- About us
- About colleges
-
Corporate services
- Corporate services
- Mental health and wellbeing
- Data Protection/GDPR
-
Employment Services - college workforce
- Employment Services - college workforce
- Employment: How we support members
- Introduction & Employment Helpline
- Absence & Sickness Management
- Contracts and T&Cs
- Disciplinary, Capability & Grievance
- Employment Briefings Library
- Equality, Diversity & Inclusion
- General Employee Relations & HR Issues
- Holiday/annual leave related
- Industrial Relations
- ONS reclassification related guidance
- Pay & Pensions
- Recruitment
- Redundancy, Restructuring & TUPE
- Safeguarding/Prevent
- Workforce Benchmarking, Surveys & Research
- Governance
-
Projects
- Projects
- Get Involved!
- Projects: How we support members
- Resources
- The 5Rs Approach to GCSE Maths Resits
- Apprenticeship Workforce Development (AWD) Programme
- Creating a Greener London – Sustainable Construction Skills
- Erasmus+ EXPECT Project
- Digital Roles Across Non-digital Industries
- T Level and T Level Foundation Year Provider Support Programme
- The Valuing Enrichment Project
- Higher and Extended Project Qualifications
- OfS - Higher Education Social Prescribing Project
- Pears Foundation Youth Social Action Programme: Phase 2
- T Level Professional Development (TLPD) Offer
- T Level Curriculum Macro-Sequencing
- Contact the Projects Team
- DfE Multiply Capability Support Programme
- Creative Arts in FE 2024 – developing student voice through creativity
- Resources/Guidance
- Sustainability & Climate Action Hub
- Partnerships
- Honours Nomination
- Brexit
- Recruitment and consultancy
-
Events and training
- Events and training
- Events
- T Level & T Level Foundation Year Events
- Events and training: How we support members
- Network Meetings
- Annual Conference & Exhibition 2023 Resources
- Previous Events & Webinars
- In-House Training
- Senior Leadership Development Programme
- Introducing AoC's Early Career and Experienced Middle Managers Programme
- Sponsorship & Exhibition Opportunities
- Funding and finance
-
Policy
- Policy
- Meet the Policy Team
- Policy: How we support members
- Policy Areas
- Policy Briefings
- Submissions
- Policy Papers & Reports
- AoC Strategy Groups
-
AoC Reference Groups
- AoC Reference Groups
- Adults (inc. ESOL) Reference Group
- Apprenticeship Reference Group
- Technology Reference Group
- HE Reference Group
- 14-16 Reference Group
- Mental Health Reference Group
- 16-18 Reference Group
- SEND Reference Group
- WorldSkills Reference Group
- HR Reference Group
- Sustainability & Climate Change Reference Group
- EDI Reference Group
- Opportunity England
- Research unit
-
News, campaigns and parliament
- News, campaigns and parliament
- General and mayoral election resources
- Comms advice and resources for colleges
- AoC Newsroom
- AoC Blogs
- Work in Parliament
- AoC Campaigns
- Briefings
- Contact the Communications, Media, Marketing and Research Team
- Communications, media, marketing and research: How we support members
-
Equality, diversity and inclusion
- Equality, diversity and inclusion
- Equality, diversity and inclusion blogs
- AoC’s Equity, Diversity and Inclusion Charter
- Diversity in Leadership
- Black FE Leadership Group and AoC partnership agreement
- AoC's Equity Exchange
- Equality, diversity and inclusion: how we support members
- Equality, diversity and inclusion case studies
- Home
- News, campaigns and parliament
- AoC Newsroom
- The Hot Topic of Subject Access Requests
The Hot Topic of Subject Access Requests
by Graham Francis, AoC Workshop Facilitator
The introduction of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 have resulted in major changes in how we need to consider and process personal data within any organisation.
We have moved from a regime which focused more on the security of personal data to one where we need to consider the rights of the individual at all stages of data processing.
These new rights have given the data subject more power in the way in which their data is processed as well as significant rights to view and obtain a copy of the data that an organisation holds on them.
The introduction of GDPR saw an immediate rise in the number of Subject Access Requests many organisations received and (this coupled with an often false understanding of the ‘right to erasure’) has seen organisations needing to consider each application as it is received.
Many organisations state that this request needs to be made in writing although the regulation itself does not indicate the format in which the request must be made. In fact Recital 59 of GDPR recommends that data controller should provide means for the request to be made electronically especially where the processing of processing of personal data is carried out electronically.
Providing a means by which a data subject can access their own data will obligate an organisation from some of the requirements of carrying out a subject access request if that information is already available. Further good practice would be to be to introduce a means by which a data subject can make a Subject Access Request electronically through the use of an electronic form and to provide the requestor with an opportunity to clearly state what personal information they actually require.
It should be remembered that a request for “all of my data” might be considered excessive however current guidance dictates that ‘excessive’ does not refer to ‘all of my data’ but to a request overlapping with other requests or one that repeats the substance of previous requests and that a reasonable period of time has not passed since the previous request was made. Whilst this guidance now provides a definition for excessive it is not clear ‘what a reasonable amount of time’ might be.
In all cases a statutory period 30 days is in place in which to make a response is in place. It should also be noted that a minor change to the interpretation of when this period begins has been introduced with day 1 now being considered as the day on which the request was received. In the light of this it might be prudent for organisations to adopt a period of 28 days in which to make a reply rather than the statutory period.
The introduction of GDPR has led to many organisations having to carefully consider how they share personal data with third parties such as parents and support services. It is clear from GPDR that the personal data is that of the individuals and should not be shared under normal circumstances with anyone else without their permission (i.e. Consent).
However for many years in education we have followed a “carrot and stick” policy when reporting student progress to their parents, it would now appear that we need the students’ permission to do so. Therefore we ideally need to gain their Consent (in an affirmative manner) as part of the enrolment process, ideally when they are committing to studying at the organisation in order to continue this process.
We also need to consider what to do when an individual no longer wishes to share their progress with others. It is after all their data and not of their parents. In these circumstances it is probably best for that hard conversation to take place between the respective parties and not with the organisation itself.