When GDPR comes into force, it is important to keep in mind that Freedom of Information Requests (FOI) and Subject Access Requests (SAR) will still apply.
A FOI is, as it sounds, a request for information. This could be a copy of a policy, information about accounts or other information. The general position is that information should be disclosed unless an exception applies. For example; personal information should not be disclosed. Further, if the request would cost too much or take up too much time, then there is also a potential reason for refusal. Requests may also be refused if they are vexatious. However, it is the request itself (and not the person making it) that must be vexatious. Many FOI requests can be responded to in a straightforward way, although, if there are any concerns about a particular request then advice should be sought to see if an exception applies.
SARs are different to FOI, because with SAR a person is requesting a copy of all of the data held about them personally – this includes e-mails. So it is particularly important to keep in mind when sending e-mails about students, staff or parents that a SAR may mean that the e-mail could potentially be disclosed. Again, exceptions apply but these are more limited than those available for a FOI. An example of a SAR exception is legally privileged information; where advice being sought is in relation to a legal matter.
Under GDPR Information must be provided without delay and at the latest within one month of receipt. This can potentially be extended to two months.
In reparation for GDPR, it is always good to consider how your IT systems work and to ask providers how information can be recovered if a FOI or SAR is made as it will be necessary to be able to access this information if a request is made.