Subject Access Requests- A Common Misconception.

by | Apr 23, 2025 | Uncategorized

Subject Access Requests- A Common Misconception.

Subject Access Request (SAR)

Last week I spoke to a new client and asked if they had ever had any problems in responding to a Subject Access Request. (SAR) To my surprise they told me that they had never had one. 

I was very surprised by this as experience told me this would almost be a unique situation.  

 
When asked if they had ever been asked by a parent for details relating to their child they said “Oh yes, but that was just asked at reception not by completing our form on the website so it isn’t recorded as a SAR”. I immediately explained that they had not been complying with UK GDPR. 
 
This is probably a common misconception amongst many schools so here are a few points that should be considered and understood. 
 
A SAR is when an individual exercises their right to find out what data is being held about them or their child and how it is being used.  Individuals may also ask for a copy of the data itself.
 
When such requests are made to the school you must respond within one month of receipt of the request or you may face legal proceedings and regulatory action.
As in the scenario above, a person does not need to state it is a SAR when submitting a request so its vital that all staff recognize a request. They can be made in person to anyone in the school, by email or even via social media if you use it. 
The request may be made in writing but also verbally. 
Once the SAR has been received make sure the staff know to inform the data protection lead in the school or the DPO. They should log the request and track it so that it is responded to in the appropriate manner. This includes some potential time delays for excessive requests and exemptions under the Data Protection Act 2018. 
SARs are on the rise as more people understand their rights so don’t be caught out and face a complaint. 
If you have any questions contact info@dpoforeducation.co.uk 
Sharing Personal Data with the Police

Sharing Personal Data with the Police

One of the most common questions we get asked concerns sharing data with law enforcement offices. The UK GDPR does not prevent you sharing personal data with such bodies such as the police (known under data protection law as “competent authorities”) who are...

Core Principles of Data Protection

Core Principles of Data Protection

And the rights of individuals  Core Principles of Data Protection  Data must be processed lawfully, fairly and in a transparent manner Data must be collected for specified, explicit and legitimate purposesThe data collected must be adequate, relevant and limited to...

New Data Retention Guidance

New Data Retention Guidance

This is a subtitle for your new post The UK government recently issued updated guidance on record keeping for academies and trusts to assist them with their record keeping obligations.  Click here to be taken to the Government site....