Subject Access Requests - A Common Misconception

Subject Access Request (SAR)

Last week I spoke to a new client and asked if they had ever had any problems in responding to a Subject Access Request (SAR). To my surprise, they told me that they had never had one.

I was very surprised by this, as experience told me this would be an almost unique situation.

 
When asked if they had ever been asked by a parent for details relating to their child they said “Oh yes, but that was just asked at reception not by completing our form on the website so it isn’t recorded as a SAR”. I immediately explained that they had not been complying with UK GDPR. 
 
This is probably a common misconception amongst many schools so here are a few points that should be considered and understood. 
 
A SAR is when an individual exercises their right to find out what data is being held about them or their child and how it is being used.  Individuals may also ask for a copy of the data itself.
 
When such requests are made to the school you must respond within one month of receipt of the request or you may face legal proceedings and regulatory action.
As in the scenario above, a person does not need to state it is a SAR when submitting a request, so it's vital that all staff recognize a request. Requests can be made in person to anyone in the school, by email or even via social media if you use it.
The request may be made in writing but also verbally. 
Once the SAR has been received make sure the staff know to inform the data protection lead in the school or the DPO. They should log the request and track it so that it is responded to in the appropriate manner. This includes some potential time delays for excessive requests and exemptions under the Data Protection Act 2018. 
SARs are on the rise as more people understand their rights so don’t be caught out and face a complaint. 
If you have any questions contact info@dpoforeducation.co.uk 