The volume of Subject Access Requests made to the education sector looks set to increase markedly in line with other public sector organisations. It is vital that all education establishments have robust systems to effectively deal with all SARs as failure to do so could potentially lead to a data breach and possible fines and action from the ICO, as well as compensation claims from the subject of the request.
As a result of a range of concerns, the ICO has recently published a wide-ranging report focused on the handling of SARs across the education sector. The report is based on a number of reviews conducted by the ICO and is intended to ‘…help them and others in the sector recognise where they can make improvements.’ (Findings from ICO reviews of subject access request handling within educational establishments, November 2020).
During the reviews some key areas of good practice were identified. In total there were 8 aspects of good practice identified, and these were predominantly focused on the processes the educational establishments used as well as their existing information governance structures. For example:
- 87% had a nominated data protection lead who responded to SARs and the same proportion had received specialist SAR training.
- 62% maintained a central SAR log.
- 75% had an Information Asset Register (IAR) which listed the type and location of all the information they held.
Despite identifying some positive elements, the report went on to identify 40 separate key issues. We have listed some of the key issues below:
- Some establishments did not undertake annual refresher training for SARs.
- In some cases the Data Protection Officer (DPO) did not have oversight of the SAR specific training and line managers did not chase up staff who had not completed the available training.
- Available training and guidance was not always sufficiently detailed.
- Not all staff who were responsible for processing SARs had received specialist training.
- Not all establishments included information detailing how compliance with their policy on responding to SARs was governed and monitored.
- In some cases there were no detailed procedures for handling SARs.
- More than a third did not take the required action in relation to a SAR that was received in the school holidays, instead delaying any action until the start of the new term.
- 75% did not take steps to make sure that all third parties who processed their data understood their obligations in respect of any SARs made.
- In 50% of cases establishments only recognised SARs that were made in writing.
- Over 60% did not provide sufficient guidance on their website on how to make a SAR.
- In one case emails were being stored indefinitely.
Despite SARs being challenging and complex, there are a number of steps that schools, academies, colleges and universities can take to ensure they stay compliant in relation to SARs. The main recommendations to achieve compliance are:
- Ensure all staff receive clear SAR training which is refreshed annually.
- Ensure all staff who process SARs receive regular specialist training.
- Review and update all policies and procedures relating to how SARs are handled.
- Update information with all third-party data processors so they are clear on their obligations in relation to SARs.
- Ensure all data flow maps and the locations of all electronic and hard copy personal data are up to date.
The full report can be read at:
BLS Stay Compliant has years of experience of supporting organisations with SARs, both in terms of specialist training and direct support to process and respond to specific requests.
We support public sector organisations to ensure that they remain compliant across the full breadth of data protection. The team have over 85 years combined experience of working in the public sector, including one of our team who worked in the education sector for 25 years, including over a decade as a Headteacher.
We can support schools, MATs, colleges and universities with a range of specialist services and training packages.
- Data protection awareness for whole staff and volunteers.
- Awareness and compliance for governors and Trustees.
- Focused training for staff with specialist roles including Business Managers, Headteachers, Data Protection Officer (DPO) and Information Asset Owners (IAO).
- Subject Access Requests (SARs) – how to manage and reply to them, including the use of redaction.
- We can also support schools to identify key training areas and compile a Training Needs Programme.
- We can act as your designated DPO for a school or MAT providing regular support and guidance.
- Support with key data protection paperwork including Data Protection Impact Assessments (DPIAs), data flow mapping, risk registers, Privacy Notices and key policies.
- Support to respond to Subject Access Requests, including redaction and response letters.
- Full audits of all key Data Protection and GDPR policies and guidance.
- Physical security audits to ensure school and MAT sites are physically secure and so data is effectively protected.
- At the end of both audits a full report complete with recommendations will be issued.
If we can support you with any aspect of data protection compliance and training please contact us and one of the team will be happy to discuss your needs:
Tel: 01757 616885