• Careers
  • Contact Us

5 Ways to Easily Deal with a Subject Access Request

on Monday, 11 November 2019.

Of all of the rights given to individuals under the GDPR, the one which causes schools the most difficulty is the right of access.

This article outlines some simple actions to make the initial stages of dealing with a Subject Access Request (SAR) more straightforward.

Staff Training

A SAR can be made to any staff member, in writing or orally and does not need to use any particular form of words, or in fact even mention that it is a SAR. Training staff to recognise SARs and pass them to your school's data protection lead immediately is essential.

Reminding staff to not write embarrassing or unprofessional comments should be an 'easy win'. Often, staff do not realise that their work emails (and other written comments) are potentially disclosable. When a SAR is made in the context of a complaint (which they often are) having to disclose these comments can put your school in a difficult position.

Be Organised

Having rules about where to store different types of information and documents and ensuring that staff follow the rules make it easier to search for the requested information.

We often find that staff within a school will store the same types of information in different locations, eg, some on their desktop, some in a departmental drive and some on their cloud account (eg, OneDrive). This can make it very difficult to collate the information needed to respond to a SAR and also has wider implications for data protection compliance

Do You Need to Ask The Requester for More Information?

SARs are often broad and unclear, but fortunately when the requester is asking for a large amount of information, you are able to ask them for clarity on what they are seeking.

If you have any doubts about the authenticity of a request, consider whether it would be reasonable to ask for identification. There could be serious consequences if you provide personal data in response to a fraudulent request.

Parents are entitled to make requests on their child's behalf. However, if the child can understand their data protection rights, (usually from the age of 12) then the child's authorisation may need to be sought. The child should fully understand what they are authorising so it is often best to clarify the scope of the request (as above) before speaking to the child.

Calculate the Deadline

If you have asked for clarification or ID then the timeframe for your response does not begin until you have received it. Make sure that you ask for it promptly to avoid criticism from the Information Commissioner's Office.

The standard timeframe for your response is one calendar month. However, you're allowed to extend the timeframe by up to an additional two months for complex requests.

Seek Legal Advice Early On

Speaking to us when you first receive a SAR can save you time and legal costs in the long run. It is also the case that SARs are usually made against a contentious background and our data protection specialists work closely with other specialists at VWV to provide strategic advice that covers all angles.

In the next edition of our Schools Law Brief, we will cover preparing and sending out your response.

If you would like more information regarding Subject Access Requests, please contact Claire Hall in our Data Protection team on 0117 314 5279, or complete the form below.


Get in Touch

First name(*)
Please enter your first name.

Last name(*)
Invalid Input

Email address(*)
Please enter a valid email address

Please insert your telephone number.

How would you like us to contact you?

Invalid Input

How can we help you?(*)
Please limit text to alphanumeric and the following special characters: £.%,'"?!£$%^&*()_-=+:;@#`

See our privacy page to find out how we use and protect your data.

Invalid Input