Get your Data Protection Ready for Summer Holidays

Posted 10th July 2024

This is a summary taken from Judicium’s Data Protection ‘Sofa Session’ from the 10th of July, with our Data Protection Consultant Lane Baker. This session focused on SARs and FOIs received just before or during holidays, steps you can take to make sure your school does not infringe data related rights and practical tips to put in place now.

How to Handle data requests that arrive as the academic year ends

Judicium know there will be an increase in SARs received in the Summer term before you break up for holidays. The main tip is not to panic, but to put steps in place to manage the requester’s expectations and ensure you are transparent.

What are the key differences in timescales for Subject Access Requests (SARs) and Freedom of Information Requests (FOIs)?

For Subject Access Requests, the statutory deadline to respond to the request is one calendar month. This period begins on the exact date of receipt, and there is no official, statutory guidance for extending the deadline due to school closures. There is guidance on situations where an extension may be deemed proportionate and/or necessary.

For Freedom of Information Requests, the statutory deadline to respond is 20 school days (or 60 days - whichever is shorter). The statutory deadline therefore takes account of closure periods, in which schools will take additional time to fulfil the request.

For both requests, your Data Protection Officer (DPO) would assist you in drafting a formal acknowledgement to set the deadline and request ID, clarification and/or consent where appropriate. They would also draft a final response once the data has been collated and is ready to send.

What should schools do during closure periods and how can they be transparent with requesters?   

Below are some helpful tips on how best to prepare for SARs, especially when received while the school is closed, or when minimal staff are available on site.

  1. Consistency – Judicium advise schools to create a checklist for staff to use.
    • The checklist can be drafted by a DPO or the key contacts within the school.
    • It is used to set key areas that must be considered when carrying out a SAR. Not all SARs will be the same but having a starting point with a list of areas to check will help when carrying out a “reasonable” search.
  2. Structured – Judicium’s best practice advice is to maintain organised, structured data within your organisation.
    • For instance, ensure your systems are managed effectively. Have processes in place such as only communicating about staff with initials or codes (similarly with pupils).
    • This means when a SAR is received, it is more likely to be reasonable to search with the same processes you apply.
  3. Accountable – This can apply in two ways:
    • Firstly, the organisation is accountable for ensuring requests are complied with, not individuals. Judicium advise sharing the responsibility and dividing tasks to ensure this can be completed within the deadline.
    • Secondly, to ensure accountability, Judicium advise maintaining an accurate request log and updating this with any extensions, reminding yourself of the deadlines to complete.
  4. Minimised – A key area that will assist in preparing for any data requests is retention.
    • Only retain data for as long as necessary for your intended purpose.
    • Have an email retention policy in place and review with your DPO how long it is necessary to store data.
    • Being transparent about retention processes and not storing data longer than necessary is highly beneficial for SARs.

Transparency during Closure Periods

It is important to always be transparent with the requester and to set reasonable expectations of when you will be able to provide them with the full response.

There is no statutory rule on extending SARs because of closures. During the summer term in particular, if you are not able to deal with the request, you should let the requester know the following immediately:
  • Why you can’t deal with the request
  • The length of the delay
  • When you expect the response to be ready by
  • Whether any information can be provided to them sooner

Practical Steps to Notify Requester of any Delays

  1. Send a newsletter or communication out to parents and staff or place a notice in the reception area.
    • Highlight that over the closure emails may or may not be monitored and therefore SARs/Data Requests may not be complied with within statutory deadlines.
  2. Have an out of office message stating:
    • The dates your school is closed from and to
    • Whether the inbox is monitored
    • A relevant alternative contact that can monitor throughout the period
  3. Have a key contact who is working throughout the closure as the named individual on out of offices.
    • You can review with your DPO any extension wording so you can be transparent with the requester as quickly as possible.
  4. You can have a dedicated data protection inbox, so SARs are easier to acknowledge and don’t get lost within generic emails.
  5. Clearly state within your policies what your process is during school closures – especially summer.

NB: The test for requiring an extension remains strict. Due to the legal restrictions, we recommend seeking advice from your DPO. If you are a Judicium Data Protection client, we will assist in drafting any appropriate wording.

Under what circumstances can a school have an extension for an SAR? 

