Steps to Take When Responding to a Subject Access Request (SAR)

In recent years, the number of Subject Access Requests received by schools has increased. Would you know what to do if your school received one?

What is a Subject Access Request?

A Subject Access Request (SAR)—also known as a Data Subject Access Request (DSAR)—is a request from an individual to access their personal data. Under the UK GDPR, individuals have the right to know what personal data is held about them and how it is used.

SARs can be made in any format (verbally, in writing, email, etc.), and you cannot require that the request be made in writing. However, it's helpful to ask the requester to clarify what specific data they are seeking.

You must respond to a SAR within one calendar month of receipt. This deadline can be extended by up to two months if the request is particularly complex or involves multiple requests, but you must:

  • Notify the requester of the extension within the initial one-month period, and

  • Explain the reasons for the delay.

Anyone with parental responsibility for a student aged 18 or under may request a copy of the child’s pupil record.

Charging a Fee

In most cases, you cannot charge a fee for responding to a SAR. However, you may charge a reasonable fee if the request is:

  • Manifestly unfounded or excessive, or

  • A request for further copies of previously provided data.

You may also refuse to comply with such requests. See ‘When can we refuse to comply?’ for further guidance.

Reasonable fees may cover the cost of:

  • Assessing, locating, retrieving, and extracting the information;

  • Producing and communicating the response;

  • Physical or digital delivery (e.g. printing, postage, USBs); and

  • Staff time, calculated at a reasonable hourly rate.

Ensure you do not double-charge where activities overlap.

It’s good practice to have a clear, consistent charging policy, including:

  • When you charge fees;

  • Standard costs (e.g. per A4 page);

  • How you calculate charges;

  • A breakdown of staff time and admin costs.

Provide this information on request, and always explain fees clearly when asking the individual to pay.

If you choose to charge a fee:

  • You are not required to comply with the SAR until the fee is paid;

  • You must request the fee promptly, and no later than one month after receiving the SAR;

  • If you delay fee requests, you should document your reasons and be prepared to justify them to the ICO; and

  • Allow a reasonable timeframe for the individual to pay—one month is typically reasonable, but context matters.

SAR Compliance and Responsibilities

The right of access is a key part of data protection law. Organisations must have a clear process in place for:

  • Receiving and recognising SARs,

  • Responding within statutory timeframes, and

  • Ensuring staff know how to handle requests.

You must respond to a Subject Access Request (SAR) without undue delay and within one month of receiving:

  • The request itself;

  • Any information needed to confirm the requester’s identity; or

  • A fee (only in limited cases).

The one-month period starts from the day the request (or relevant information/fee) is received—regardless of whether it’s a working day. The deadline is the same calendar date in the following month, with two exceptions:

  • If there’s no corresponding date (e.g. a request received on January 31st), the response is due on the last day of the following month; and

  • If the deadline falls on a weekend or public holiday, you have until the next working day.

The number of days to respond may vary depending on the month. For operational consistency, some organisations choose to apply a 28-day timeframe.

Can the Response Time be Extended?

Yes. You can extend the response time by up to two additional months (making three months total) if:

  • The request is complex, or

  • The individual has made multiple requests (e.g. SAR, erasure, portability) at once.

If you decide to extend, you must:

  • Inform the individual within one month of receiving the request, and

  • Explain the reasons for the delay.

What Makes a Request Complex?

Complexity depends on your organisation's size, resources, and the nature of the request. Examples include:

  • Technical difficulties retrieving archived or sensitive data;

  • Applying exemptions to sensitive data;

  • Handling requests involving children, third parties, or legal guardians;

  • Needing expert input to make the data intelligible or legally compliant; and

  • Searching large volumes of unstructured manual records (for public authorities).

Note: Large volumes alone do not make a request complex, nor does reliance on third-party processors.

Can We Ask for Clarification?

Yes. If you hold a large amount of information about the individual, and their request is unclear, you may ask them to clarify what they want. In this case, the response time is paused until clarification is received (this is known as ‘stopping the clock’).

Clarification requests should only be made if:

  • they are genuinely needed to identify the relevant information, and

  • your organisation processes a large volume of data about the requester.

You may ask for additional context (e.g. relevant dates or circumstances), but you cannot require the individual to narrow their request. If they refuse, you must still carry out a reasonable search based on the information you have.

In many cases, you can provide some information without needing clarification, depending on the circumstances. For example, you will often be able to confirm whether you hold personal data about the individual.

You should also be able to provide some of the supplementary information required under Article 15(1) of the UK GDPR, such as:

  • The individual's rights to request rectification, erasure, restriction of processing, or to object; and

  • The right to lodge a complaint with the ICO or another supervisory authority.

If you can reasonably provide this information without clarification, you must do so within one month. If your privacy notice already includes this information, it is sufficient to send the individual a link to it.

You should make the process of requesting and receiving clarification as straightforward as possible for the individual. Where appropriate, offer guidance to help them clarify their request. Be clear that the statutory time limit is paused from the date you ask for clarification and resumes once the individual responds. If applicable, let them know whether they need to reply by a specific date.

Where possible, use the same communication method the individual used to submit the SAR—e.g., respond by email if the request was sent by email.

If it’s genuinely unclear whether the individual is making a SAR or what personal data they are requesting, the one-month time limit does not begin until clarification is received. In such cases, you should contact the individual promptly—ideally by phone or email—and document the conversation, including when clarification was requested and received.

You must clearly explain why you're seeking further information and be prepared to justify your decision to the ICO if required.

Pausing the Clock for Clarification

When you request clarification, the response deadline is paused until you receive a reply. To calculate the new deadline:

1. Work out the original due date based on when the SAR was received.

2. Add the number of days the request was on hold (i.e., from the date clarification was requested to the date it was received) to the original deadline.
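As an added example (not part of the original guidance), the following Python function applies the deadline rules from ‘SAR Compliance and Responsibilities’ and the ‘stopping the clock’ adjustment described in the two steps above. The holiday set is a constructed placeholder; real public holidays depend on the UK nation and year.

```python
# Added example, not from the original guidance: compute a SAR due date.
# Rules applied: same calendar date next month; last day of that month if
# the date does not exist; next working day if the date falls on a weekend
# or listed public holiday; paused days added for an outstanding
# clarification request; optional extension of up to two further months.
import calendar
from datetime import date, timedelta
from typing import FrozenSet, Optional


def add_months(d: date, months: int) -> date:
    """Same calendar date `months` later, or the last day of that month if
    the date does not exist (31 January + 1 month -> 28/29 February)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def next_working_day(d: date, holidays: FrozenSet[date]) -> date:
    """Roll forward past Saturdays, Sundays and listed public holidays."""
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def sar_deadline(received: date,
                 clarification_requested: Optional[date] = None,
                 clarification_received: Optional[date] = None,
                 extension_months: int = 0,
                 holidays: FrozenSet[date] = frozenset()) -> date:
    """Statutory due date for a SAR received on `received`.

    `extension_months` (0, 1 or 2) is the extra time claimed for a complex
    request. A clarification request pauses the clock: the days from the
    request to the reply are added to the original deadline, so a same-day
    reply adds nothing. The holiday set is supplied by the caller."""
    if not 0 <= extension_months <= 2:
        raise ValueError("extension may add at most two months")
    due = add_months(received, 1 + extension_months)
    if clarification_requested is not None:
        if clarification_received is None or clarification_received < clarification_requested:
            raise ValueError("clarification must be received on or after it was requested")
        due += clarification_received - clarification_requested
    return next_working_day(due, holidays)


if __name__ == "__main__":
    # Constructed sample: request received Wednesday 6 August 2025, with
    # clarification outstanding from 11 to 15 August (four paused days).
    print(sar_deadline(date(2025, 8, 6), date(2025, 8, 11), date(2025, 8, 15)))
```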

Requesting Clarification: Best Practices

You should seek clarification promptly and without undue delay after receiving a SAR. This helps you begin searching for relevant data early and ensures enough time to respond.

If it only becomes clear during your search that clarification is needed, document why it wasn't possible to request it sooner.

  • If you receive clarification on the same day you request it, the clock does not stop;

  • The clock only pauses when seeking clarification about the scope of the request—not for other matters like preferred response format; and

  • If no clarification is received, wait a reasonable period before closing the request—generally one month is appropriate, but you should be flexible (e.g. in cases involving complex issues or accessibility needs).

If you need to ask for both clarification and ID, do so as early as possible. Don’t delay one while waiting for the other—unless confirming identity is critical to avoid disclosing personal data to the wrong person.

Important: A request is not automatically complex just because clarification is needed.

Reasonable Adjustments for Disabled People

You have a legal duty to make reasonable adjustments under the Equality Act 2010 (or the Disability Discrimination Act 1995 in Northern Ireland) for disabled individuals who may face communication difficulties.

  • If the request is unclear, help the individual express it and confirm the details in an accessible format; and

  • Discuss their needs to decide how best to respond—e.g. large print, audio, Braille, or email.

Further guidance is available from the Equality and Human Rights Commission.

Requesting ID

To protect personal data, you must be satisfied that:

  • You know the identity of the requester, and

  • The data you hold relates to them (especially in cases of similar names or shared identifiers).

Only request enough information to confirm identity—avoid excessive demands, particularly where you already have an existing relationship with the requester.

Prefer alternative, proportionate verification methods (e.g. login credentials) before requesting formal ID.

However, do not assume identity without question—if there is any doubt, it is reasonable to ask for verification.

The level of ID required may depend on the risk of harm from unauthorised disclosure.

  • Request ID promptly, not at the end of the one-month period; and

  • The response clock starts once ID is received (or once verification is completed, in exceptional cases).

Keep a simple log of:

  • What ID was provided;

  • When it was verified; and

  • Who verified it.

Before responding, always double-check that you have the correct contact details to send the data securely.

Handling Requests for Other Rights

If an individual submits SARs alongside other rights requests (e.g. erasure, portability), treat each one separately, while sharing common steps such as:

  • Verifying identity;

  • Confirming third-party authority (if applicable); and

  • Clarifying the scope of each request.

In cases involving multiple requests, you may be able to extend your response deadline by an additional two months.

What if the Individual Dies Before You Respond?

You are not required to comply with a SAR if the individual dies before you have responded, as personal data only relates to living individuals.

However, that does not mean the deceased’s data can be shared freely. You must still consider:

  • Other legal obligations (e.g. confidentiality), and

  • The context and sensitivity of the data.