The Right of Access (SAR)
If you cannot find the answer to your question from the information provided on each of the Information Governance pages, schools should in the first instance contact their Data Protection Officer (DPO). If your school has purchased the DPOaaS from SPS or Cantium Business Solutions please email email@example.com or call 0208 0501387 or 07487 264222.
Request for personal information (subject access request)
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully. Under this right an individual is entitled only to their own personal information and not to information relating to other people (unless they are acting on behalf of that person).
Individuals have the right to obtain the following from you:
- confirmation that you are processing their personal data;
- a copy of their personal data; and
- other supplementary information - see below. You may be providing much of this information already in your privacy notice.
In addition to a copy of their personal data, you also have to provide individuals with the following information:
- the purposes of your processing;
- the categories of personal data concerned;
- the recipients or categories of recipient you disclose the personal data to;
- your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it;
- the existence of their right to request rectification, erasure or restriction or to object to such processing;
- the right to lodge a complaint with the ICO or another supervisory authority;
- information about the source of the data, where it was not obtained directly from the individual;
- the existence of automated decision-making (including profiling); and
- the safeguards you provide if you transfer personal data to a third country or international organisation.
You must not knowingly give the information to the wrong person, so you may ask for proof of identification and address before you process a request.
Can we charge a fee?
In most cases you cannot charge a fee to comply with a subject access request.
However, where the request is manifestly unfounded or excessive you may charge a “reasonable fee” for the administrative costs of complying with the request.
You can also charge a reasonable fee if an individual requests further copies of their data following a request. You must base the fee on the administrative costs of providing further copies.
How long do we have to comply?
You must act on the subject access request without undue delay and at the latest within one month of receipt.
You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.
If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month.
If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond.
This means that the exact number of days you have to comply with a request varies, depending on the month in which the request was made.
For practical purposes, if a consistent number of days is required (e.g. for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.
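The one-month rule above (day after receipt, corresponding date next month, last day of the month where no corresponding date exists, then roll forward over weekends and public holidays) is easy to get wrong in a spreadsheet. The following is an added example, not part of the original guidance, that implements that rule; the set of public holidays is assumed to be supplied by the caller, since the page does not list them.

```python
from datetime import date, timedelta
import calendar


def corresponding_date_next_month(d: date) -> date:
    """Return the same calendar day in the following month, or the last day
    of that month when it is shorter (e.g. 31 Jan -> 28/29 Feb)."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def sar_deadline(received: date, public_holidays=frozenset()) -> date:
    """Statutory response date for a subject access request received on
    `received`, following the calendar-month rule described above.

    `public_holidays` is a caller-supplied set of dates (assumption: the
    organisation maintains its own list of bank holidays)."""
    # Rule 1: the clock starts the day after receipt, working day or not.
    start = received + timedelta(days=1)
    # Rule 2/3: corresponding date next month, or last day if none exists.
    deadline = corresponding_date_next_month(start)
    # Rule 4: a deadline on a weekend or public holiday moves to the next working day.
    while deadline.weekday() >= 5 or deadline in public_holidays:
        deadline += timedelta(days=1)
    return deadline


def operational_deadline(received: date) -> date:
    """The fixed 28-day internal target the page suggests for systems that
    need a constant number of days; always on or before the statutory date."""
    return received + timedelta(days=28)


if __name__ == "__main__":
    # Constructed sample: Christmas Day and Boxing Day 2024 as public holidays.
    holidays = {date(2024, 12, 25), date(2024, 12, 26)}
    for received in (date(2024, 9, 3), date(2024, 1, 30), date(2024, 10, 1), date(2024, 11, 24)):
        print(received, "->", sar_deadline(received, holidays))
```

The 28-day figure is an internal target only; the statutory date is what the regulator measures against.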
Can we extend the time for a response?
You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. You must let the individual know within one month of receiving their request and explain why the extension is necessary.
Request made on behalf of others
The GDPR does not prevent an individual from making a subject access request via a third party. Often, this will be a solicitor acting on behalf of a client, but it could simply be that an individual feels comfortable allowing someone else to act for them. In these cases, you need to be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request or it might be a more general power of attorney.
If you think an individual may not understand what information would be disclosed to a third party who has made a subject access request on their behalf, you may send the response directly to the individual rather than to the third party. The individual may then choose to share the information with the third party after having had a chance to review it.
Request for information about children
Even if a child is too young to understand the implications of subject access rights, it is still the right of the child rather than of anyone else such as a parent or guardian. So it is the child who has a right of access to the information held about them, even though in the case of young children these rights are likely to be exercised by those with parental responsibility for them.
Before responding to a subject access request for information held about a child, you should consider whether the child is mature enough to understand their rights. If you are confident that the child can understand their rights, then you should usually respond directly to the child. You may, however, allow the parent to exercise the child’s rights on their behalf if the child authorises this, or if it is evident that this is in the best interests of the child.
What matters is that the child is able to understand (in broad terms) what it means to make a subject access request and how to interpret the information they receive as a result of doing so. When considering borderline cases, you should take into account, among other things:
- the child’s level of maturity and their ability to make decisions like this;
- the nature of the personal data;
- any court orders relating to parental access or responsibility that may apply;
- any duty of confidence owed to the child or young person;
- any consequences of allowing those with parental responsibility access to the child’s or young person’s information. This is particularly important if there have been allegations of abuse or ill treatment;
- any detriment to the child or young person if individuals with parental responsibility cannot access this information; and
- any views the child or young person has on whether their parents should have access to information about them.
Information about other people
Responding to a subject access request may involve providing information that relates both to the individual making the request and to another individual (a third party).
The DPA 2018 says that you do not have to comply with the request if it would mean disclosing information about another individual who can be identified from that information, except if:
- the other individual has consented to the disclosure; or
- it is reasonable to comply with the request without that individual’s consent.
In determining whether it is reasonable to disclose the information, you must take into account all of the relevant circumstances, including:
- the type of information that you would disclose;
- any duty of confidentiality you owe to the other individual;
- any steps you have taken to seek consent from the other individual;
- whether the other individual is capable of giving consent; and
- any express refusal of consent by the other individual.
So, although you may sometimes be able to disclose information relating to a third party, you need to decide whether it is appropriate to do so in each case. This decision will involve balancing the data subject’s right of access against the other individual’s rights. If the other person consents to you disclosing the information about them, then it would be unreasonable not to do so. However, if there is no such consent, you must decide whether to disclose the information anyway.
Can we require an individual to make a SAR?
In the DPA 2018 it is a criminal offence, in certain circumstances and in relation to certain information, to require an individual to make a subject access request. The ICO will provide further guidance on this offence in due course.
- Schools should have a procedure in place to assist with such requests - Appendix 1 Procedure for Access to Personal Information (DOC, 56.0 KB)
- Guidance on access to pupil's information (PDF, 37.2 KB) held by schools in England.
- Advice from Department of Education - access to pupil records.
Request for education records
The Education (Pupil Information) Regulations 2005 give parents an independent right of access to the official education records for their child. A fee of up to £50 for photocopying may be charged (for example, 1-19 pages will cost £1.20; 29 pages will cost £2, and so on, up to a maximum of 500+ pages, which will cost £50). The school must respond within 15 school days from the date of receipt of the request.
ICO Review of subject access request handling within Educational Establishments
Post GDPR, the most common data protection complaint received by the ICO concerning schools was in relation to subject access requests (SARs). The ICO carried out a review of eight educational establishments (EEs) in relation to their compliance with data protection legislation, particularly their SAR handling. The reviewed EEs consisted of multi academy trusts (MATs), local authority maintained primary schools and independent schools. The reviews concluded in 2019.
This report is based on these reviews. It highlights the ICO experience of how effective the controls in place were in relation to the handling of SARs and how embedded they were. It is intended to help schools and others in the sector recognise where they can make improvements. No individual organisations are named in this report.
ICO gives advice to schools on data protection
A survey of 400 schools across nine local authority areas showed that schools need to pay more attention to complying with data protection law. One finding from the survey showed that a third of schools with password protected computer systems were using passwords that were not necessarily strong enough or changed regularly.
This survey prompted guidance and advice (PDF, 492.2 KB) delivered to schools by the Information Commissioner's Office in 2012.
Information Commissioner's Office
You can visit the Information Commissioner's Office for more information about the Data Protection Act and for training toolkits.
Data protection enquiries
Please email firstname.lastname@example.org if you have any questions relating to data protection in your school or setting.