How do I make a subject access request at my school?

Overview

You might have heard of a subject access request but might be unsure of what it actually is.

The Information Commissioner’s Office (ICO) explains you have the right to ask an organisation, such as a school, whether or not they are using or storing your personal information. This is called the right of access and is commonly known as making a subject access request (or SAR).

You can also ask them for copies of your personal information, verbally or in writing.

As a result of GDPR, you can make subject access requests for free. For more information about GDPR please see another one of our articles.

Why should I make a subject access request?

You can make a subject access request to find out:

  • What personal information an organisation holds about you
  • How they are using it
  • Who they are sharing it with
  • Where they got your data from

In a school context, staff can sometimes find it useful to make a SAR when making a grievance, to find out the relevant information the school might hold.

We have published another article which outlines more details about how to make a grievance in school.

Your school might also have a SAR policy which you will want to consult.

What should my SAR include?

The ICO suggests your SAR should include:

  • A clear heading for your request (for example, use ‘subject access request’ as your email subject line or a heading for your letter)
  • The date of your request
  • Your name
  • Any other information used by the organisation to identify or distinguish you from other individuals (for example, customer account number)
  • A comprehensive list of what personal data you want to access, based on what you need
  • Any details, relevant dates, or search criteria that will help the organisation identify what you want
  • How you would like to receive the information (for example by email or printed out)

Do not include:

  • Other information with your request, such as details about a wider complaint
  • A request for all the information the organisation holds on you, unless that is what you want (if an organisation holds a lot of information about you, it could take them longer to respond, or make it more difficult for you to locate the specific information you need in their response)
  • Threatening or offensive language

Where possible, send your request directly to the individual who would deal with subject access requests, such as the data protection officer.

What does a subject access request look like?

Below is one example of what a subject access request can look like:

Dear (Insert name)

Subject access request

[Include your full name and other relevant details to help identify you].

Please supply the personal data you hold about me, which I am entitled to receive under data protection law, held in:

[Give specific details of where to search for the personal data you want, for example:

  • my personnel file
  • emails between ‘person A’ and ‘person B’ (from 1 June 2020 to 1 September 2020)
  • the CCTV camera situated at (‘location E’) on 23 May 2020 between 11am and 5pm]

If you need any more information, please let me know as soon as possible.

It may be helpful for you to know that data protection law requires you to respond to a request for personal data within one calendar month.

If you do not normally deal with these requests, please pass this letter to your data protection officer or relevant staff member.

If you need advice on dealing with this request, the Information Commissioner’s Office can assist you.

Yours faithfully

[Signature]

How long does an organisation have to respond?

An organisation normally has to respond to your request within one month.

If you have made a number of requests or your request is complex, they may need extra time to consider your request and they can take up to an extra two months to respond.

If they are going to do this, they should let you know within one month that they need more time and why.

What should an organisation send back to me?

When an organisation responds to your request, they should normally tell you whether or not they process your personal information and, if they do, give you copies of it.

The organisation should also include:

  • what they are using your information for
  • who they are sharing your information with
  • how long they will store your information, and how they made this decision
  • details on your rights to challenge the accuracy of your information, to have it deleted, or to object to its use
  • your right to complain to the ICO

Will I always receive everything I asked for?

Not always. Depending on the circumstances:

  • You may receive only part of the information you asked for; or
  • The organisation may not provide you with any personal information at all

An organisation can refuse to comply with your SAR if they think it is ‘manifestly unfounded or excessive.’

What should I do if I do not hear a response?

The ICO explains that you can resolve many problems directly with the organisation.

If you have already received a response, but are unhappy for any reason, you should first make a complaint to the organisation.

If you think personal information is missing from their response, you should clearly list what other information you think they also hold.

Remember to keep copies of any correspondence about your complaint, as evidence.


The information contained within this article is not a complete or final statement of the law.
While Edapt has sought to ensure that the information is accurate and up-to-date, it is not responsible and will not be held liable for any inaccuracies and their consequences, including any loss arising from relying on this information. This article may contain information sourced from public sector bodies and licensed under the Open Government Licence. If you are an Edapt subscriber with an employment-related issue, please contact us and we will be able to refer you to one of our caseworkers.