From Request to Response: Navigating Subject Access Requests the Smart Way
This is a summary taken from Judicium’s DPO ‘Sofa Session’ from the 12th December, with our Data Protection Consultant Daniel Richardson.
Poll 1 - Part 1 (poll results image)
Poll 1 - Part 2 (poll results image)
What is a Subject Access Request (SAR) and Why Are They Important?
SARs are the area where schools and trusts most commonly interact with data protection legislation in an “adversarial” environment. In simple terms, SARs give people the right to see the personal information that an organisation holds about them. There are clear legal obligations on data controllers and potential repercussions should they not act in line with their obligations. This should not be viewed as an “us vs them” situation; it is better to consider it a collaborative exercise in which the school works together with the requestor to ensure that their rights are respected.
What is Not a SAR?
Educational Records Requests – The authority to make these requests is granted by different legislation entirely and they have significant differences to SARs. They only apply to maintained schools and you have 15 school days to comply. They allow access to the educational record only and so any request for emails or safeguarding is still a SAR.
Requests resulting from a Court Order / Requests from the Police – The lawful basis for sharing is entirely separate and distinct.
Freedom of Information Requests (FOIs) – These are not a request for personal data.
While these are all fairly common forms of requests, SARs will typically represent the bulk of the data requests schools receive. We suggest you seek assistance from your data protection officer in complying with any of the above request types. For Judicium data protection clients, simply reach out and we can advise on each individual request received.
Poll 2 (poll results image)
When are we required to respond to a SAR?
In its most basic form, a SAR is a request to see the information the school holds relating to a specific person. The ability to make such a request is conferred by the Data Protection Act 2018.
How can a SAR be made?
The Data Protection Act provides scope as to the format of a valid SAR. It can be made:
- To any member of staff
- In writing OR verbally
- Without any reference to the Data Protection Act or Subject Access Request legislation at all.
How to know it is a valid request
1. Identity
Is the requestor who they say they are? Establishing identity does not need to be as formal as demanding to see a passport or driving licence. If the requestor is a parent, you are likely to be sufficiently familiar with them to say that the email address the request originated from provides reasonable proof of their identity.
There is no formal requirement; it comes down to you being reasonably satisfied that they are who they say they are. In cases where the request has been made by a solicitor’s firm, you are entitled to rely on the fact that the firm will already have appropriately confirmed the requestor's identity, and as such further proof is not required in these cases.
2. Authority/Consent
A person obviously has the authority to make a request for their own personal data. Similarly, a person is free to authorise another person to make such a request on their behalf. The situation is complicated where a request is made on behalf of a child who lacks the capacity to provide valid consent. At this point, it is worth considering what we mean by “capacity.”
Capacity is the ability of a person to understand (and enforce) their data rights. This is important in the context of SARs because if someone is deemed to possess capacity, then their consent would be required before their data could be disclosed to a third-party requestor (typically a parent). There are no hard and fast rules when it comes to capacity, and every case needs to be considered on its own merits. The Information Commissioner's Office provides a starting point by advising that a typical 12-year-old would be presumed to have capacity. However, it is perfectly possible for a child under 12 to have capacity or one over 12 to lack it, so each case requires individual assessment.
In terms of capacity for SARs, it is important to note that if a request is made on behalf of a data subject who has capacity, their consent must also be provided. As this consent is necessary for the SAR to be considered valid, the one-month deadline to comply with the request does not start until it has been received.
3. Clarity
It must be clear what is being requested. Unfortunately, this can be as simple as saying they want “everything” the school holds relating to them/their child. Even in these cases, however, you are always free to approach the requestor and ask them if there is any specific data they are interested in, which can make locating and disclosing this data much less onerous on the school.
Fulfilling the SAR within the deadline and how to undertake a search
Deadline
One of the most common questions we get is “how long do we have to respond to this?” Assuming all of the previously mentioned requirements have been met, the deadline is one calendar month from the date of receipt. Unfortunately, unlike FOIs, school holidays are not a factor when working out the deadline for a SAR. If it is received at the start of term then you have a month. If you receive it the day you break up for summer, or even within the summer holidays, then it is still a month. The ICO is typically understanding when it comes to the difficulties that a school faces when trying to fulfil SARs over school holidays, and so provided the school acts openly and in good faith, it is usually not an issue. Most requestors are also reasonable, so if you are open about the difficulties you may encounter fulfilling their request, they are often amenable to agreeing on an extended deadline. You are always free to agree a departure from the strict statutory requirements of a SAR with the requestor.
"Reasonable and Proportionate” searches
Even if the request asks for absolutely everything the school holds, this does not necessarily mean every part of its systems needs to be interrogated to pull up every scrap of relevant data.
In almost all cases, the requestor has a desired outcome in mind when they make the request. Simply asking them what information they are actually interested in can often save a significant amount of work and produce a much more satisfactory outcome for both school and requestor.
Providing vs Access
It is a common misconception amongst requestors that a SAR requires the school to provide them with copies of all their personal data. Instead, the requirement is that they are given access to it. This means, especially in cases where the requestor is a current employee, documents such as emails which were sent to them and they still have access to don't need to be provided again.
