The Right of Access (SAR)
Request for personal information (Subject access request)
Individuals have the right to obtain the following from you:
- confirmation that you are processing their personal data;
- a copy of their personal data; and
- other supplementary information - this largely corresponds to the information that you should provide in a privacy notice (see ‘Supplementary information’ below).
In addition to a copy of their personal data, you also have to provide individuals with the following information:
- the purposes of your processing;
- the categories of personal data concerned;
- the recipients or categories of recipient you disclose the personal data to;
- your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it;
- the existence of their right to request rectification, erasure or restriction or to object to such processing;
- the right to lodge a complaint with the ICO or another supervisory authority;
- information about the source of the data, where it was not obtained directly from the individual;
- the existence of automated decision-making (including profiling); and
- the safeguards you provide if you transfer personal data to a third country or international organisation.
You may be providing much of this information already in your privacy notice.
Can we charge a fee?
In most cases you cannot charge a fee to comply with a subject access request.
However, where the request is manifestly unfounded or excessive you may charge a “reasonable fee” for the administrative costs of complying with the request.
You can also charge a reasonable fee if an individual requests further copies of their data following a request. You must base the fee on the administrative costs of providing further copies.
How long do we have to comply?
You must act on the subject access request without undue delay and at the latest within one month of receipt.
You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.
If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month.
If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond.
This means that the exact number of days you have to comply with a request varies, depending on the month in which the request was made.
For practical purposes, if a consistent number of days is required (e.g. for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.
Can we extend the time for a response?
You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. You must let the individual know within one month of receiving their request and explain why the extension is necessary.
- Schools should have a procedure in place to assist with such requests - Appendix 1 Procedure for Access to Personal Information (DOC, 56.0 KB)
- Guidance on access to pupil's information (PDF, 37.2 KB) held by schools in England.
- Advice from Department of Education - access to pupil records.
Request for education records
|Number of pages||Maximum fee|