How do you respond to a subject access request?

Under the GDPR you are required to explain your legal grounds when answering a SAR. Lisa Griffin describes what is involved in receiving a right to access request

Author details

Lisa Griffin is content lead at Optimus Education, focusing on leadership and governance. 

A subject access request (SAR) allows individuals to access their personal data held by an organisation. If you receive what you believe is a SAR, the first step is to establish whether the information requested falls within the definition of personal data.

Personal data

Personal data includes any information relating to an identified or identifiable natural person (the data subject). This could be, but is not limited to, a:

  • name
  • photo
  • physical ID
  • school report
  • school register
  • medical report 
  • safeguarding report
  • CCTV image.

A data subject is defined as ‘any person whose personal data is being collected, held or processed’. Processing means anything that is done to, or with, personal data, such as collecting, storing, sharing and deleting data. Individuals can submit a SAR to understand how and why you are using their data, and to check that you are doing it lawfully.

There are no restrictions on who can submit a SAR. You may receive one from a:

  • pupil
  • parent or carer
  • staff member
  • visitor or contractor.

There are also no restrictions on how a request may be submitted. SARs can be made verbally, in writing, by email, in person, via social media and so on.

Any of your staff could receive a request in any of the above ways, so it is important to train staff to recognise a SAR and to deal with requests as efficiently as possible.

Responding to a SAR: what to do

  • You have 30 days to respond to a request, so reply as soon as possible (and at the latest within one month from the day the SAR is received).
  • If you have doubts about the identity of the person making the request, you can ask for more information to verify that they are who they claim. 
  • You should let the individual know as soon as possible if you need more information from them before you respond to their request.
  • You can extend the 30-day period by a further two months where requests are complex or numerous.
  • If you do extend the period, you must inform the individual within one month of the receipt of the request and explain why it is necessary.
  • Provide the individual with a copy of the personal data requested free of charge.
  • Provide the information in a commonly used format (electronically if the request was received that way).
  • Provide the information in a concise, transparent, and easily accessible form, using clear and plain language.

Guidance from the ICO states that you can charge a ‘reasonable fee’ for admin costs when a request is manifestly unfounded or excessive, or if an individual requests further copies of the same data.

You can refuse a request if it is deemed too expensive and time-consuming, is vexatious or if it repeats a previous request from the same person. You’ll need to provide the requester with a written refusal notice if you do so.

Most importantly, when handling a SAR, aim to be open, fair, transparent and co-operative. 

Removing data about others

It is vital that you only supply information which is about the person making the SAR. If a document contains personal data about other individuals as well as the data subject, you should not disclose the information about those third parties.

When answering a request, you may have to redact parts of a document if it contains personal data about other individuals.

Evidencing a SAR

The ICO recommends having a process for recording details of all requests you receive. This should include each stage of handling the SAR until completion.

  • Keep copies of the correspondence between yourself and the data subject, and between yourself and any third parties.
  • Keep a record of any correspondence used to verify the identity of the data subject.
  • Record all decisions and how they were made.
  • Keep a copy of the information sent to the data subject.
  • Report the SAR to the SLT and governors.

Information to provide

As well as providing the personal data that you hold on the requester, you must also provide the following information.

  • What you are using the data for.
  • Who you are sharing the data with.
  • Where the data came from.
  • How long you will store the data, and how this decision was made.
  • The individual’s rights to challenge the accuracy of your data, have it deleted, or object to its use.
  • The individual’s right to complain to the ICO.
  • Whether data is used for profiling or automated decision making and the process for doing this.
  • If you have transferred the data to a third country or an international organisation, what security measures were taken.

SARs from pupils

Children and young people have the same rights as adults pertaining to use of their personal data, including the right to access it. 

If consent is your lawful basis for processing personal data regarding a child, in the UK children must be aged 13 or over to provide their own consent (you may need to verify this if you are concerned).

For children younger than this, rights over data are likely to be exercised by their parents or carers.

If you are confident that the child is old enough and mature enough to understand their rights, you should correspond directly with the child.

You may, however, allow the parent to exercise the child’s rights on their behalf if the child authorises this, if the child is not competent or mature enough, or if it is evident that this is in the best interests of the child.

The main thing is that you are confident the child understands what it means to make a SAR and how to interpret the information you will send.

Last updated: 03 Aug 2022