Subject Access Requests (SARs)

People have the right to request a copy of the personal data schools hold on them. This right applies in both maintained schools and academies due to the Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR).

Requests for personal data are called subject access requests because under UK GDPR each person is called a data subject. They may also be known as DSARs, for data subject access request. (UK GDPR is the new name for GDPR after Brexit.)

Subject access, freedom of information or school file request?

Subject access requests are often confused with other rights to request information from schools.

A subject access request lets you see personal data.

A freedom of information request lets you see general information that is not about you.

A request for a child’s school file (in maintained schools only) lets parents see educational records.

Below is a summary of the difference between subject access requests (SARs), freedom of information (FOI) requests and requests to see a child’s school file.

| | SAR | FOI | School File (Maintained Schools Only) |
|---|---|---|---|
| What info can be requested? | Personal data | General info held by public authorities | A pupil’s educational records |
| Usual response time? | One calendar month | 20 school days | 15 school days |
| Can deadline be extended? | Only for complex requests or multiple requests from one person. | Only to consider the public interest test. | No |
| Can we charge a fee? | Only if request is “manifestly unfounded or excessive” or is asking for an extra copy. | Yes, to cover costs like printing or postage. (Can charge more if it will cost the school over £450 to produce.) | No, if parent just wants to see the record. Yes, if they want a copy. |
| Must the request be in writing? | No | Yes | Yes |

Who can submit a subject access request?

Anyone whose personal data is held by the school. This could be pupils, parents, school employees, volunteers, governors or anyone who used to be in one of these categories. Usually SARs should be sent to the school’s data protection officer.

What data can be requested?

Any personal data that relates to a living, identifiable person can be requested. The DfE advise that personal data in schools includes (but is not limited to) the following:

  • contact information about pupils, students, learners, staff and carers
  • health information
  • details about recipients of pupil premium
  • employee references
  • safeguarding information about an individual
  • passport information, if planning trips to the EU
  • pupil exam references and results.

When someone submits an SAR they may specify exactly what kind of data they want, eg: please supply a copy of any health records you hold on me.

If they submit a much broader request, perhaps one that asks for any and all personal data the school holds, staff must make reasonable efforts to search through all the school records. This includes:

  • emails (including emails moved to a trash folder, as well as any archived emails)
  • Word documents
  • spreadsheets
  • databases
  • record systems
  • CCTV
  • USB sticks or CDs
  • paper records in filing systems.

Can personal data from governing body meetings be requested?

Yes. Any personal data in confidential governing body documents like minutes and papers from meetings is covered by UK GDPR. (Any minutes and papers the governing body have not marked as confidential are public documents anyway and must be given to anyone who asks for them.)

However, in most circumstances there should be little or no personal data in governor paperwork because of the strategic role of governors. They rarely talk about individual children and personal data such as salaries of staff should be anonymised so specific employees cannot be identified.

How long does a school have to respond to a subject access request?

The school must respond to a subject access request within one calendar month, but your response may be either to send the actual data or to tell someone you need more time, depending on the nature of the request.

For straightforward requests you must provide the requested data within one month.

For complex or multiple requests where you need to extend the deadline you must tell the requester you are extending the deadline by two further months, giving you three months in total to send the data.

“The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request.

“That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

“The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.”

UK GDPR

What if we need to clarify the request?

If the school holds a large amount of data you can ask the requester to specify exactly what they wish to receive. The clock stops until the clarification is received. Here is the advice from the Information Commissioner’s Office (ICO).

“If you process a large amount of information about an individual, you may ask them to specify the information or processing activities their request relates to before responding to the request.

“The time limit for responding to the request is paused until you receive clarification. This is referred to as ‘stopping the clock’.”

What Should We Consider When Responding To A Request? (ICO)

The DfE advise that asking for clarification is good practice because parents may well be looking for specific information that can be retrieved quickly if the school knows exactly where to look.

“Have a conversation to see if the requestor is willing to clarify the scope of the data requested. A parent may only be interested in one small part of the data record and would far rather get a quick response focussed on that scope rather than await a full SAR response.”

