A Subject Access Request (SAR) is a request to see personal data an organisation holds about an individual. In schools, this is usually information about a child (or occasionally a parent/carer) held in school systems and records.

A SAR can help you understand:

• what information we hold
• why we hold it and how we use it
• who we share it with (where relevant)

Not always.

• A Subject Access Request (SAR) provides access to personal data more broadly (not just the formal school record).

• Access to the “educational record” in some maintained schools, parents have a separate legal right to access their child’s educational record.

For academies and multi-academy trusts, requests for information are typically managed as Subject Access Requests (SARs) under data protection law.

At Gosforth Group, we follow this approach, and requests for information are therefore managed through the SAR process.

Personal data is information that relates to an identified person. In schools this can include things like:

• Contact details, attendance information, assessment data
• Behaviour/safeguarding logs (where disclosure is appropriate)
• Communications about a pupil (emails/letters) where the pupil is the focus
• Information held in management systems and case files.

Some information may be outside the educational record (e.g., notes kept solely for a teacher’s own use).

The right of access belongs to the child.

Parents and carers (with parental responsibility) can make a request on behalf of their child where the child is not able to understand or exercise their own data protection rights.

As children grow older and develop greater understanding (often from around secondary school age), they may be considered capable of making their own request. In these cases, in line with ICO guidance, the school may seek the child’s consent before responding to a request made on their behalf or may ask the child to submit the request themselves.

Each request is considered on a case-by-case basis, taking into account the child’s age, level of understanding, and best interests.

Yes.

Children have the same data protection rights as adults, including the right of access. A child can exercise these rights if they are competent to do so.

In most cases, we can confirm your details with the relevant school, including whether you have parental responsibility.

However, in some circumstances we may ask for proof of identity or authority to ensure information is only shared with the appropriate person. If this is required, the response timescale will begin once we have received the necessary information.

We will respond without undue delay and within one month of receiving your request.

If we need to request proof of identity, authority or further information, the one-month timescale will begin once this information has been received.

In some cases, we may extend the response period by up to a further two months if the request is complex, if multiple requests are made, or if we need to obtain information from a third party. If an extension is required, we will inform you within the initial one-month period and explain why.

Yes. If a request is very too broad, we may ask for clarification so we can locate the relevant information and respond effectively.

Providing a clear timeframe or specific details (such as the type of information or a particular incident) will help us process your request more quickly and accurately.

There is no administration charge for providing information electronically.  However, if you request a paper copy, a charge of 10p per A4 page will apply.

Not always.

We aim to share as much information as we can; however, there are some situations where information may need to be withheld or redacted (removed or blacked out), in line with data protection law.

We can usually share:

• Personal data relating to you or your child
• Information held in school or Trust systems and files that relates directly to you or your child (for example, attendance, assessment, behaviour, and case information)
• Relevant communications, including emails or correspondence between staff where you or your child is the main focus

We may not be able to share certain information where an exemption applies, including:

• Third-party information (information about other people), unless we have consent, or it is reasonable to disclose. This may include other pupils, parents, staff, external professionals (e.g. police or social workers), or records involving multiple individuals that cannot reasonably be separated.
• Internal or operational communications (e.g. draft notes or staff discussions) where these are not specifically about your child or cannot be shared without including information about others.

Where emails or internal communications contain personal data about you or your child, they may be included but may be shared in a redacted (blacked out) or summarised form.

• Confidential references or information provided in confidence.
• Legally protected information, such as legal advice (legal professional privilege).
• Information that could impact safeguarding or the wellbeing of others, including child protection information, details that could place someone at risk, or sensitive personal circumstances. Decisions are made carefully on a case-by-case basis.
• Other limited exemptions under the Data Protection Act 2018, applied where appropriate.

If information is withheld or redacted, we will explain this as far as we are able, including where information has been removed to protect the privacy of others.

In most cases, individuals have a right to access their personal data. However, there are limited circumstances where the Trust may refuse to provide some or all of the information requested.

For example, we may refuse or limit a request where:

• The request is manifestly unfounded or excessive (for example, if it is repetitive or intended to cause disruption)
• Providing the information would adversely affect the rights and freedoms of others (e.g. where it includes third party information)
• The information is subject to a legal exemption (for example, where disclosure could prejudice safeguarding, legal proceedings, or the prevention or detection of crime)
• If a child is able to make their own request and does not give permission for their information to be shared, the Trust may:
  • Refuse the request entirely, or
  • Provide only limited information, depending on the circumstances
• The request relates to information that is not your personal data

In some cases, we may provide the information in part, with certain details redacted.

We will usually provide the information in a secure electronic format, such as encrypted email (for example, via KnowBe4 Switch) or secure file transfer, to ensure your information is protected.

If you are unhappy with how your request has been handled, or you think something is missing, you can:

1. Contact us so we can review your request and/or try to resolve any concerns.
2. Raise a concern with the Information Commissioner’s Office (ICO) if you remain unsatisfied.

Useful guidance include:

• DFE Data protection in schools - Dealing with subject access requests (SARs)
• ICO Accessing pupils' information | ICO

• Complete the Subject Access Request form, which can be found here.
• You will receive an email confirming that your request has been received by the Trust.
• We may ask for proof of identity or authority to ensure that information is only shared with the appropriate person.
• We may contact you if we need further information to help us process your request.
• We will usually respond within one month.

If your request is complex, or if we need to obtain information from a third party or seek third-party consent before releasing information, we may extend this timeframe by up to a further two months. If this is the case, we will let you know.