Subject Access Requests - A Common Misconception

Subject Access Request (SAR)

Last week I spoke to a new client and asked if they had ever had any problems in responding to a Subject Access Request (SAR). To my surprise they told me that they had never had one.

I was very surprised by this as experience told me this would almost be a unique situation.  

 
When asked if they had ever been asked by a parent for details relating to their child they said “Oh yes, but that was just asked at reception not by completing our form on the website so it isn’t recorded as a SAR”. I immediately explained that they had not been complying with UK GDPR. 
 
This is probably a common misconception amongst many schools so here are a few points that should be considered and understood. 
 
A SAR is when an individual exercises their right to find out what data is being held about them or their child and how it is being used.  Individuals may also ask for a copy of the data itself.
 
When such requests are made to the school, you must respond within one month of receipt of the request or you may face legal proceedings and regulatory action.
As in the scenario above, a person does not need to state it is a SAR when submitting a request, so it's vital that all staff recognize a request. Requests can be made in person to anyone in the school, by email or even via social media if you use it.
The request may be made in writing but also verbally. 
Once the SAR has been received, make sure the staff know to inform the data protection lead in the school or the DPO. They should log the request and track it so that it is responded to in the appropriate manner. This includes some potential time delays for excessive requests and exemptions under the Data Protection Act 2018.
SARs are on the rise as more people understand their rights, so don’t be caught out and face a complaint.
If you have any questions contact info@dpoforeducation.co.uk 