Dealing with subject access requests (SARs)
A subject access request (SAR) is a type of information rights request. A SAR lets people access a copy of the personal data a school holds about them or someone they have parental responsibility for.
This guidance is for people working in the education sector who respond to subject access requests (SARs).
You can make it easier to respond to a SAR by:
- having good record keeping practices, including retention periods
- making parents and carers aware of how they can find personal data they already have access to
- keeping an accurate record of how you have dealt with a SAR
Any individual whose personal data is held by an education setting can make a SAR. Personal data is information that relates to an identified or identifiable individual.
In this guidance the person making a SAR is referred to as the requester.
Individuals can ask for a SAR from anyone who works at an organisation. In a school this could include:
- teachers
- support staff
- school volunteers
Individuals can make a SAR in any format. They could make a verbal request, or a written request via a letter, text, or email. Once an individual has made a request, you cannot ask them to change the format they made the request in.
When an individual asks for their personal data, they do not have to call it a SAR. You will need to be aware that someone could be making a SAR if they:
- make a complaint
- quote other legislation, such as a freedom of information request
When working in an education setting you may receive a SAR from:
- students
- anyone with parental responsibility for a child (either for themselves or on behalf of the child)
- employees (such as teachers, classroom assistants and support staff)
- volunteers
- governors
- third parties, such as legal organisations, acting on behalf of another person
Information an individual can request
A requester can ask for any personal data that relates to:
- themselves
- someone they have parental responsibility for
- someone they have permission to act on behalf of
Examples of why someone might request a SAR
A requester may ask for specific personal information, such as attendance records, school reports or behaviour reports.
A former pupil could request access to their attendance records to prove they attended that school.
A parent could request to see their child’s attendance records for a particular period.
A third party, such as a solicitor, could request special educational needs records for a child, on behalf of the child’s parent.
Clarifying a SAR
Some requests will be non-specific and ask for “all the information you hold”.
You cannot ask the requester to narrow or reduce their request. You can ask for clarification of what specific information the requester is looking for. This might be helpful when the requester asks for a lot of information because they are not sure what they need.
Example
A college student has received a warning about their attendance. The student decides to submit a SAR. They’re not sure what to ask for, so they ask for all the information the college holds on them.
The college replies with:
Dear student,
We hold a large quantity of personal data about you, including:
- your registration details
- your attendance information
- data about your courses
- coursework and examinations
- all correspondence you have received within 2 years
We can send you all this data, but if you want specific data then we may be able to retrieve it quicker. Please let us know if you’d like specific information.
The student replies that they only need attendance information and internal communication relating to them.
The college has not asked the student to reduce their request. They have made it clear that the student can still have all the information they asked for.
The college should record evidence of the student’s clarification.
Encouraging requesters to self-serve
If the requester already has access to the information they want to see, you can direct them to this. For example, the requester may already have access to personal data stored on the school’s website.
You do not have to treat this request as a SAR, provided they can access the information within one calendar month.
Example
A parent asks a school receptionist for their child’s behaviour record. The receptionist refers them to the school website and provides them with sign-in details.
The parent can access their child’s behaviour record and other personal data on the website. In this case, the parent has not asked for any information that is not already available to them. This request does not need to be treated as a SAR.
In most cases when an individual makes a SAR you will need to ask for identification (ID) from them.
In a school setting, pupils and their parents or carers are generally well-known to school staff. If you know the requester and are sure of their identity and authority, you do not have to request ID. Make a record of why you made this decision.
If the requester is asking for their own information, and you do not know them, then they will need to provide their identification.
Adults should provide a photo ID plus another form of ID. This could be:
- their driving licence or passport for the photo ID
- a utility bill or council tax bill that confirms their name and address
If the requester is asking for another individual’s information, then they will need to provide the individual’s ID.
They will also need to provide evidence that they have the authority to act on the individual’s behalf. This includes requesters such as parents and solicitors.
The data controller is responsible for deciding whether to request ID or not. Find out more about a data controller’s responsibilities.
If the requester cannot provide the standard ID, it is the data controller’s decision whether alternative identification is appropriate. Make a record of your decision-making process.
Requesting a SAR is a child’s right. A child can request access to information about themselves from any education setting that holds data about them.
A child does not have to be a certain age to make a SAR.
The Information Commissioner’s Office (ICO) provides guidance on the rights of children when making SARs.