Data Protection: A Toolkit For Schools

The clock also stops if you cannot work out whether someone intends to make a subject access request or not.

“If you receive a request where it is genuinely unclear whether an individual is making a SAR, then the time limit does not begin until you have clarified whether the individual is making a SAR, and what personal data they are requesting.

“In such cases, you are expected to contact the individual as quickly as possible (eg: by phone or email where this is appropriate).”

What Should We Consider When Responding To A Request? (ICO)

When does the clock start ticking?

The one calendar month time limit starts from the day you receive the request, unless you are either a) charging a fee or b) asking for a clarification of the request, in which case the time limit starts from the day the fee or clarification is received.

If the next month is shorter than the current month the time limit runs to the last day of the next month. So if a request is received on 31 March the deadline is 30 April.

If the deadline falls on a weekend or public holiday you can add one extra day to the time period, eg: a request received on 2 April is due on 2 May (Mayday bank holiday) but should be answered by 3 May.

To avoid having to worry about months of differing length and bank holidays you could set a deadline of 28 days for all requests rather than one calendar month.

“You should calculate the time limit from the day you receive the request, fee or other requested information (whether it is a working day or not) until the corresponding calendar date in the next month.

“If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month.

“If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond.”

What Should We Consider When Responding To A Request? (ICO)

What if we receive a subject access request in school holidays?

Deadlines for subject access requests do not distinguish between school days and school holidays or INSET days. If the school receives a request on 20 July it has until 20 August to respond.

“There are no special rules which allow you to extend the time period for dealing with a SAR if you receive it during school holidays. Regardless of whether a school is closed, if you receive a SAR then you have the normal time period to comply.”

Education Data (ICO)

However, in their Data Protection Toolkit For Schools the DfE advise that although schools must follow the deadlines, they can tell parents that they may find this more difficult in the holidays.

“Include your willingness to help data subjects access their data in your privacy notice. Explain to parents that most of the year you aim to do this in a timely manner, but during school holidays this may become more difficult.”

Data Protection: A Toolkit For Schools

Can we ask for subject access requests to be submitted on a specific form?

Yes, you can ask, but not insist. The ICO recommend providing a form because it helps to collect the necessary information and avoid asking for clarification.

I’ve produced a template school subject access request form which you can download below.

Download Template School Subject Access Request Form (.docx file)

Can we reject a request that is not submitted via our form?

No. SARs submitted through other means are equally valid, so you cannot insist that your own form is used.

It is good practice to provide a SAR form on the organisation’s website, although you must make it clear that completion of a SAR form is not compulsory.

“A form can act as a guide for requesters and staff and help to ensure that all relevant information is captured at the outset. This helps to minimise the need to ask for further clarification, ID or proof of consent from the requester further into the process.”

Findings From ICO Reviews of Subject Access Request Handling Within Educational Establishments (ICO) (.pdf)

Note that SARs can be submitted via social media or email and even verbal requests must be responded to.

“However, you should note that a SAR is equally valid whether an individual submits it to you by letter, email or verbally. You must therefore make it clear that it is not compulsory to use the form and simply invite individuals to do so.”

How Do We Recognise a Subject Access Request? (ICO)

If a verbal request is received the school can ask for a form to be completed to help them understand and respond to the request, but if the form is not filled in they must still respond.

Should we ask for ID?

You can ask for ID but whether you should depends on who is making the request.

If you are sure of their identity, for example they are a previous employee or a parent who regularly picks up their child and is known to the staff, you should not ask for ID.

If their identity is not obvious or there is a risk that they could be confused with someone else you should ask for ID.

“To avoid personal data about one individual being sent to another, either accidentally or as a result of deception, you need to be satisfied that you know the identity of the requester (or the person the request is made on behalf of) and the data you hold relates to the individual in question.

“The key point is that you must be reasonable and proportionate about what you ask for. You should not request more information if the requester’s identity is obvious to you. This is particularly the case when you have an ongoing relationship with the individual.”

