We provide the complete commercial debt recovery service; from outsourced early arrears collections through to expert litigation, all handled in-house by a multi-award winning law firm.

Visit our debt recovery website

We provide the complete commercial debt recovery service; from outsourced early arrears collections through to expert litigation, all handled in-house by a multi-award winning law firm.

Visit our debt recovery website

Search

Insight

Subject access requests: pupil information

How to deal with and respond to a subject access request (SAR) for information about a child.

The ICO provides useful, detailed guidance on SARs, which can be accessed via this link: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

What are individuals entitled to?

Under the right of access, an individual is only entitled to their own personal data. They are not entitled to information
relating to other people, unless:

  • their data also relates to other individuals; or
  • they are exercising another individual’s right of access on their behalf (for example, a parent making a request on
    behalf of their child).

Please note, a parent making a request for educational records may not necessarily be a SAR. Therefore it is important that you correctly differentiate between the two. Our advice note on dealing with requests for educational records can be accessed here: https://flintbishop.co.uk/insights/education-data-ensuring-best-practice/

The following steps outline the process that should be followed when dealing with a SAR to ensure compliance with the law.

Step 1: Recognising a request

A SAR can be made verbally or in writing, including on social media. A request is valid if it is clear that the individual is asking for their own personal data. This means an individual would not need to refer to the DPA or direct the request to a specific contact, for their request to be valid.

Step 2: Diarising the final date to respond

You must comply with a SAR without undue delay and at the latest within one month of receiving the request. In some cases, where the request is complex, you can extend the time to respond by a further two months, but you should only do this if it is absolutely necessary.

You should start the process of responding as soon as you can but also make a note of and diarise the long-stop date, so that it is not missed. If you fail to respond within the required timeframe, you will be in breach of the law.

Step 3: What to consider before replying

Before responding to a SAR for information held about a child, you should consider whether the child is mature enough to understand their rights. If the request is from a child and you are confident that they can understand their rights, you should usually respond directly to the child. You may, however, allow the parent or guardian to exercise the child’s rights on their behalf if the child authorises this, or if it is evident that this is in the best interests of the child.

When dealing with a SAR for information about a child that has come from a parent or carer, you should consider the following before responding:

  • the child’s level of maturity;
  • the nature of the personal data;
  • court orders relating to parental access or responsibility;
  • whether there is a duty of confidence owed to the child;
  • allegations of abuse or ill treatment;
  • whether there would be any detriment to the child if the information about them is disclosed to a parent or carer (or even, withheld from the parent or carer); and
  • what the child’s views are on the disclosure of their personal data.

Step 4: Compiling the response

Once you have had made a decision on whether or not you will disclose the personal data (or some of it) to the parent or carer making the request, you should record that decision (explaining your reasons for reaching it) and also communicate your response to the parent or carer.

When making a disclosure of personal information (whether disclosure is made to the parent or carer or, directly to the pupil), your SAR response should include a description of the following:

  • what personal data the school holds about the child;
  • how the school processes it;
  • how long the data is kept;
  • what is being disclosed;
  • whether any personal information is being withheld from disclosure; and
  • details of the pupil’s right to complain.

You should take care to ensure that you are providing the information in a clear, transparent and accessible manner (particularly when responding to a young person directly).

Care should be taken to ensure the information can be understood and that plain language is used.

Contact Us

Do you need assistance?

If you need assistance with responding to a subject access request or any other data protection matter, contact our Commercial team on 01332 226 466 or fill in the form below.

Related Services

Other areas of interest

Data protection

Knowledge

The latest from our experts

Insight

The UK Data Reform Bill: a step in the right direction or a risk to individual rights?

On 10 May 2022, Prince Charles announced in the Queen’s speech that the UK will be reforming its data protection laws.

 Read more

Insight

What are framework and call-off contracts and how should they be reviewed?

Our Commercial team has provided guidance on how to make use of these agreements to arrange long-term business relationships.

 Read more

Insight

New Government white paper for schools published

The Government has published its new white paper for schools, titled ‘Opportunity for all: strong schools with great teachers for your child’.

 Read more

Insight

Could reforms be coming for international trade documents?

The Law Commission has published a report proposing to reform the law on the use of trade documents in international shipping.

 Read more

Insight

What you need to know about the new international data transfer laws

Here is what the UK International Data Transfer Agreement (IDTA) and International Data Transfer Addendum (Addendum) mean for you and your business.

 Read more

Insight

Data Privacy Week – how to remain compliant and look after customers in 2022

Data Privacy Week commemorates the signing of convention 108 on 28 January 1981, raising awareness of data protection and highlighting its importance.

 Read more

Insight

Teachers taking on extra responsibilities – how should schools handle these?

Over the last year or so, additional tutoring has become more prevalent in an attempt to ensure that children are not disadvantaged by the school closures.

 Read more

Insight

Age Discrimination: caution advised in light of recent Employment Appeal Tribunal decisions

A mandatory retirement policy has proved contentious after leading the Employment Tribunals to make two opposing decisions.

 Read more

Insight

Children's Code: firms must be compliant from 02 September

Our experts discuss how organisations can ensure compliance with the Code.

 Read more

Insight

Unfair dismissal appeal overturned in teacher’s indecent images case

Was it unfair to dismiss a teacher accused of - but not prosecuted for - possessing indecent images of children?

 Read more

Insight

Dealing with long term absence in schools

Our employment experts look at the key considerations to make when faced with an employee on long term sick leave.

 Read more

Insight

Acas publishes guidance for employers on how to handle Long-COVID

Our employment experts summarise the recently published Long-COVID guidance from Acas.

 Read more
SHARE

Share

Scroll to next section

Scroll back to the top