GDPR

When can you refuse a request?

This article gives some information around refusing a request for personal data.


Actions to undertake

When you refuse a request, you must:

  • Respond within 1 month
  • Explain why you're refusing the request
  • Tell the individual they have the right to complain to the ICO
  • Tell the individual they can seek to enforce their subject access right through the courts

You don’t have to confirm whether you hold the requested data.

Unfounded or excessive requests

Requests that are "manifestly unfounded or excessive" can be refused. This might be where a request is repetitive or asks for further copies of the same previously supplied information.

If you decide to fulfil such a request, you can charge a reasonable fee for you to comply, based on the administrative cost of providing the information. You'd need to contact the requester promptly to inform them of the fee, and you wouldn't need to comply with the request until you'd received it.

 

Concerns about "serious harm"

You can refuse requests for certain types of data if you believe they meet the "serious harm" test, meaning sharing the information would be likely to cause serious harm to the physical or mental health of any individual.

This applies to:

  • Education data (i.e. personal data kept in educational records)
  • Social work data

Similarly, you can refuse requests for child abuse data from anyone with parental responsibility for a pupil if sharing the data would "not be in the best interests" of their child. This will cover any information as to whether a child is or has been the subject of child abuse, or may be at risk of it.

Conversely, you shouldn’t share any health data via a request unless, within the last 6 months, you’ve been told by an appropriate health professional that the serious harm test is not met.

Even if you've been informed of this in the last 6 months, you must re-consult with the appropriate health professional about this if it would be reasonable for you to do so.

 

Information that includes others’ personal data

You don’t have to comply with a request for information that includes personal data about an individual other than the requester or their child, except if:

  • The other individual has consented to the disclosure; or
  • It’s reasonable to comply with the request without that individual’s consent

In determining whether it’s reasonable to disclose the information, take into account the relevant circumstances such as:

  • The type of information that you would disclose
  • Any duty of confidentiality you owe to the other individual
  • Any steps you've taken to seek consent from the other individual
  • Whether the other individual is capable of giving consent
  • Any express refusal of consent by the other individual

Consider as well whether you can redact or change the format of the data so the other individual is suitably anonymised.

Do note that it is considered reasonable to disclose information about ‘education-related’ workers at your school without consent so long as the information relates to their employment.

For example, if you’ve received a request for a pupil report written by a teacher, you won’t need to redact the teacher’s name or seek consent from them to share the report.

 

Other exemptions

There are other types of personal data you can refuse to share with a requester, such as information related to:

  • Crime, if disclosing the personal data would be likely to prejudice the prevention or detection of crime, or the apprehension and prosecution of offenders
  • Immigration, if disclosing the personal data would prejudice the maintenance of effective immigration control
  • Legal professional privilege - check with a legal expert if you're not sure whether this privilege applies
  • Management forecasts, such as planned redundancies or restructuring
  • Negotiations, such as if you are negotiating about a pay rise or promotion
  • Confidential references, regardless of whether you have sent or received such a reference
  • A candidate's exam script, but this exemption doesn't apply to information recorded by the person marking the exam (although there are special rules where this information includes unannounced exam marks)

Read more about this, including the special rules for exam marks, in guidance on exemptions from the ICO.

If you're unsure about whether you can refuse a request, contact the ICO for advice.

Information taken from 'The Key for School Leaders' website.