (routine legal discussions do not make a SAR complex).
- Searching through large volumes of unstructured manual records.
However, simply having a large amount of information or requiring extra time to respond does not automatically classify a request as complex. Additionally, relying on a data processor to provide information does not make a SAR complex.
Managing Complex SARs Effectively
Handling complex SARs correctly is crucial to avoiding complaints from requesters or, worse, the ICO. Key considerations include:
Managing Delays Transparently
Delays are common with complex SARs, but clear communication is essential. If a request is deemed complex, organisations may extend the response deadline from one month to three months. Informing the requester about the delay and the reasons behind it can help prevent frustration.
Careful Redactions
Redacting information appropriately is vital to avoid breaches. Keep a record of redaction decisions in case of queries or ICO investigations. While these records don’t need to be shared with the requester, they provide crucial evidence if a complaint arises.
Being Transparent About Searches
Providing clarity on search efforts can prevent unnecessary follow-ups. Consider sharing details such as:
- Search terms used (e.g., full name, initials, staff codes).
- Systems searched (e.g., CPOMS, MIS, emails, communication platforms).
- Departments contacted.
- Whether physical files were examined.
- The timeframe covered by the searches.
Common Pitfalls to Avoid
Organisations frequently encounter challenges when handling SARs. Some common pitfalls include:
- Inadequate Redactions Leading to Data Breaches - failing to properly redact data can result in breaches and undermine trust. Implement a process where key personnel, such as the Headteacher and School Business Manager (SBM), review redactions.
- Lack of Staff Awareness - SARs can be missed if staff are unaware of their responsibilities. Providing training ensures that SARs are recognised and forwarded appropriately.
- Incorrectly Applying Exemptions - misapplying exemptions can lead to complaints and ICO intervention. Always verify exemptions carefully and consult the Data Protection Officer (DPO) when in doubt.
- Overuse of Blanket Safeguarding Exemptions - schools cannot withhold all safeguarding information under a blanket exemption. Each record must be assessed individually.
- Failing to Meet Deadlines Without Communication - delays must be communicated to the requester. Regular updates ensure transparency and maintain trust.
We always recommend talking to your DPO before you apply any exemptions or refuse the entire request.
Can SARs Be Refused?
Yes, but not simply because they are complex. SARs can only be refused if they are:
- Manifestly unfounded
- Manifestly excessive
What do you mean by manifestly unfounded?
This is when the individual clearly has no intention to exercise their right of access. For example, if an individual makes a request but then offers to withdraw it in return for some form of benefit.
A request can also be manifestly unfounded when it is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption, e.g., the requester explicitly states that they intend to cause disruption, or they systematically send different requests to you as part of a campaign with the intention of causing disruption.
NB: You must consider the context of the request; if the individual genuinely wants to exercise their rights, it is unlikely that the request is manifestly unfounded.
Whilst the use of aggressive or abusive language is not acceptable, the use of such language does not necessarily make a request manifestly unfounded.
Refusal should not be automatic, even in these cases. Instead, consider discussing the request with the individual to clarify what they need. Keeping a record of previous requests can help justify refusals if necessary.
What is meant by manifestly excessive?
It is important to note that this will rarely apply. The inclusion of the word ‘manifestly’ means that there must be an obvious or clear quality to the excessiveness.
Can a SAR Be Refused Due to a Non-Disclosure Agreement (NDA) or Tribunal?
No – The right to access personal data remains, regardless of NDAs or ongoing legal proceedings. However, exemptions like legal privilege may still apply.
For a request to be considered manifestly excessive, the ICO state that you should consider all the circumstances of the request, including:
- the nature of the requested information;
- the context of the request, and the relationship between you and the individual;
- whether a refusal to provide the information or even acknowledge if you hold it may cause substantive damage to the individual;
- your available resources;
- whether the request largely repeats previous requests, and a reasonable interval hasn’t elapsed; or
- whether it overlaps with other requests (although if it relates to a completely separate set of information, it is unlikely to be excessive).
We wouldn’t be able to do this just because the request is large. We must consider all circumstances. This is where we should consider asking the requester to narrow down or clarify what they want or provide us with more information to locate what they want. We have seen in many circumstances that an individual doesn’t really know what they are asking. Therefore, it is useful to have a conversation with the individual who can then clarify what information they are after.
N.B. When having a conversation with the requester, it is important that you do not ask why they are making a request.
If you do start receiving several requests from the same individual, we recommend keeping a clear record of the requests, i.e., when the request was made, what searches were made, search terms and what was provided. This helps evidence the requests if we do decide in the future to refuse the request as manifestly excessive.
We would always recommend seeking advice from your DPO before applying any of these exemptions or before deciding to withhold all the data.
Key Takeaways
- Maintain transparency and clear communication with requesters.
- Document decisions regarding redactions, exemptions, and delays.
- Consult your DPO before refusing requests or applying exemptions.
Handling SARs effectively reduces complaints, protects data, and ensures compliance with legal obligations. By staying informed and proactive, organisations can navigate complex SARs with confidence.
© This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attend and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium preventing you from accessing our sessions and/or follow-up content.