Subject Access Request
What is a subject access request?
Under GDPR, individuals have the right to access the personal data and other information the school holds about them. This allows them to be aware of and understand the legal basis for processing this data.
This right applies to everyone whose personal data the school holds, including staff, governors, volunteers, parents, carers and pupils.
How do I make a subject access request?
A request can be made in any manner; in person, by telephone, via email or by post. However, in order to ensure we have all the information we need to process your request and provide you with the correct information you can simply download the SAR form and return it to the school for the attention of the Data Protection Officer.
Who deals with subject access requests?
The school's Data Protection Officer will deal with all subject access requests received. This is based on advice from the Information Commissioner's Office's guidance.
How we will respond to subject access requests
On receiving a request, our Data Protection Officer will contact the individual to confirm the request was made. We will then verify the identity of the person making the request using 'reasonable means'. This will usually mean we will ask for two forms of identification.
In most cases, we will provide the information within one month and there will be no charge. If the request is complex or numerous, we can comply within three months but, we will inform the individual of this within one month and explain why the extension is necessary.
If the request is made electronically, we will provide the information in a commonly used electronic format.
Unfounded or excessive requests
Where a request is unfounded or excessive, we will either:
- charge a reasonable fee to comply, based on the administrative cost of providing the information
- refuse to respond
- comply within three months, rather than the usual deadline of one month. We will always inform the individual of this and the reasons why
Usually, 'unfounded or excessive' means that the request is repetitive, or asks for further copies of the same information.
Refusing the request
When we refuse a request, we will:
- respond to the individual within one month
- explain why we are refusing the request
- inform the individual that they have the right to complain to the Information Commissioner's Office