- About us
- About colleges
-
Corporate services
- Corporate services
- Mental health and wellbeing
- AoC Student Engagement Charter
- Data Protection/GDPR
-
Employment Services - college workforce
- Employment Services - college workforce
- Employment: How we support members
- Introduction & Employment Helpline
- Absence & Sickness Management
- Contracts and T&Cs
- Disciplinary, Capability, Grievance & Harassment
- Equality, Diversity & Inclusion
- General Employee Relations & HR Issues
- Holiday/annual leave related
- Industrial Relations
- ONS reclassification related guidance
- Pay & Pensions
- Recruitment
- Redundancy, Restructuring & TUPE
- Safeguarding/Prevent
- Workforce Benchmarking, Surveys & Research
-
Governance
- Governance
- Governance: How we support members
- Governance Timeline
- Representation
- AoC National Chairs' Council
- National Governance Professionals' Group
- Code of Good Governance
- External Board Reviews
- Resources
- Governors Inductions
- Student Governor Inductions
- Student Governor Support Hub
- Guidance
- Hot Topics
- Governance Briefings
- Archive
-
Projects
- Projects
- Get Involved!
- Resources
- Contact the projects team
- Apprenticeship Workforce Development (AWD) Programme
- Creating a Greener London – Sustainable Construction Skills
- The 5Rs Approach to GCSE Maths Resits
- Creative Arts in FE 2024 – developing student voice through creativity
- DfE Multiply Capability Support Programme
- Digital Roles Across Non-digital Industries
- GCSE Resits Hub Project
- Pears Foundation Youth Social Action Programme: Phase Two
- T Level and T Level Foundation Year Provider Support Programme
- T Level Professional Development (TLPD) Offer
- The Valuing Enrichment Project
- Film London - Metro London Skills Cluster
- Resources/Guidance
- Sustainability & Climate Action Hub
- Partnerships
- Honours Nomination
- Brexit
- Ofsted Inspection Support
- Recruitment and consultancy
-
Events and training
- Events and training
- Events
- AoC Annual Conference and Exhibition 2024
- T Level and T Level Foundation Year Events
- Events and training: How we support members
- Network Meetings
- Previous Events and Webinars
- In-House Training
- Senior Leadership Development Programme
- Early Career and Experienced Managers' Programme
- Sponsorship and Exhibition Opportunities
- Funding and finance
-
Policy
- Policy
- Meet the Policy Team
- Policy: How we support members
- Policy Areas
- Policy Briefings
- Submissions
- Policy Papers & Reports
- AoC 2030 Group
- AoC Strategy Groups
-
AoC Reference Groups
- AoC Reference Groups
- 14-16 Reference Group
- 16-18 Reference Group
- Adults (inc. ESOL) Reference Group
- Apprenticeship Reference Group
- EDI Reference Group
- HE Reference Group
- HR Reference Group
- International Reference Group
- Mental Health Reference Group
- SEND Reference Group
- Sustainability & Climate Change Reference Group
- Technology Reference Group
- WorldSkills Reference Group
- Opportunity England
- Research unit
-
News, campaigns and parliament
- News, campaigns and parliament
-
Mission accepted
- Mission accepted
- Mission accepted: case studies
- Mission one: kickstart economic growth
- Mission two: make Britain a clean energy superpower
- Mission three: take back our streets
- Mission four: breaking down barriers to opportunity
- Mission five: build an NHS fit for the future
- Mission accepted resources
- General and mayoral election resources
-
Comms advice and resources for colleges
- Comms advice and resources for colleges
- Media relations: 10 ways to build effective relationships with the media
- How to choose a PR agency
- Legal considerations for communications and media work
- How to plan for a new build
- Crisis communications: your go-to guide
- How to handle photo consent for media and marketing
- How to evaluate a PR and media campaign
- How to react to regulation, funding and restructuring issues
- How to react quickly and effectively to the media
- Working with the media: a complete guide
- How to write a compelling case study
- How to write for the web
- Communications, marketing and campaigns community
- AoC Newsroom
- AoC Blogs
- College case studies
- Work in Parliament
- AoC Campaigns
- Briefings
- Communications, media, marketing and research: How we support members
-
Equality, diversity and inclusion
- Equality, diversity and inclusion
- Equality, diversity and inclusion blogs
- AoC’s Equity, Diversity and Inclusion Charter
- AoC’s Equity, Diversity and Inclusion Charter for further education sector organisations
- AoC’s Equity, Diversity and Inclusion Charter signatories
- Diversity in Leadership
- Black FE Leadership Group and AoC partnership agreement
- AoC's Equity Exchange
- Equality, diversity and inclusion: how we support members
- Equality, diversity and inclusion case studies
- ETF Inclusive Leadership Coaching Programme
- Equality, diversity and inclusion briefings
- Home
- News, campaigns and parliament
- AoC Newsroom
- The Hot Topic of Subject Access Requests
The Hot Topic of Subject Access Requests
by Graham Francis, AoC Workshop Facilitator
The introduction of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 have resulted in major changes in how we need to consider and process personal data within any organisation.
We have moved from a regime which focused more on the security of personal data to one where we need to consider the rights of the individual at all stages of data processing.
These new rights have given the data subject more power in the way in which their data is processed as well as significant rights to view and obtain a copy of the data that an organisation holds on them.
The introduction of GDPR saw an immediate rise in the number of Subject Access Requests many organisations received and (this coupled with an often false understanding of the ‘right to erasure’) has seen organisations needing to consider each application as it is received.
Many organisations state that this request needs to be made in writing although the regulation itself does not indicate the format in which the request must be made. In fact Recital 59 of GDPR recommends that data controller should provide means for the request to be made electronically especially where the processing of processing of personal data is carried out electronically.
Providing a means by which a data subject can access their own data will obligate an organisation from some of the requirements of carrying out a subject access request if that information is already available. Further good practice would be to be to introduce a means by which a data subject can make a Subject Access Request electronically through the use of an electronic form and to provide the requestor with an opportunity to clearly state what personal information they actually require.
It should be remembered that a request for “all of my data” might be considered excessive however current guidance dictates that ‘excessive’ does not refer to ‘all of my data’ but to a request overlapping with other requests or one that repeats the substance of previous requests and that a reasonable period of time has not passed since the previous request was made. Whilst this guidance now provides a definition for excessive it is not clear ‘what a reasonable amount of time’ might be.
In all cases a statutory period 30 days is in place in which to make a response is in place. It should also be noted that a minor change to the interpretation of when this period begins has been introduced with day 1 now being considered as the day on which the request was received. In the light of this it might be prudent for organisations to adopt a period of 28 days in which to make a reply rather than the statutory period.
The introduction of GDPR has led to many organisations having to carefully consider how they share personal data with third parties such as parents and support services. It is clear from GPDR that the personal data is that of the individuals and should not be shared under normal circumstances with anyone else without their permission (i.e. Consent).
However for many years in education we have followed a “carrot and stick” policy when reporting student progress to their parents, it would now appear that we need the students’ permission to do so. Therefore we ideally need to gain their Consent (in an affirmative manner) as part of the enrolment process, ideally when they are committing to studying at the organisation in order to continue this process.
We also need to consider what to do when an individual no longer wishes to share their progress with others. It is after all their data and not of their parents. In these circumstances it is probably best for that hard conversation to take place between the respective parties and not with the organisation itself.