Subject access requests are often used in the context of a dispute, complaint or grievance, and getting the response right or wrong can have important legal and reputational consequences for your school. Understanding how to recognise a request and deal with it effectively can save your school time, money and resources.
You should carry out reasonable checks to ensure that the person making the request is:
For example, if a parent makes a request on behalf of their child then you may need to speak with the child, depending on their age.
It is important to remember that individuals are entitled to their personal data, which is information that relates to them and from which they can be identified or are identifiable. This does not mean that every reference to someone's name is their personal data. For example, an email between staff discussing a pupil's behaviour might not include the staff members' personal data. You should make sure you understand what the requester is entitled to, and take steps to locate the relevant information on your systems.
As a school, it is likely that you will hold large amounts of data about individuals such as your staff and pupils. If the subject access request that you receive is broad (eg "everything the school holds"), you are permitted to ask requesters for information to assist you in locating the requested personal data. This should be focussed on obtaining useful information that will assist with your searches, such as a date range or identifying individual mailboxes.
The time period for your response is usually one calendar month from having received the request. However, this can be extended by an additional two months where the request is complex or where a number of requests have been made.
When calculating the deadline for the response you should be aware that:
| Myth | Bust |
| --- | --- |
| Subject access requests only apply to information held electronically. | This is incorrect. Personal data which is caught by the UK GDPR might also be found in a paper filing system depending on how it is structured. If your school is a public authority (ie covered by the Freedom of Information Act) then the scope of the paper records potentially caught is even wider. |
| The requester must provide a reason for their request. | Requesters do not need to provide a reason for their subject access request. |
| The request must be in writing. | Subject access requests can be made over the phone or in person. There is no requirement for them to be in writing. You cannot require the requester to complete a form to make a SAR. |
| If we hold information received from a third party we don't need to provide it. | If the information is held by your school (regardless of its origin) then you may need to provide it, even if it came from a third party (such as the local authority). To withhold requested personal data you need to identify an exemption from disclosure. |
| Only factual information about someone is disclosable. | Personal data includes opinions about people. It is important to note that there is no exemption for information which it would simply be embarrassing to disclose. For example, an email from a teacher which makes rude remarks about a pupil or their parents will likely be disclosable. We suggest that you train your staff to keep written comments professional. |
| The requester has asked for everything we hold and it is going to take us a really long time to find it all, so we can just refuse to comply. | Your obligation is to make reasonable and proportionate searches. There is no right to refuse a subject access request on the basis that it will take up a lot of time. You can seek clarification to assist in reducing the amount of time that needs to be spent. If a subject access request is either "manifestly unfounded" or "manifestly excessive" you are allowed to refuse to respond. However, the threshold is high and you must be able to justify why this is the case. |
| Information which is also about someone else is not disclosable. | This depends on the circumstances of the case. Where information is about both the requester and a third party, the information is mixed personal data and may be exempt or disclosable, depending on the circumstances. |
| We have to provide copies of documents redacted if necessary. | The requester is entitled to a copy of their personal data but not to a copy of the document containing that personal data. You can place their personal data in a new document if you prefer. |