Subject access request timescales
Everyone should know by now that the deadline for responding to a subject access request under the General Data Protection Regulation and the Data Protection Act 2018 is one calendar month.
This obviously means there can be a variation in the number of days, with months potentially lasting 28, 29, 30 or 31 days, depending on when the request is made.
Until recently the ICO's guidance was that they would expect requests to be completed within 30 days of receipt, with Day 1 being classed as the day after the request was received.
Well this advice has now changed!
Guidance from the ICO has been amended to say that a calendar month should be considered as 28 calendar days for the sake of consistency and that the day the request is received is now considered to be Day 1.
This obviously shortens even further the time allowed to gather and process the information being requested, consider any exemptions that may apply, and make any necessary redactions to the material being supplied to the applicant.
Make sure your staff know the revised time-frame and stress that it is even more important that the school's Data Protection Officer is alerted to the fact a SAR has been received as soon as possible.