Judicium has held discussions with the Information Commissioner’s Office (ICO) directly on this matter. The ICO confirmed they are sympathetic to schools for the strict approach that has been adopted regarding extensions during closure periods. However, an extension would only apply under the ‘complex request’ exemption as long as you had the correct processes in place, and you are being transparent.

This can only apply if the school is closed and there are no qualified staff on site to handle the SAR within the one calendar month. 

NB: This also applies if someone works across the period but doesn’t have access to the information to prepare all the requested data.

If you can, set out to the requester what data you can reasonably provide earlier and what will require additional time due to closure constraints. For instance, if some staff do have remote access and are able to provide some information, evidence that you are taking steps to action the request within the initial statutory timeframe.

Of course, the complex exemption cannot be applied as a blanket exemption; the reasoning just explored must be met. Therefore, for requests at other points throughout the year, you may not be able to apply this just because the requester has asked for a lot of information. For instance, if a request is over a half term, there might still be an expectation this can be fulfilled if staff are on site and you have taken steps to be prepared and organised to deal with this.

How can a SAR Appendix in your data policy help? 

It is essential you are including wording of your SAR processes within your policies. You can be transparent that during closures, you may require an extension as no staff will be on site to complete the request within the one calendar month.

The requesters will have this expectation from the outset and will be less likely to refer their request on to the ICO due to the delay.

NB: Speak to your DPO to draft the wording and to ensure it is specific.

How can a clear retention policy help with SARs? 

It is a legal requirement to keep a record of your processing activities. We recommend using a data map as it will assist you in reviewing your purposes for holding data and the lawful basis for certain data. If there is no purpose for storing the data, you are likely to breach the key principle of ‘data minimisation.’ As a result, data you hold longer than necessary will still be subject to a data subject access request.

Ensure staff are aware of how long data is stored, referring to your data retention policies or processes in place, including general file management and how long to keep staff records once they have left the school.

Data is also held in other areas such as:

  • Emails – Use a two or three-year retention period set up on emails.
    • In most cases, you may hold data that has no necessary purpose to store and should be deleted.
    • Decide on a case-by-case basis where you feel there is a reason to store longer. These emails can be stored in a more organised way into your MIS, Safeguarding systems, your server, or folders.
    • Emails are often requested in a SAR. For schools without an email retention policy, the searches can yield thousands of results, which takes longer to process. You may feel an extension is warranted, but the guidance remains strict.
  • Software - Data entered may form personal data. Take additional steps to remove leavers from other systems (where possible) to ensure that you are:
    • Restricting use and managing access rights
    • Removing their data.

Top Tips:

  1. Utilise the summer period or quieter times to carry out the deletion of data and to review your HR and pupil records to ensure only necessary data is being kept.
  2. Your retention policy should be easily accessible and have best practice guidance in place for staff to test what information may need to be held for longer.
  3. Provide guidance on where to store emails when necessary to move away from emails becoming the filing system.

What about requests for exam information before results day? 

The simple answer is no.

The ICO have confirmed SARs requesting this data do not need to be answered until after issuing the exam results.

We would advise sending a response to the requester to confirm the results will remain confidential until after they have been issued. You can confirm you will contact the requester after the results are published to determine whether they still want to proceed with the subject access request. Your DPO should assist you in this.

Key Takeaways

  1. Set guidance throughout the year to help with the requests that come in these closures.
  2. Be transparent with the requester.
  3. Be confident and contact your DPO with any questions.

Additional Info

You can find information regarding our School Data Protection Officer (DPO) service here.

Jedu is Judicium's online GDPR compliance tracking software for schools. Our platform is suitable for single schools to large MATs and is designed to assist schools with two critical needs: To enable trustees, Governors and other SLT to monitor GDPR compliance; and to assist you managing your data protection.

If you would like more information on how we can support you or more information regarding Jedu, please get in touch with us.

If you require any support in any of these steps or would like to talk to someone surrounding some support for your school, please do not hesitate to call us on 0345 548 7000 or email georgina.decosta@judicium.com.

 Follow us on Twitter: @DPOforSchools and @JudiciumEDU

© This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attend and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium preventing you from accessing our sessions and/or follow up content.

