A Subject Access Request (SAR) is simply a request made by or on behalf of an individual for the information which he or she is entitled to ask for under Articles 12 and 15 of the GDPR. The request does not have to be in any particular form, nor does it have to include the words ‘subject access’ or make any reference to the GDPR.
These requests are most often made by individuals who want to see a copy of the information an organisation holds about them. However, except where an exemption applies subject access entitles an individual to be:
told whether any personal data is being processed;
given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
given details of the source of the data (where this is available).
Subject access provides a right to see the personal information or a right to have copies of the documents that include that information. If the request is made electronically, you should provide the information in a commonly used electronic format.
Under GDPR a Subject Access Request (SAR) can be made either verbally or in writing. If the request is received verbally then it is best practice for the individual taking the request to record and agree the nature and content of the request with the requestor. The school has a Subject Access Request form which can be used by staff to record a request and a Data Protection Policy, both of which are available from our website.
Although, the form may make it easier for an individual to ensure they include all the information that we need there is no requirement for them to use this form. Requests may also be received via email, fax, letter etc.
Adults and children who can understand their subject access rights can apply to the school for their personal information. The form also allows official representatives to apply on behalf of vulnerable or less able applicants (see section on requests made on behalf of others and requests for information about children).
To avoid personal data about one individual being sent to someone who is not entitled to it, the school need to be satisfied that they know the identity of the applicant. Enough information should be requested to confirm the individual’s identity, however this must be reasonable especially in situations where the individual is known to the school through ongoing contact.
Subject Access Requests to the school are free under GDPR.
The statutory response time is one month.