If the young person is under 13 and is making their own request, you will need to consider whether they will be able to understand your response, but this shouldn’t be a barrier to supplying them with their information.
If the young person is over 13, you should treat the request the same way as if an adult made it, provided there are no issues with the child’s competency.
Parents or carers can also make a SAR on behalf of a young person. If the young person is 13 or over, check whether they are happy for their personal data to be shared with their parent or carer.
When a child of any age submits a SAR, you should assess if they can understand the information they will receive in response to their request.
If you believe the child has the maturity and understanding to request and receive the information, you should respond directly to the child, regardless of their age. If a child requests a SAR themselves, this demonstrates some maturity and understanding about their right of access to their personal information.
You should not respond directly to the child if you believe they:
- do not have the maturity or competence to act independently
- have a health condition that limits their understanding
- have given consent for a representative or someone with parental responsibility to act on their behalf
In these cases, contact the child and ask if they agree for their parent or carer to make the request on their behalf.
The ICO provides guidance on SARs from young people.
A requester can submit a SAR:
- in writing, such as an email, letter, or via social media
- verbally, such as over the phone or face-to-face
It is the responsibility of the school to treat a request for information as a SAR.
The person requesting information does not need to refer to the process as a SAR.
For example, a parent could ask for a copy of an incident report, regarding their child, during a phone call with a school. As the parent has asked for personal data, the school should treat this request as a SAR.
You should not ask the requester to make a SAR in a different way once they have made their request.
You can create a preferred request method, such as a standard form, but should not insist a requester makes a SAR in a particular way.
Example
A student makes a verbal request for their previous teacher’s reports during class. The teacher writes down the request and checks with the student that they have understood their request. The student has the right to say no or not to respond. The teacher must still respond within one calendar month from the day of the verbal request.
Example
A parent collects their 8-year-old from school. Whilst waiting for their child, the parent tells a teaching assistant that they wish to see copies of their child’s personal information relating to the school’s handling of an incident that recently occurred on school premises involving their child.
Usually, the school encourages parents to make a SAR by using a request form on the school website. The teaching assistant asks the parent if they can complete the request form. The parent insists they want to make the request verbally.
The teaching assistant writes down contact details for the parent, details of the child and an overview of the verbal request. The teaching assistant checks that the parent is happy for future correspondence to be made in writing and immediately passes the request to the headteacher, who is the school’s data protection officer (DPO).
The headteacher knows the parent and child well and decides not to request ID. The headteacher sends the parent a letter to acknowledge the SAR and to clarify the request.
A full SAR response must be sent to the requester within one calendar month.
You can extend the SAR deadline if you have to wait for the requester to provide identification, authority and any clarification you might need. For example, if it takes 3 days for the requester to provide identification, you can extend the deadline by 3 days.
If the request is complex, the response time can be extended by up to a further 2 calendar months, making the response deadline 3 months in total. The ICO advises that you should respond to the SAR as soon as possible within the extended period.
For complex requests, you must tell the requester the new deadline and the reason their SAR is being treated as complex. You must do this in writing, within one calendar month of the original request date.
In most cases, having to retrieve or redact a lot of information does not make a SAR complex. It is up to individual schools to assess whether a SAR is complex.
The ICO provides guidance on complex requests.
Calculating how long you have to respond to a SAR
Organisations have one calendar month to respond to a SAR, starting from the day a SAR is submitted.
If you receive a request on the last day of the month and the following month is shorter, a response must be made by the last day of the shorter month.
If a SAR is received on 31 January, a response is required by 28 February (29 February in a leap year).
If the deadline for a response falls on a weekend or bank holiday, you can respond on the next day.
For example, if the deadline for response is 2 May, which is a bank holiday, the response deadline becomes 3 May.
Read more about SARs response times on the ICO website.
There are online calculators that can help you work out how long you have to respond to a SAR.
Delays to SAR processing
In some cases, the calendar month response time can be paused if you are unable to progress with the request.
You may need to pause the request if:
- you are waiting for a requester to confirm their identification
- you are waiting for the requester to provide evidence of their authority to act on behalf of another individual
- you are seeking reasonable clarification about the request
Read more about delaying a SAR response on the ICO website.
Receiving a SAR during the school holidays
If you receive a SAR on the last day of the school term, or during the school holidays, you must still respond within one calendar month.
