Dealing with a Subject Access Request

A topic we regularly get calls on at Law-Call is how settings deal with both personnel record requests from employees and information requests from parents or carers relating to their children.

When requests of this nature are made, they are called a subject access request (SAR) and the general principles for both types of requests are broadly similar.

First and foremost, an SAR is a request made by or on behalf of an individual for personal information that the organisation holds on them.

The law doesn’t set out any formal requirements for a valid request. An individual can therefore make a subject access request verbally or in writing – including by social media – providing it’s clear that the individual is requesting their own personal data.

GDPR doesn’t prevent a third party making the request on someone else’s behalf. You do, however, need to be satisfied that the third party making the request is entitled to act on behalf of the individual. Following a request, you must comply without undue delay and, at the latest, within one month of receipt.

You should calculate the time limit from the day you receive the request – whether it is a working day or not – until the corresponding calendar date in the next month or, if there isn’t one, the last day of the following month. If the date falls on a weekend or a public holiday, you have until the next working day to respond.

If a request is made for a large amount of information, you may ask them to specify the related information before responding to the request. The time limit for responding to the request is paused until you receive clarification, referred to as ‘stopping the clock’.

In most cases, you cannot charge a fee for dealing with an SAR.

The information you hold about a child is the child’s right rather than anyone’s else’s – even if they are too young to understand the implications or the right is exercised by those who have parental responsibility for the child.

It’s usually appropriate to let the holder of parental responsibility exercise the child’s rights on their behalf. If a parent or guardian makes an SAR on the child’s behalf, you should also consider:

any court orders relating to parental access or responsibility that may apply
any duty of confidence owed to the child or young person
any consequences of allowing those with parental responsibility access to the child’s information (which is particularly important if there have been safeguarding or legal issues)

Those with parental responsibility for children can also request a copy of their child’s pupil record.

In the Data Protection Act 2018, an exemption exists stating that you do not have to comply with an SAR if doing so means disclosing information that identifies another individual, except where the other individual has consented, or it is reasonable to comply without consent.

So, although you may sometimes be able to disclose information relating to a third party, you need to decide whether it’s appropriate to do so in each case. This decision involves balancing the rights of both parties.

To help you decide whether to disclose information relating to a third party, follow this three-step process:

Does the request require disclosing information that identifies another individual?
Has the other individual provided consent?
Is it reasonable to disclose without consent?

You should consider whether it is possible to comply without revealing information that relates to and identifies another individual. As your obligation is to provide information rather than documents, you may delete names or edit documents should the third-party information not form part of the requested information.

The law says that you must consider all the relevant circumstances, including:

the type of information that you would disclose
any duty of confidentiality owed to the third party
any steps taken by you to try to get the third party’s consent

Confidentiality is one of the factors you must consider when deciding whether to disclose information about a third party without their consent. A duty of confidence arises where an individual discloses genuinely ‘confidential’ information to you, with the expectation that it remains confidential.

In most cases, where a duty of confidence does exist, it’s usually reasonable to withhold information, unless you have the third party’s consent to disclose it. Any employment reference provided in confidence is exempt from disclosure. This means that if an organisation receives a request, confidential employment references about the individual making the request, whether created by that organisation or received from a third party, will be exempt from disclosure.