What Should We Consider When Responding To A Request? (ICO)

How do we send the data?

UK GDPR states that when a request has come in electronically the data should be sent electronically “where possible”, unless the person has asked for a different format of reply. For non-electronic requests the school can decide how to send data.

Can we refuse to release data?

Yes. You can refuse the request in one of three situations:

  1. an exemption applies
  2. the request is manifestly unfounded
  3. the request is manifestly excessive.

“Can we refuse to comply with a request? Yes.

“If an exemption applies, you can refuse to comply with a SAR (wholly or partly). Not all exemptions apply in the same way and you should look at each exemption carefully to see how it applies to a particular request.

“You can also refuse to comply with a SAR if it is manifestly unfounded or manifestly excessive.”

When Can We Refuse To Comply With A Request? (ICO)

What exemptions apply?

The exemptions that are most likely to apply in schools involve requests where disclosing the data might:

  • cause serious harm to the pupil (either their physical or mental health) or another person
  • reveal that a child is at risk of abuse, where that revelation would not be in the best interests of the child
  • reveal information in adoption papers or parental order records
  • involve court proceedings
  • include data on another person (a “third party”), although in this case the extra data could be redacted or removed before disclosure.

Detailed guidance on applying exemptions is available on the ICO website.

What does manifestly unfounded mean?

Broadly speaking, manifestly unfounded means someone is obviously misusing their right of access and does not genuinely wish to access their data. For example, a parent might clash with the headteacher and then submit weekly SARs solely to make the head’s life harder.

It could also be manifestly unfounded if someone submitted a request and then offered to withdraw it in return for a favour, or used the system for malicious purposes to harass the school or an employee.

“A request may be manifestly unfounded if:

– the individual clearly has no intention to exercise their right of access. For example an individual makes a request, but then offers to withdraw it in return for some form of benefit from the organisation; or

– the request is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption. For example, the individual:

    – explicitly states, in the request itself or in other communications, that they intend to cause disruption;

    – makes unsubstantiated accusations against you or specific employees which are clearly prompted by malice;

    – targets a particular employee against whom they have some personal grudge;

    – or systematically sends different requests to you as part of a campaign, eg once a week, with the intention of causing disruption.”

When Can We Refuse To Comply With A Request? (ICO)

What does manifestly excessive mean?

A request would be manifestly excessive if it is obviously unreasonable, in light of the time or cost it would take to supply the data. This doesn’t just mean someone has requested a lot of information, but it might mean that you have limited staff resources and it is not reasonable to spend so much time finding the info.

What do we include in the refusal letter?

If you do decide to refuse the request you must:

  • tell the requester within one month
  • include your reasoning
  • let them know they can complain to the ICO
  • let them know they can seek a “judicial remedy” (take the school to court).

“If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with the Commissioner and seeking a judicial remedy.”

UK GDPR

Can we charge a fee?

No, in the majority of cases. Schools are only allowed to charge a “reasonable” fee for admin costs if the request is manifestly unfounded or excessive or someone has already received one copy of their data and now wants an extra copy. The fee could cover photocopying costs and staff time.

“In most cases, you cannot charge a fee to comply with a SAR. However, you can charge a ‘reasonable fee’ for the administrative costs of complying with a request if it is manifestly unfounded or excessive or an individual requests further copies of their data following a request.”

What Should We Consider When Responding To A Request? (ICO)

Can parents request data on their child?

The right to submit an SAR belongs to the individual data subject, so the right to see a child’s data belongs to the child, not the parent. However, if the child is not able to act on their own behalf or gives their consent the parent can submit a request.

“Unlike the parent’s right of access to their child’s educational record, it is the pupil’s right to make a SAR. Parents can only submit a SAR for information about their child if the child is not competent to act on their own behalf or has given their consent.”

Education Data (ICO)

As a rule of thumb, the ICO advises that children under 12 are probably not mature enough to submit a subject access request themselves, whereas children of 12 or over probably are. They say for children under 12 it is “usually appropriate” to accept subject access requests from their parents.

