Children's Code: firms must be compliant from 02 September
Our experts discuss how organisations can ensure compliance with the Code.Read more
The ICO provides useful, detailed guidance on SARs, which can be accessed via this link: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/
Under the right of access, an individual is only entitled to their own personal data. They are not entitled to information
relating to other people, unless:
Please note, a parent making a request for educational records may not necessarily be a SAR. Therefore it is important that you correctly differentiate between the two. Our advice note on dealing with requests for educational records can be accessed here: https://flintbishop.co.uk/insights/education-data-ensuring-best-practice/
The following steps outline the process that should be followed when dealing with a SAR to ensure compliance with the law.
A SAR can be made verbally or in writing, including on social media. A request is valid if it is clear that the individual is asking for their own personal data. This means an individual would not need to refer to the DPA or direct the request to a specific contact, for their request to be valid.
You must comply with a SAR without undue delay and at the latest within one month of receiving the request. In some cases, where the request is complex, you can extend the time to respond by a further two months, but you should only do this if it is absolutely necessary.
You should start the process of responding as soon as you can but also make a note of and diarise the long-stop date, so that it is not missed. If you fail to respond within the required timeframe, you will be in breach of the law.
Before responding to a SAR for information held about a child, you should consider whether the child is mature enough to understand their rights. If the request is from a child and you are confident that they can understand their rights, you should usually respond directly to the child. You may, however, allow the parent or guardian to exercise the child’s rights on their behalf if the child authorises this, or if it is evident that this is in the best interests of the child.
When dealing with a SAR for information about a child that has come from a parent or carer, you should consider the following before responding:
Once you have had made a decision on whether or not you will disclose the personal data (or some of it) to the parent or carer making the request, you should record that decision (explaining your reasons for reaching it) and also communicate your response to the parent or carer.
When making a disclosure of personal information (whether disclosure is made to the parent or carer or, directly to the pupil), your SAR response should include a description of the following:
You should take care to ensure that you are providing the information in a clear, transparent and accessible manner (particularly when responding to a young person directly).
Care should be taken to ensure the information can be understood and that plain language is used.
If you need assistance with responding to a subject access request or any other data protection matter, contact our Commercial team on 01332 226 466 or fill in the form below.
Scroll to next section
Scroll back to the top