Subject Access Requests- A Common Misconception.

Subject Access Request (SAR)

Last week I spoke to a new client and asked if they had ever had any problems in responding to a Subject Access Request. (SAR) To my surprise they told me that they had never had one.

I was very surprised by this as experience told me this would almost be a unique situation.

When asked if they had ever been asked by a parent for details relating to their child they said “Oh yes, but that was just asked at reception not by completing our form on the website so it isn’t recorded as a SAR”. I immediately explained that they had not been complying with UK GDPR.

This is probably a common misconception amongst many schools so here are a few points that should be considered and understood.

A SAR is when an individual exercises their right to find out what data is being held about them or their child and how it is being used.  Individuals may also ask for a copy of the data itself.

When such requests are made to the school you must respond within one month of receipt of the request or you may face legal proceedings and regulatory action.

As in the scenario above, a person does not need to state it is a SAR when submitting a request so its vital that all staff recognize a request. They can be made in person to anyone in the school, by email or even via social media if you use it.

The request may be made in writing but also verbally.

Once the SAR has been received make sure the staff know to inform the data protection lead in the school or the DPO. They should log the request and track it so that it is responded to in the appropriate manner. This includes some potential time delays for excessive requests and exemptions under the Data Protection Act 2018.

SARs are on the rise as more people understand their rights so don’t be caught out and face a complaint.

If you have any questions contact info@dpoforeducation.co.uk

Schools have responsibility but not control over pupils’ data

New report states “Schools have responsibility but not control over pupils’ data” A new report by the Digital Futures Commission recommends that the government ‘s Data Reform Bill should regulate data taken by educational technologies (EdTech) services widely used...

New school resources for teachers

The ICO has produced a suite of school resources for teachers to use when discussing privacy issues and the value of personal data. The lesson plans cover what counts as personal data, why it’s valuable and how to keep it safe when using social media. The resources...

Are Educational Institutions at risk from a phishing attack?

Absolutely they are! The Cyber Breaches 2022 Survey Education Annex has some brilliant insights into what educational institutions are currently facing in terms of cybercrime and as in previous years, phishing is the top detected cyber-attack and it’s easy to see...

« Older Entries

Next Entries »

Subject Access Requests- A Common Misconception.