Redaction – What should we remove?
The starting point is that the requestor is not entitled to receive any third-party personal data. Personal data is defined widely as information that can be linked to an identified or identifiable individual. This means any data that identifies a third party can be redacted. A partial exception to this rule is where a person's personal data appears in the records as a result of them acting in the course of their profession. In these cases, the data can be redacted, but does not necessarily need to be.
Poll 3 (poll results image)
AI Requests
A very recent development is the use of AI by requestors to draft SARs. While SARs drafted by AI can appear intimidating, as they tend to make explicit reference to legislation and are typically worded in a very formal way, they are in essence no different to any other SAR.
CCTV
It is increasingly common for requestors to ask to see CCTV footage as a part of their SAR. As with paper records, third-party personal data would need to be redacted from the footage before it is disclosed. While many CCTV systems support blurring or otherwise anonymising people in the footage, this is not always possible. In these cases an alternative is to invite the requestor to view the footage on school premises. This satisfies the requirement to provide access to the personal data while also ensuring the footage itself always remains within the school's control, preventing further dissemination.
Care must be taken when allowing requestors to view footage to ensure they do not record or otherwise copy the footage and take it away with them.
Our Sofa Sessions tackle the main challenges that are happening in schools and trusts. In February 2026, we will be hosting a session specifically on CCTV in the Data Protection field. Booking for this will be open soon on our main Sofa Session page.
Exemptions
- Not the requestor’s personal data
The simplest of the exemptions and one that will apply in almost every case. The rights provided by the Data Protection Act only apply to the requestor’s personal data. This means that unless the data relates to the requestor directly then it should not be provided. If you provide data relating to a third party, this would represent a data breach.
- Safeguarding/Harm
“Likely to cause serious harm to the mental or physical health of any individual”. A fairly high bar, but the harm does not need to relate to the requestor or their child. If disclosure is likely to cause serious harm to any individual, it can safely be excluded. In cases where you are unsure, we typically recommend erring on the side of caution and not disclosing the data. We can advise more specifically on each issue should it arise for our data protection clients, but I would much rather explain to the ICO why we chose to withhold information than why we disclosed it and harm was ultimately caused by it.
- Legal privilege
This is very common in cases where the requestor is a current/previous employee. Personal data is exempt from the right of access if it consists of:
  - Information to which a claim to legal professional privilege could be maintained in legal proceedings
  - Information in respect of which a professional legal adviser owes a duty of confidentiality to his client.
These three are typically the exemptions that we apply most often. However, other exemptions can also be used. We recommend discussing with your DPO before utilising an exemption.
Providing the disclosure
What format?
Effectively, the ICO expect the school to provide the data in the format specified by the requestor (if this is reasonable). As a general rule, in the absence of the requestor specifying a preference, the school should mirror the manner in which the request was made. If it was made by post, the response should go by post. If it was made digitally, the response can be digital.
Subsequent requests
Typically a requestor will have one issue in mind when they make their request. Once the data has been provided, this will usually satisfy their needs and you will not receive another request from them. However, this isn’t always the case.
When handling follow-up requests, there are a few additional factors that you will need to consider. Firstly, any data provided under a previous SAR does not need to be provided again. With that said, the rights conferred by the Data Protection Act to make SARs are generally separate from any other mechanism by which a person may be able to access information, such as litigation disclosure.
Unfortunately, it is sometimes the case that a person is using the rights conferred by the Data Protection Act purely to inconvenience the school or trust. While the DPA does allow a school to disregard repeated or vexatious requests, establishing this is a high bar to clear. We suggest discussing this with your DPO, and for Judicium clients, it's certainly something we would want to look at in detail before advising that any given request could be ignored on this basis.
Key takeaways
- Ask for clarification on any request - This may reduce the workload by narrowing down what the requestor is asking for and gives them the specifics they need, which benefits both parties.
- Record reasoning - It's important to record why you've made decisions or why you may have redacted certain information. This gives you a basis for responding to any queries or complaints you might receive.
- Trust your gut - if something feels wrong, question it. There might be an exemption you can apply.
- Training - every single member of staff needs to receive base-level training to be able to identify a SAR. This enables a proactive approach and reduces the risk of tight deadlines combined with high workloads.
Judicium hosts a breadth of CPD training courses for data protection, designed specifically to meet the needs of schools. View our catalogue here.
How Judicium can help...
You can find information regarding our School Data Protection Officer (DPO) service here.
Jedu is Judicium's online GDPR compliance tracking software for schools. Our platform is suitable for single schools through to large MATs and is designed to assist schools with two critical needs: to enable trustees, governors and other SLT to monitor GDPR compliance; and to assist you in managing your data protection.
If you would like more information on how we can support you or more information regarding Jedu, please get in touch with us.
If you require any support in any of these steps or would like to talk to someone surrounding some support for your school, please do not hesitate to call us on 0345 548 7000 or email georgina.decosta@judicium.com.
Follow us on Twitter: @DPOforSchools and @JudiciumEDU
© This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attend and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium preventing you from accessing our sessions and/or follow-up content.