Under the Data Protection Act 2018 (DPA), individuals (such as pupils) have the right to obtain a copy of their personal data.
In this article, our Commercial & Data Protection team provides a useful overview for education providers on what information individuals are entitled to access and a step-by-step outline of the process that should be followed when dealing with a SAR to ensure compliance with the law.
Commercial & Data Protection|08 September 2021
The ICO provides useful, detailed guidance on SARs.
Under the right of access, an individual is only entitled to their own personal data. They are not entitled to information relating to other people, unless:
Please note, a parent making a request for educational records may not necessarily be a SAR. Therefore it is important that you correctly differentiate between the two. Our advice note on dealing with requests for educational records can be accessed here: https://flintbishop.co.uk/insights/education-data-ensuring-best-practice/
The following steps outline the process that should be followed when dealing with a SAR to ensure compliance with the law.
A SAR can be made verbally or in writing, including on social media. A request is valid if it is clear that the individual is asking for their own personal data. This means an individual would not need to refer to the DPA or direct the request to a specific contact for their request to be valid.
You must comply with a SAR without undue delay and at the latest within one month of receiving the request. In some cases, where the request is complex, you can extend the time to respond by a further two months, but you should only do this if it is absolutely necessary.
You should start the process of responding as soon as you can but also make a note of and diarise the long-stop date, so that it is not missed. If you fail to respond within the required timeframe, you will be in breach of the law.
Before responding to a SAR for information held about a child, you should consider whether the child is mature enough to understand their rights. If the request is from a child and you are confident that they can understand their rights, you should usually respond directly to the child. You may, however, allow the parent or guardian to exercise the child’s rights on their behalf if the child authorises this, or if it is evident that this is in the best interests of the child.
When dealing with a SAR for information about a child that has come from a parent or carer, you should consider the following before responding:
Once you have made a decision on whether or not you will disclose the personal data (or some of it) to the parent or carer making the request, you should record that decision (explaining your reasons for reaching it) and also communicate your response to the parent or carer.
When making a disclosure of personal information (whether disclosure is made to the parent or carer, or directly to the pupil), your SAR response should include a description of the following:
You should take care to ensure that you are providing the information in a clear, transparent and accessible manner (particularly when responding to a young person directly).
Care should be taken to ensure the information can be understood and that plain language is used.
