A Subject Access Request (SAR) is a request made by an individual to receive confirmation, and a copy, of the personal data that your school or MAT holds about them. It is the individual’s right of access as set out in s.45 Data Protection Act 2018 and Article 15 UK GDPR.
Anyone could submit a Subject Access Request if they believe that you might hold personal information about them. Usually, you might expect to receive a Subject Access Request from:
There is a common misconception that a Subject Access Request must be made in writing using a prescribed form, this is not the case. A Subject Access Request may be made in writing or verbally and there is no need for the requester to use a template or form that you may have provided.
This is crucial as your time to respond will start from the moment the request is made, even if you do ask the requester to complete a form or confirm the details of their request in writing, the time will have already started ticking.
You will be required to provide a response with the information requested as soon as possible, without delay, and usually within one month of receiving the request.
If the request is for a large amount of information and it would take longer than one month to collate and provide the response, you are entitled to extend this period by a further two months. Giving you a total of three months to provide your response.
You should notify the requester as soon as it becomes clear that you are likely to require the extension. This is usually something you would know as soon as the request is received and an initial search for the data is carried out.
Anyone with parental responsibility for a child has a legal right to receive certain information about their child’s education irrespective of their rights under the Data Protection Act 2018.
If you are a maintained school in England, then anyone with parental responsibility is entitled to ask you for a copy of their child’s education record under The Education (Pupil Information) (England) Regulations 2005.
You would have 15 school days to provide a response with a copy of the information requested.
You could only refuse to provide a copy of the education record if you believed that releasing it could lead to physical or mental harm to the pupil or another individual or if it would mean providing examination marks before they have been officially released.
If you are an Academy, this does not apply to you. Instead, you have an obligation under The Education (Independent School Standards) Regulations 2014 Schedule Part 6 s.32(1)(f) to provide an annual report to anyone with parental responsibility, setting out the progress and attainment for the main subjects taught.
Requests for a child’s education record or annual report of progress and attainment are not regulated by the Information Commissioners Office.
Unless a parent specifically requests a copy of their child’s education record or cites The Education (Pupil Information) (England) Regulations 2005 or The Education (Independent School Standards) Regulations 2014, you should work on the basis that the parent has made a Subject Access Request under the Data Protection Act 2018 and UK GDPR.
If a parent makes a request for data regarding their child, you must establish the following information:
You should ask for ID and consent as soon as you have received the request to avoid any delay, but you MUST NOT provide any information until you have received these.
It is recommended that a member of staff approaches the child to obtain their consent directly to avoid them being put under any undue duress by the parent. In most cases, the child will provide consent and support their parent in obtaining the information but there are cases where a child might not want the parent to receive the information but consent due to fear of repercussions from the parent.
If it is not possible to obtain consent from the pupil directly, you will have to ask the parent to facilitate this with their child.
Whilst you are awaiting confirmation of consent and the parental ID, you should begin to collate the records that have been requested.
Other than obtaining consent and ID, you should treat the request the same as you would if it had been made by the individual data subject.
It is best practice to acknowledge receipt of the Subject Access Request as soon as possible. If the request is made verbally, it is recommended to email or write to the requester to acknowledge the request and ensure that the details are documented in writing.
Once the information has been collated, a response should be provided with the data and other required information including why the information is held and who it is shared with.
An individual can ask to receive all/any information that the school or MAT holds about them, this can include emails, so it is important to ensure that all staff are aware of this.
Schools and MATs should support individuals in making a Subject Access Request, so the individual is provided with the information that they are looking for and the school/MAT do not have to spend unnecessary time collating and redacting records that the individual is not interested in receiving.
The key to this is clear communication with the requester. This is sometimes easier said than done if the request is made in the context of a complaint/dispute. Your DPO will be highly skilled in dealing with the appropriate communication in this situation.
Deciding what information to provide and what to withhold and redact is a tricky topic and would require specialist advice from your Data Protection Officer. You should not provide any information that identifies, or is capable of identifying, another individual unless you have their consent. This does not normally apply to staff names or other personnel working in a professional capacity, but certain exceptions would apply.
Other redactions should be made to only provide the information that relates to the individual, this would mean redacting or withholding information that is administrative or organisational in nature.
You should try to work with the individual who has made the request to provide the information that they are looking for. This can sometimes be tricky if the individual doesn’t know or want to tell you what that information is.
When you provide a response to a Subject Access Request you should make it clear what options the individual has if they wish to make a complaint about the way their request has been processed, this would include providing the details of the Information Commissioners Office.
If the individual makes a complaint to the ICO, you will be contacted by a case worker and asked to review the way you processed the request and provide information to the caseworker for a decision to be made.
You should consult your Data Protection Officer as soon as you receive a Subject Access Request, and they will be able to advise and guide you through the process.
If you would like further assistance, you can register for our Software ++ package with full DPO service and resources, which includes unlimited advice and assistance on all data protection matters.