How to manage Subject Access Requests within your school or Multi-Academy Trust!
What is a Subject Access Request?
A Subject Access Request (SAR) is a request made by an individual to receive confirmation, and a copy, of the personal data that your school or MAT holds about them. It is the individual’s right of access as set out in s.45 Data Protection Act 2018 and Article 15 UK GDPR.
Who can make a Subject Access Request?
Anyone could submit a Subject Access Request if they believe that you might hold personal information about them. Usually, you might expect to receive a Subject Access Request from:
- a current or former member of staff,
- a current or former pupil,
- the parent of a current or former pupil for information you hold about the parent, or
- the parent of a current or former pupil for information you hold about the pupil.
- You may also receive a request from a volunteer or Governor.
How will a Subject Access Request be made?
There is a common misconception that a Subject Access Request must be made in writing using a prescribed form, this is not the case. A Subject Access Request may be made in writing or verbally and there is no need for the requester to use a template or form that you may have provided.
This is crucial as your time to respond will start from the moment the request is made, even if you do ask the requester to complete a form or confirm the details of their request in writing, the time will have already started ticking.
How long do we have to respond to a Subject Access Request?
You will be required to provide a response with the information requested as soon as possible, without delay, and usually within one month of receiving the request.
If the request is for a large amount of information and it would take longer than one month to collate and provide the response, you are entitled to extend this period by a further two months. Giving you a total of three months to provide your response.
You should notify the requester as soon as it becomes clear that you are likely to require the extension. This is usually something you would know as soon as the request is received and an initial search for the data is carried out.
Can a parent make a request on behalf of their child?
Anyone with parental responsibility for a child has a legal right to receive certain information about their child’s education irrespective of their rights under the Data Protection Act 2018.
If you are a maintained school in England, then anyone with parental responsibility is entitled to ask you for a copy of their child’s education record under The Education (Pupil Information) (England) Regulations 2005.
You would have 15 school days to provide a response with a copy of the information requested.
You could only refuse to provide a copy of the education record if you believed that releasing it could lead to physical or mental harm to the pupil or another individual or if it would mean providing examination marks before they have been officially released.
If you are an Academy, this does not apply to you. Instead, you have an obligation under The Education (Independent School Standards) Regulations 2014 Schedule Part 6 s.32(1)(f) to provide an annual report to anyone with parental responsibility, setting out the progress and attainment for the main subjects taught.
Requests for a child’s education record or annual report of progress and attainment are not regulated by the Information Commissioners Office.
Unless a parent specifically requests a copy of their child’s education record or cites The Education (Pupil Information) (England) Regulations 2005 or The Education (Independent School Standards) Regulations 2014, you should work on the basis that the parent has made a Subject Access Request under the Data Protection Act 2018 and UK GDPR.
A parent’s right to make a Subject Access Request on behalf of their child
If a parent makes a request for data regarding their child, you must establish the following information:
- That the parent has parental responsibility or a court order which entitles them to make such a request on behalf of their child,
- That the parent has provided photo identification to prove that they are the person making the request, and
- Consent from the child if they are over the age of 13 years old, stating that they allow their parent to receive a copy of the information requested.
You should ask for ID and consent as soon as you have received the request to avoid any delay, but you MUST NOT provide any information until you have received these.
It is recommended that a member of staff approaches the child to obtain their consent directly to avoid them being put under any undue duress by the parent. In most cases, the child will provide consent and support their parent in obtaining the information but there are cases where a child might not want the parent to receive the information but consent due to fear of repercussions from the parent.
If it is not possible to obtain consent from the pupil directly, you will have to ask the parent to facilitate this with their child.
Whilst you are awaiting confirmation of consent and the parental ID, you should begin to collate the records that have been requested.
Other than obtaining consent and ID, you should treat the request the same as you would if it had been made by the individual data subject.
How should we respond to a Subject Access Request?
It is best practice to acknowledge receipt of the Subject Access Request as soon as possible. If the request is made verbally, it is recommended to email or write to the requester to acknowledge the request and ensure that the details are documented in writing.
Once the information has been collated, a response should be provided with the data and other required information including why the information is held and who it is shared with.
What information can be requested as part of a Subject Access Request?
An individual can ask to receive all/any information that the school or MAT holds about them, this can include emails, so it is important to ensure that all staff are aware of this.
Schools and MATs should support individuals in making a Subject Access Request, so the individual is provided with the information that they are looking for and the school/MAT do not have to spend unnecessary time collating and redacting records that the individual is not interested in receiving.
The key to this is clear communication with the requester. This is sometimes easier said than done if the request is made in the context of a complaint/dispute. Your DPO will be highly skilled in dealing with the appropriate communication in this situation.
What information should we withhold or redact?
Deciding what information to provide and what to withhold and redact is a tricky topic and would require specialist advice from your Data Protection Officer. You should not provide any information that identifies, or is capable of identifying, another individual unless you have their consent. This does not normally apply to staff names or other personnel working in a professional capacity, but certain exceptions would apply.
Other redactions should be made to only provide the information that relates to the individual, this would mean redacting or withholding information that is administrative or organisational in nature.
What happens if the individual isn’t happy with our response to their Subject Access Request?
You should try to work with the individual who has made the request to provide the information that they are looking for. This can sometimes be tricky if the individual doesn’t know or want to tell you what that information is.
When you provide a response to a Subject Access Request you should make it clear what options the individual has if they wish to make a complaint about the way their request has been processed, this would include providing the details of the Information Commissioners Office.
If the individual makes a complaint to the ICO, you will be contacted by a case worker and asked to review the way you processed the request and provide information to the caseworker for a decision to be made.
You should consult your Data Protection Officer as soon as you receive a Subject Access Request, and they will be able to advise and guide you through the process.
If you would like further assistance, you can register for our Software ++ package with full DPO service and resources, which includes unlimited advice and assistance on all data protection matters.