“In Scotland, a person aged 12 years or over is presumed to be of sufficient age and maturity to be able to exercise their right of access, unless the contrary is shown. This does not apply in England, Wales or Northern Ireland but would be a reasonable starting point.

“If you are satisfied that the child is not competent and the request is from a person with parental responsibility for the child, then it is usually appropriate to let the holder of parental responsibility exercise the child’s rights on their behalf.”

Education Data (ICO)

Can we redact information?

Yes. The school must “protect the rights and freedoms” of other people when responding to an SAR, so they must not release the personal data of others.

Redacting may include blanking out information with a black marker pen or removing it using software. A full record of the redactions should be kept in case you are asked to review the decision.

If records contain data on third parties the school must redact the extra data. For example, if emails talking about a child also name and discuss two other children, the parent must only see the information on their own child. Schools should not usually redact teachers’ names, however.

“If an educational record contains personal data relating to someone other than the requester (such as a family member), you must consider the rules about third-party data before disclosing it to the requester.

“However, you should not normally withhold information that identifies a teacher.”

Education Data (ICO)

The ICO recommend the National Archives Redaction Toolkit (.pdf) which explains how to remove information from paper and electronic records. The appendices of this toolkit provide practical suggestions such as how to deal with Microsoft Office files that contain metadata and tracked changes (it is safer to send plain text files) and how to edit pdf files.

Can someone complain if they are unhappy with our response?

Yes. Article 15 of UK GDPR gives people “the right to lodge a complaint” with the ICO (although the ICO asks people to complain directly to the school first).

The ICO will not punish a school or give compensation, but they may advise the school on how to proceed. People also have the right to go to court.

Good Practice Tips For Dealing With SARs In Schools

In 2020 the ICO reviewed how eight schools handled SARs. Their report (.pdf) gives advice on good practice to follow and poor practice to avoid.

Good practice for schools includes:

  • having one specific person such as the data protection officer (DPO) deal with SARs
  • logging SARs in a central document which records the due date of each request, a brief explanation of any information withheld and the reasoning for an exemption or exception
  • using an information asset register or data map to list all types of data held and its location
  • sending a template acknowledgement letter when an SAR is received, explaining the deadline for the data to be sent
  • documenting the process for redactions.

Poor practice includes:

  • over a third of schools did not action SARs in the summer holidays, incorrectly delaying them until the new term
  • half of schools only recognised written requests
  • half of schools did not have a documented process for verifying ID
  • some schools did not explain how to make an SAR on their website
  • some schools did not tell people they had the right to complain to the ICO under Article 15(1)(f) of UK GDPR.

What if a parent asks to see their child’s school file?

In maintained schools parents can request to see a child’s school file – their educational record – under section 5 of the Education (Pupil Information) (England) Regulations 2005. (This law does not apply to academies.)

This right is not connected to subject access requests. Notice that the Pupil Information Regulations give parents the right to see the school file, whereas for subject access requests the right belongs to the child.

According to the ICO the educational record would cover “information such as the records of the pupil’s academic achievements as well as correspondence from teachers, local education authority employees and educational psychologists engaged by the school’s governing body”.

Parents must make a written request to see their child’s school file. They must then be shown the file free of charge. However, if they ask for a copy of the file the school can charge a fee that covers the cost of supplying it.

“(2) Subject to paragraph (4), the governing body shall make a pupil’s educational record available for inspection by the parent, free of charge, within fifteen school days of receipt of the parent’s written request for access to that record.

“(3) Subject to paragraph (4), the governing body shall provide a copy of a pupil’s educational record to the parent, on payment of such fee (not exceeding the cost of supply), if any, as the governing body may prescribe, within fifteen school days of receipt of the parent’s written request for a copy of that record.

“(4) When complying with a request under paragraph (2) or paragraph (3), a governing body shall not make available for inspection or provide a copy of any information—

(a) which they could not lawfully disclose to the pupil himself under the GDPR; or

(b) in relation to which the pupil himself would have no right of access under the GDPR.”

Education (Pupil Information) (England) Regulations 2005 (Section 5)