We often see a rise in the number of Subject Access Requests received by schools at the end of term or at the end of the academic year.  This article, therefore, covers guidance and support around subject access requests, how to recognise them and how to respond.

What is the right of access? Commonly referred to as a subject access request (SAR), gives someone the right to obtain a copy of their personal information from your organisation.

Do people have to submit a request in a certain format? No, a request could be verbally or in writing, including social media.  Sometimes people mistakenly send a 'FOI' that is really a request for personal data under the Data Protection Act.  Organisations must be able to recognise a request even when it is mis-labeled. 

Ensure everyone in your organisation can recognise a subject access request and knows what to do.

What can we do if the SAR arrives on the last day of term? The 30 day time limit for a subject access request does not warrant an extension.  It is important that the organisation discusses the situation with the data subject if they feel they will not meet the deadline.  On occasion, where the data is unavailable because the organisation is completely closed, it may be possible to agree with the requester that it will be dealt with by a certain deadline upon the organisation's return.  It is always worth remembering that they are not obliged to agree and all effort to respond as soon as possible should be made.  If you are a Data Protection Education customer then please contact us for support and help with this and consider putting an out of office message, making it clear the mailbox is not monitored, with a message: "If you have an urgent data protection concern or query, please contact our data protection officer at: This email address is being protected from spambots. You need JavaScript enabled to view it.."

SAR Guidance:

The ICO has published some guidance: SARs for employers.

As recommended by the ICO, there are simple ways to make your next subject access request easier to handle:

1. Plan ahead
2. Practice good records management
3. Train your staff
4. Check you've understood

The full guidance can be read here: Simple ways to make your next subject access request easier to handle.The ICO offers a webinar on subject access requests and talks though everything you need to know to prepare and answers some of the common questions about SARs: How to make your next subject access request easier to handle. 

If you are short on time, there is a two minute video: Two minutes on subject access requests.

There is a step by step video guide on how to deal with the request: How to deal with a request for information: a step-by-step guide.If you are a Data Protection Education customer we would recommend logging on the Knowledge Bank and adding a Data Rights Log from the the Dashboard; answering all of the questions on the form will ensure you log all the relevant information.  You can also email: This email address is being protected from spambots. You need JavaScript enabled to view it. which will raise a ticket with the team but will not add it to the data rights log.  We always recommend that a subject access request is added to the data rights log where possible for auditing and reporting purposes.  Further information about how to use the Knowledge Bank for logging a SAR:

Further help and advice can be found in our Subject Access Requests Best Practice Library, which also includes awareness and training information for staff. If you are unsure about what data to disclose, please contact us for further advice.   Safeguarding data can cover a wide range, and while child abuse data does not have to be shared, given it could cause harm to the child if it is divulged, there is not a 'blanket' no to all safeguarding data.  In this instance, consulting with the DSL in your school may provide the best advice.  Remember that just because information resides in a system designed for holding safeguarding data, it does not necessarily mean that all data within it is safeguarding data. The ICO recently tweeted the following link about withholding information when responding to a SAR: https://t.co/r0aMvktIFT - exemptions must be applied on case-by-case basis.

This article gives further guidance about information schools can share: Dealing with Subject Access Requests

How will I know what to redact?

Review our Redaction Best Practice Library because in order to comply with a SAR, organisations may be required to provide some information that identifies another individual.  In order to protect their data protection rights this personally identifiable information must be removed by editing the document before release.  We provide further redaction guidelines:  document Redaction Guidelines (166 KB) . 

Data Protection Education provides a free redaction tool to all of its customers available from the Knowledge Bank Dashboard widget which follows the redaction guidance provided by the ICO: How to disclose information safely. Although redaction is not part of our usual SLA service it is something that Data Protection Education can provide as an additional service if you feel unable to manage this yourself.  We can give quotes for an 'all you can eat' type of service or a 'pay as you go' service. If this is a requirement please email: This email address is being protected from spambots. You need JavaScript enabled to view it.for prices.