Best Practice Update

Subject Access Requests (SARs)

As we are in the last part of the school year, this is often the time that we see a rise in the number of Subject Access Requests received by schools.  This article, therefore, covers guidance and support around subject access requests, how to recognise them and how to respond.

What is the right of access? The right of access, commonly referred to as a subject access request (SAR), gives someone the right to obtain a copy of their personal information from your organisation.
Do people have to submit a request in a certain format? No, a request can be made verbally or in writing, including via social media. Sometimes people mistakenly send a 'FOI' that is really a request for personal data under the Data Protection Act. Schools must be able to recognise a request even when it is mislabelled.

The ICO have recently published some new guidance: SARs for employers.

As recommended by the ICO, there are simple ways to make your next subject access request easier to handle:
  1. Plan ahead
  2. Practice good records management
  3. Train your staff
  4. Check you've understood

The full guidance can be read here: Four simple ways to make your next subject access request easier to handle.

The ICO also provides a webinar on subject access requests that talks through everything you need to know to prepare and answers some of the common questions about SARs: How to make your next subject access request easier to handle

If you are short on time, there is a two-minute video: Two minutes on subject access requests.

There is a step by step video guide on how to deal with the request: How to deal with a request for information: a step-by-step guide.

If you are a Data Protection Education customer, we would recommend logging on to the Knowledge Bank and filling out a Data Rights Log; answering all of the questions on the form will ensure you log all the relevant information. You can also email dpo@dataprotection.education, which will raise a ticket with the team but will not add it to the data rights log. We always recommend that a subject access request is added to the data rights log where possible. Further information about how to use the Knowledge Bank for logging a SAR: 

Further help and advice can be found in our Subject Access Requests Best Practice Library, which also includes awareness and training information for staff. If you are unsure about what data to disclose, please contact us for further advice.

Safeguarding data can cover a wide range, and while child abuse data does not have to be shared, given it could cause harm to the child if it is divulged, there is not a 'blanket' no to all safeguarding data. In this instance, consulting with the DSL in your school may provide the best advice. Remember that just because information resides in a system designed for holding safeguarding data, it does not necessarily mean that all data within it is safeguarding data. The ICO recently tweeted the following link about withholding information when responding to a SAR: https://t.co/r0aMvktIFT - exemptions must be applied on a case-by-case basis.

This article gives further guidance about Subject Access Requests and Children's Data.

This information should be viewed alongside our Redaction Best Practice Library because, in order to comply with a SAR, schools may be required to provide some information that identifies another individual. In order to protect their data protection rights, this personally identifiable information must be removed by editing the document before release. We provide further redaction guidelines: Redaction Guidelines (166 KB)

Data Protection Education provides a free redaction tool to all of its customers, available from the Knowledge Bank Dashboard widget, which follows the redaction guidance provided by the ICO: How to disclose information safely. Although redaction is not part of our usual SLA service, it is something that Data Protection Education can provide as an additional service if you feel unable to manage this yourself. If this is a requirement, please email info@dataprotection.education for prices.

What can we do if the SAR arrives on the last day of term? Arriving on the last day of term does not warrant an extension to the 30 day time limit for a subject access request. It is important that the school discusses the situation with the data subject if it feels it will not meet the deadline. On occasion, where the data is unavailable because the school is completely closed, it may be possible to agree with the requester that it will be dealt with by a certain deadline upon the school's return. It is always worth remembering that they are not obliged to agree, and every effort should be made to respond as soon as possible. If you are a Data Protection Education customer then please contact us for support and help with this.