Subject Access Requests - A Common Misconception

Subject Access Request (SAR)

Last week I spoke to a new client and asked if they had ever had any problems in responding to a Subject Access Request (SAR). To my surprise, they told me that they had never had one.

I was very surprised by this, as experience told me this would be an almost unique situation.

 
When asked if they had ever been asked by a parent for details relating to their child, they said, “Oh yes, but that was just asked at reception, not by completing our form on the website, so it isn’t recorded as a SAR”. I immediately explained that they had not been complying with UK GDPR.
 
This is probably a common misconception amongst many schools, so here are a few points that should be considered and understood.
 
A SAR is when an individual exercises their right to find out what data is being held about them or their child and how it is being used.  Individuals may also ask for a copy of the data itself.
 
When such requests are made to the school, you must respond within one month of receipt of the request or you may face legal proceedings and regulatory action.

As in the scenario above, a person does not need to state that it is a SAR when submitting a request, so it's vital that all staff can recognise one. Requests can be made in person to anyone in the school, by email or even via social media if you use it.

The request may be made in writing but also verbally.

Once the SAR has been received, make sure the staff know to inform the data protection lead in the school or the DPO. They should log the request and track it so that it is responded to in the appropriate manner. This includes some potential time delays for excessive requests and exemptions under the Data Protection Act 2018.

SARs are on the rise as more people understand their rights, so don’t be caught out and face a complaint.

If you have any questions, contact info@dpoforeducation.co.uk