• Contact Us

Help! Our School Has Received a Subject Access Request - What Should We Do?

on Thursday, 01 April 2021.

Requesting personal information, or making a subject access request (SAR), has become a popular mechanism for pupils, parents and staff to find out exactly what information a school holds about them. Here's what you need to do when you receive one.

Often used in the context of a dispute, complaint or grievance, getting it right or wrong can have important legal and reputational consequences for your school. Understanding how to recognise a request and deal with it effectively can save your school time, money and resources.

Are You Satisfied That the Subject Access Request Is Genuine?

You should carry out reasonable checks to ensure that the person making the request is:

  • who they say they are; and
  • if making the request on someone else's behalf - authorised to do so.

For example, if a parent makes a request on behalf of their child then you may need to speak with the child, depending on their age.

What Falls Within the Scope of the Subject Access Request?

It is important to remember that individuals are entitled to their personal data, which is information that relates to them and from which they can be identified or are identifiable. This does not mean that every reference to someone's name is their personal data. For example, an email between staff discussing a pupil's behaviour might not include the staff members' personal data. You should make sure you understand what the requester is entitled to, and take steps to locate the relevant information on your systems.

Do You Require Any Further Information from the Requester to Locate the Personal Data?

As a school, it is likely that you will hold large amounts of data about individuals such as your staff and pupils. If the subject access request that you receive is broad (eg "everything the school holds"), you are permitted to ask requesters for information to assist you in locating the requested personal data. This should be focussed on obtaining useful information that will assist with your searches, such as a date range or identifying individual mailboxes.

How Long Do We Have to Respond?

The time period for your response is usually one calendar month from having received the request. However, this can be extended by an additional two months where the request is complex or where a number of requests have been made.

When calculating the deadline for the response you should be aware that:

  • the clock does not start to run until you have received any information requested to satisfy yourself of the requester's identity (assuming it is reasonable to ask for this)
  • if you have asked for clarification to locate the personal data requested, the clock will pause while you are waiting for a response
  • the clock continues to run during school holidays.

VWV Plus - Data Protection eLearning

Myth-Busting Subject Access Requests

Myth

Bust

Subject access requests only apply to information held electronically.

This is incorrect. Personal data which is caught by the UK GDPR might also be found in a paper filing system depending on how it is structured.

If your school is a public authority (ie covered by the Freedom of Information Act) then the scope of the paper records potentially caught is even wider.

The requester must provide a reason for their request.

Requesters do not need to provide a reason for their subject access request.

The request must be in writing.

Subject access requests can be made over the phone or in person. There is no requirement for them to be in writing. You cannot require the requester to complete a form to make a SAR.

If we hold information received from a third party we don't need to provide it.

If the information is held by your school (regardless of its origin) then you may need to provide it, even if it came from a third party (such as the local authority). To withhold requested personal data you need to identify an exemption from disclosure.

Only factual information about someone is disclosable.

Personal data includes opinions about people. It is important to note that there is no exemption for information which it would simply be embarrassing to disclose. For example, an email from a teacher which makes rude remarks about a pupil or their parents will likely be disclosable.

We suggest that you train your staff to keep written comments professional.

The requester has asked for everything we hold and it is going to take us a really long time to find it all, so we can just refuse to comply.

Your obligation is to make reasonable and proportionate searches. There is no right to refuse a subject access request on the basis that it will take up a lot of time. You can seek clarification to assist in reducing the amount of time that needs to be spent.

If a subject access request is either "manifestly unfounded" or "manifestly excessive" you are allowed to refuse to respond. However, the threshold is high and you must be able to justify why this is the case.

Information which is also about someone else is not disclosable.

This depends on the circumstances of the case. Where information is about both the requester and a third party, the information is mixed personal data and may be exempt or disclosable, depending on the circumstances.

We have to provide copies of documents redacted if necessary.

The requester is entitled to a copy of their personal data but not to a copy of the document containing that personal data. You can place their personal data in a new document if you prefer.


For further information and advice about subject access requests in a school environment, please contact Bronwen Jones (on 07818 018215) or Claire Hall (on 07467 148750) in our Data Protection & Information Law team. Alternatively, complete the form below.

Get in Touch

First name(*)
Please enter your first name.

Last name(*)
Invalid Input

Email address(*)
Please enter a valid email address

Telephone
Please insert your telephone number.

How would you like us to contact you?

Invalid Input

How can we help you?(*)
Please limit text to alphanumeric and the following special characters: £.%,'"?!£$%^&*()_-=+:;@#`

See our privacy page to find out how we use and protect your data.

Invalid Input