The guidance is laid out step by step in a way that fits how schools work, giving details about what a SAR is and how to respond to one. It makes it clear that anyone in the organisation could receive a request for personal information, so everyone should understand how to recognise a SAR. This is something we always recommend as part of any data protection training: Learning Nugget: Subject Access Requests.
There are clear examples of the kinds of request that students and parents might make to schools. A lot of the guidance covers questions that we are asked, for example: 'Do I need to check the ID of a parent?' The guidance states: In a school setting, pupils and their parents or carers are generally well-known to school staff. If you know the requester and are sure of their identity and authority, you do not have to request ID. Make a record of why you made this decision.
There are details about receiving the request from a child and from the parent of the child, and about when to check with the child whether it is OK to share that information with a parent or a carer. The guidance advises that, if the child has put in the request themselves, you must be sure the child is mature enough to receive the information.
Another question that we are frequently asked is about responding to a SAR if it is received on the last day of term. Again, this guidance is specific:
Receiving a SAR during the school holidays
If you receive a SAR on the last day of the school term, or during the school holidays, you must still respond within one calendar month.
Education settings cannot extend a SAR response because it is the school holidays.
There is guidance about where to look for the information when responding to a SAR, for example, not just in your systems or email but in other documents and records, with a specific list of the types of system and documents. As part of this there is a recommendation to review Records Management; we advise reviewing our Records Management Best Practice Area.
The guidance details redaction, including how to make sure that the redaction cannot be undone and what you might need to redact. This includes CCTV. If you need further help and guidance with redaction and redacting CCTV, please review our Redaction Best Practice Area. Our redaction tool conforms with the DfE guidelines and can be accessed here: Document Redaction Tool. If you need help with redaction or need us to review it, please contact us. We can also redact CCTV footage, which may incur an additional cost, depending on the amount of footage.
The advice about recording the SAR process is very comprehensive and is advice we would recommend:
Recording the SAR process is especially helpful if a requester submits a complaint or if you are audited by the ICO.
You may want to record:
- the date the request was received
- any time the response was paused and why (for example getting identification)
- a copy of all correspondence
- information about which records and systems were searched and what was found
- any information that was redacted and the reason why
- the date you sent the response and a copy of it
- copies of any ongoing correspondence with the requester (such as confirmation of receipt, complaints)
- evidence of decision to refuse a SAR
- evidence of decision to exempt any information
The full guidance update can be viewed at: Dealing with subject access requests (SARs), with an additional update of Handling other information rights requests.