Last summer, I made a Subject Access Request to my previous school. There were a number of issues that I wanted to be sure about.
The first set of data I received was suspiciously minimal. Many documents that I remember were not included.
So, I made another request.
This time, it took an age to arrive - the documents I had hoped for were still not included. And some of the intel related to two other individuals called Alex. I jest not.
Frustrated, I ended up making a complaint to the ICO about the way the school had dealt with the issue. The ICO is the ‘UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.’
Here are extracts of the results of their investigation.
________________
Dear Alex,
Thank you for raising data protection concerns about [the] School.
(…)
Subject access
They received your first subject access request on 28 May 2021 and this was responded to on 25 June 2021. You explained to us that as you considered data to be missing you made a second request to them. They have confirmed that they received this request on 27 June 2021. This request was responded to on 7 September 2021.
We have considered all the information provided and we are of the view that the school has not complied with its DPA obligations in this instance. The DPA states that an organisation has a calendar month to respond to a request. The school failed to fully respond within the statutory timeframe. This is an infringement of the DPA.
The school has explained that the delay occurred as the SAR statutory timeframe overlapped with the school holiday period and no staff were available to work on the request. The DPA does not allow for an extension because of school holidays, therefore a school should factor in holiday periods and take steps in order to comply with the timescales.
We note that the school did make you aware that it would not be responding to your request until after the summer holidays, which can be deemed as good practice but nevertheless, it did fall short for the reasons stated above.
Disclosure
Moving on to the disclosure of third party data, you did raise this with the school on 20 September 2021. In an email to the school you told them that they had sent to you data relating to two other individuals with the name Alex.
From what you have explained to the ICO this is likely to be an infringement if third party data has been inappropriately disclosed to you. It is probable that the data should have been redacted/removed or a summary of just your data supplied to you.
Once the school has investigated this, we will ask them to confirm if an infringement has occurred. That said, we will still make recommendations to the school on this issue.
The school has apologised on this point and admits that at the time no steps were taken to investigate this matter. The ICO raised this directly with the school and we note that you have now been contacted about this issue.
We will liaise with the school on this matter as you have been advised by the local authority that you should not have any contact with the school. We do note that your Union has recently raised this fact with the school, but we will also reiterate the point. It is a great shame, but had the school initially acted when you first brought this to their attention, the issue of you having no contact with the school would have been avoided.
We will follow this up with the school and ask them to keep us updated.
(…)
There are no further actions for us to take, but we have decided to keep a copy of the concerns that you have raised on file. This will help us to build up a picture of the school's information rights practices. Should we receive further concerns about the school we may take this case into consideration when deciding regulatory action.
Thank you for bringing this to our attention.
________________
It was all very revealing of the system that has been established at the school: a system of smoke and mirrors. Since then, the ICO has been in touch with me and I was informed that there had been no data breach - as no significant third party data had been disclosed to me.
However, this decision was based on two documents that I sent the ICO that I had to track down myself because the school, who should have been responsible for this task, refused to do so. There are more documents but this will mean that I will need to sift through hundreds of others – something to look forward to on a rainy day...