Subject access requests in schools

A subject access request (SAR), also called a data subject access request (DSAR), is any request by a data subject for access to their personal data. Those with parental responsibility for students aged 18 and under can also request a copy of their child’s pupil record. Requests can be in any format and you cannot require them to be made in writing. Asking someone to outline the data they are specifically interested in is helpful. You must respond to a SAR within one calendar month, but the time frame can be extended by up to two months for complex or numerous requests. If this is the case, you must inform the individual within the original one month, giving reasons for the extension.

The right of access is a specific data subject right under the Regulation and you must implement a process to ensure this right can be exercised and that staff understand what to do if someone asks for a copy of their data. Failure to comply with a SAR has been identified by the ICO as one of the most significant data protection issues at present. In 2018, 46% of the total complaints the ICO received were in relation to SARs.

Requests for the educational record
For maintained schools, education laws also apply, and parents are entitled to access or see a copy of their child’s educational record. This applies until the child is 18, even if the pupil or the other parent does not want them to see it. However, parents cannot be given information that the school could not lawfully disclose to the child under the GDPR or in relation to which the child would have no right of access. A request for the pupil record must be responded to within 15 days. Academies should check policies before responding to a request. There is more information on the ICO website.
 
Important points about SARs:
  • You cannot charge for an access request (unless it is excessive or repetitive).
  • You must respond to requests within one calendar month.
  • You can refuse a request if it is manifestly unfounded, but you must inform the individual of this within one month, and explain that they have the right to complain to the supervisory authority.
Manage subject access requests through GDPR.co.uk
GDPR.co.uk supports the management of SARs by providing an easy-to-use interface, countdown timer and reminder emails, ensuring you keep on top of SARs across your organisation.
Data Subject Access Request Services offered by GRCI Law

We can remove the pain of processing subject access requests and support you throughout this complex process with one-off or ongoing DSAR as a Service contracts. The DSARs are processed by a team from our law firm, GRCI Law, which has extensive experience dealing with such requests. Visit the GRCI Law website for more information about the services available.

 

Find out more

Start your journey to compliance today with a 14-day free trial or contact the team to find out more.
