The Right of Access (SAR)
Request for personal information (Subject access request)
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully. Under this right and individual is entitled only to their own personal information and not to information relating to other people (unless they are acting on behalf of that person).
Individuals have the right to obtain the following from you:
- confirmation that you are processing their personal data;
- a copy of their personal data; and
- other supplementary information - this largely corresponds to the information that you should provide in a privacy notice (see ‘Supplementary information’ below).
In addition to a copy of their personal data, you also have to provide individuals with the following information:
- the purposes of your processing;
- the categories of personal data concerned;
- the recipients or categories of recipient you disclose the personal data to;
- your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it;
- the existence of their right to request rectification, erasure or restriction or to object to such processing;
- the right to lodge a complaint with the ICO or another supervisory authority;
- information about the source of the data, where it was not obtained directly from the individual;
- the existence of automated decision-making (including profiling); and
- the safeguards you provide if you transfer personal data to a third country or international organisation.
You may be providing much of this information already in your privacy notice.
Can we charge a fee?
In most cases you cannot charge a fee to comply with a subject access request.
However, where the request is manifestly unfounded or excessive you may charge a “reasonable fee” for the administrative costs of complying with the request.
You can also charge a reasonable fee if an individual requests further copies of their data following a request. You must base the fee on the administrative costs of providing further copies.
How long do we have to comply?
You must act on the subject access request without undue delay and at the latest within one month of receipt.
You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.
If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month.
If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond.
This means that the exact number of days you have to comply with a request varies, depending on the month in which the request was made.
For practical purposes, if a consistent number of days is required (e.g. for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.
Can we extend the time for a response?
You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. You must let the individual know within one month of receiving their request and explain why the extension is necessary.
- Schools should have a procedure in place to assist with such requests - Appendix 1 Procedure for Access to Personal Information (DOC, 56.0 KB)
- Guidance on access to pupil's information (PDF, 37.2 KB) held by schools in England.
- Advice from Department of Education - access to pupil records.
Request for education records
The Education (Pupil Information) Regulations 2005 gives parents a right to the official education records for their child. A fee of up to £50 for photocopying may be charged (see scale of fees below) and the school must respond within 15 school days from date of receipt of request.
| Number of pages | Maximum fee |
|---|---|
| 1-19 | £1 |
| 20-29 | £2 |
| 30-39 | £3 |
| 40-49 | £4 |
| 50-59 | £5 |
| 60-69 | £6 |
| 70-79 | £7 |
| 80-89 | £8 |
| 90-99 | £9 |
| 100-149 | £10 |
| 150-199 | £15 |
| 200-249 | £20 |
| 300-349 | £25 |
| 350-399 | £30 |
| 400-449 | £40 |
| 500+ | £50 |
Information Commissioner produces advice for schools on data protection
A survey of 400 schools across nine local authority areas showed that schools need to pay more attention to complying with data protection law. One finding from the survey showed that a third of schools with password protected computer systems were using passwords that were not necessarily strong enough or changed regularly.
This survey prompted guidance and advice (PDF, 492.2 KB) delivered to schools by the Information Commissioner Office in 2012.
Information Commissioner's Office
You can visit the Information Commissioner's Office for more information about the Data Protection Act and for training toolkits.
Data protection enquiries
Please email dataprotection@kent.gov.uk if you have any questions relating to data protection in your school or setting.