Education settings cannot extend a SAR response because it is the school holidays.
If you are unable to meet the legal deadline of one calendar month, you should let the requester know as soon as possible.
You cannot charge a fee to complete a SAR.
In some cases, you may be able to charge for administration costs associated with completing a SAR.
For example, if the requester insists on having multiple copies of information, you could charge for the cost of printing.
Read more about charging a fee on the ICO’s website.
Individuals have a right to know how their personal data is being used. A school’s privacy policy will usually include this information. You should include a link to your school’s privacy policy in your SAR response.
The ICO has more details on what other information an individual is entitled to.
Education settings must make reasonable efforts to search through all records, including:
- emails (including those in deleted or trash folders)
- documents
- spreadsheets
- databases
- record systems
- CCTV
- USB sticks or CDs
- paper records in filing systems
- instant messages
Good data storage and retention policies make it easier to identify personal information.
Moving to a cloud-based system may help you prepare for subject access requests. Cloud-based systems also offer other security benefits. You can find out more information in the guidance on cloud solution standards for schools and colleges.
You can include extra or contextual information in a SAR response. You will need to explain that extra information is being provided outside of the requester’s information rights.
Dealing with information already held by the requester
If a requester already has information previously provided by the school or has access to information, you do not need to resend this in your response. You will still need to explain that you hold that information and explain why you are not releasing it.
You should be able to evidence that the requester has already seen or had access to the information, in case you receive a complaint.
Example
A school governor makes a SAR. The school identifies a chain of emails relevant to the SAR. The school governor’s email address is included in the recipient list.
As the governor already holds a copy of the information, the school doesn’t need to include this in their SAR response. The school explains this in their response.
Redacting information
Depending on what the requester asks for, you may need to remove some information. This process is known as redacting.
You should redact personal information that identifies anyone other than the person the SAR is about. This is known as removing third party information.
In some cases, you may need to release third party information. This decision must be made on a case-by-case basis, and you should record any decisions you make about releasing third party data.
Read more on information about other individuals on the ICO’s website.
You may need to redact information about:
- other pupils
- other parents
- staff
When redacting identifiable information, make sure that redactions cannot be undone. You should use specific redaction software, such as Adobe Acrobat Pro.
Individuals may ask to see CCTV images of themselves or their child. CCTV images contain personal information. Images of other people appearing in CCTV images must be redacted, for example by blurring.
A SAR entitles a person to access their own personal information but does not entitle them to access full documents. You may extract personal information from a document to include in your SAR response, and provide context of where the information is held.
You should keep a copy of unredacted and redacted versions of information in case of review.
Example
Ebony Smith’s dad has submitted a SAR requesting Ebony’s behavioural record.
The school office’s record reads:
‘Ebony Smith was excluded due to a fight she had with Sajid Khan’.
When the school responds to the SAR, it should read ‘Ebony Smith was excluded due to a fight she had with (REDACTED)’.
Although Ebony’s dad might know who the fight was with, the school should not release this information. Ebony’s dad is only entitled to the personal data held about Ebony, not Sajid.
Example
A child has submitted a SAR for all information the school holds about their special educational needs.
The school identifies that the child’s personal information is contained in the minutes of a governors’ meeting.
The child’s personal information in scope of the request amounts to 2 sentences within a 4-page document. The rest of the document is not about the child.
The school extracts the child’s personal information for inclusion in their response. They do not provide the whole document.
The school provides the requester with context about where the information is held. The remaining information is out of scope of the SAR and is not released.
Information that is no longer available
In some cases, a requester may ask for information you no longer hold. You should respond by telling them the information is no longer held by you.
You can refer the requester to your data retention policy or privacy notice.
Example
A school’s data retention policy explains records of trip permission slips are held for a year after the trip has taken place. The school cannot provide permission slips for trips taken more than a year ago.
Another organisation, such as the local authority, may hold the information that’s been requested. You can signpost the requester to the relevant organisation where that data may be held.
Usually, a SAR response will be made in the same format as the request was received.
A written response is preferable, but if you receive a verbal request, you can provide a verbal response if the requester asks for one. You should make a written record of the response.
Make sure you submit the response in a secure way. You may want to submit the response by:
- encrypting the document
- saving the document in a secure workspace
- using tracked mail for physical documents
If delivering a response by hand, consider obtaining a signature to confirm receipt.
Making sure a SAR response is accessible
Education settings should make it simple for individuals who need additional support to make a SAR. You should make sure your response is in an accessible format that meets the needs of the requester.
Schools can refuse to comply with a SAR if:
- a data protection exemption can be applied to all the personal information in scope of the request
- the request is manifestly unfounded or manifestly excessive
Examples of exemptions that may apply to education settings include:
- releasing the information would cause serious harm to a child
- releasing information would not be in the best interests of a child
- information relating to third parties
- legal advice sought and received from a lawyer
- information that may prejudice an investigation
Find out more about exemptions on the ICO website.
Manifestly unfounded SARs
A manifestly unfounded SAR is when an individual submits multiple SARs with malicious intentions.
For example, a parent submits a SAR every week with the intention of harassing a staff member following an earlier disagreement. The parent offers to withdraw their SAR for personal benefit.
Before refusing to comply with a request on these grounds it is important you can show the reasons why you think a request is not genuine.
A request might not be genuine if:
- it includes details of an intention to cause disruption
- it targets an employee with unproven accusations
Read more about manifestly unfounded requests on the ICO website.
Manifestly excessive SARs
A manifestly excessive SAR means that the effort and cost of collecting the information makes responding to the request unreasonable or disproportionate.
This is not an easy assessment to make. You will need to consider all the circumstances of the request before making a decision. The ICO provides comprehensive guidance about what factors need to be considered.
Read more about manifestly excessive requests on the ICO website.
Notifying a requester about a refused SAR
You will need to notify a requester that their SAR has been refused within one calendar month from the day they made the SAR. You will also need to include the reason for the refusal. The requester should be given details about how to complain to the ICO or seek a judicial review.
Example
A school receives a SAR from the absent parent of a child aged 16. The requester has asked for details of the college the child now attends.
This request immediately raises a red flag that releasing the information may not be in the best interest of the child. Also, if the requester had a relationship with their child, it would be reasonable to expect that they would already know this information.
The school acknowledges the SAR and asks the requester to provide:
- identification and proof of their link to the child, such as a birth certificate
- any parental agreement or court order that may be in place
This is to establish parental responsibility and any restrictions to the requester’s parental role.
The parent provides their own identification and a copy of the child’s birth certificate and states no agreement or court order is in place. This means the school now has the requester ID and parental responsibility status.
The school contacts the child for consent to release the information, as they are aged 13 or over. The school also checks information and records they hold about the child.
The child asks the school not to release any of their personal information to the requester. The child states they have no relationship with their absent parent, due to historic emotional abuse towards them and their resident parent. The child feels releasing the requested information would adversely affect their mental health.
The school considers the rights of the parent and those of the child. As there is a risk to the child’s wellbeing, they make the decision not to release the child’s information.
In this case the child’s data protection rights exceed parental rights, and the SAR is refused.
Please note, education settings may need to be aware of their disclosure obligations under separate legislation. This example applies to a SAR only.
Complaints about a SAR response
A SAR response letter must include the following information:
- organisation contact regarding the response, usually the data protection officer
- details on how to complain to the ICO
- acknowledgement of their right to seek judicial remedy
- acknowledgement of their other data protection rights such as the right to have their information deleted or changed
If the requester is unhappy with their SAR response, you should offer them the chance for their case to be reviewed.
If the requester remains unhappy with the school’s response, they can complain to the ICO. The ICO will consider the complaint and contact the school for further information or to provide advice as appropriate.
When an organisation processes a SAR, they should anticipate any future challenge or a formal ICO complaint. Completing a case review record while handling a SAR, which details what decisions you have made and why, may serve as a useful tool when responding to complaints.
Knowing where your school holds personal data will make it easier to find information when processing a SAR.
You should keep a record of the SAR process from start to finish.
Recording the SAR process is especially helpful if a requester submits a complaint or if you are audited by the ICO.
You may want to record:
- the date the request was received
- any time the response was paused and why (for example getting identification)
- a copy of all correspondence
- information about which records and systems were searched and what was found
- any information that was redacted and the reason why
- the date you sent the response and a copy of it
- copies of any ongoing correspondence with the requester (such as confirmation of receipt, complaints)
- evidence of decision to refuse a SAR
- evidence of decision to exempt any information