Date Created | Date 1st Review Due | Date Reviewed | Version | Next Review Due |
February 2023 | February 2024 | | 1 | |
| | February 2024 | 2 | February 2025 |
Introduction
The UK General Data Protection Regulation 2016/679 (“UK GDPR”) gives individuals (otherwise referred to as Data Subjects) the right of access to their Personal Data. In general, Egham Park School’s Data Subjects may be pupils, parents/carers and employees. A Data Subject can send Egham Park School a ‘Subject Access Request’ (commonly referred to as a “SAR”) in writing or via the SAR Form requiring the school to provide details about the Personal Data that the school holds about them and to provide them with a copy of that information. Egham Park School must respond to a valid Subject Access Request within 1 (one) calendar month of receiving it.
Procedure
What is a valid Subject Access Request?
A valid SAR must:
- be for a Data Subject (even if it is made by a third party on the Data Subject’s behalf)
- provide/contain sufficient information to verify the identity of the Applicant, i.e. driving licence or passport, and their authority to make the SAR
- be made in writing.
It is important to remember that, while a SAR must be in writing (such as a letter or email), there is no prescribed format / content for such a request. A SAR letter can be a simple written note made by a Data Subject which makes no reference to “subject access”, “data subject rights” and/or the UK GDPR; it might even refer to former legislation such as the Data Protection Act 1998. Whatever the format or content, Egham Park School must examine the purpose of all/any requests received from Applicants, and proactively assist Data Subjects to exercise their right to access their Personal Data.
Upon making a valid SAR, the Applicant is entitled to be informed whether Egham Park School is processing the Data Subject’s Personal Data, and where this is the case, access to his/her Personal Data, together with the following information:
- the purposes for which their Personal Data are being Processed
- categories of Personal Data concerned
- where possible, envisaged period for which their Personal Data will be stored, or if not possible, criteria used to determine that period
- any third parties to whom their Personal Data is or may be disclosed
- the existence of Data Subject rights, such as right to rectification or erasure etc.
- their right to lodge a complaint to the supervisory authority, which is the Information Commissioner’s Office.
Where to Send a SAR
All SARs must be sent directly to the Egham Park School Office either in writing to office@eghamparkschool.co.uk or via post to: Waspe Farm, 68 Station Road, Egham, Surrey, TW20 9LF
Time Limits and Extensions
The statutory time limit for complying with a SAR is 1 (one) calendar month from receipt of the SAR (“1 month time limit”). However, if one or more of the items listed below have not been provided by the Applicant, the 1 month time limit will not commence until that item has been provided:
- information reasonably required to validate the identity of the Data Subject, i.e. some form of ID such as driving licence, passport, National identity card or birth certificate and a recent utility or council tax bill (within the last 3 months)
- (where the scope or nature of the request is uncertain) further information/clarification from the Applicant
- (where a person is applying on behalf of the Data Subject) written authority from the Data Subject and proof of identity, i.e. some form of ID such as driving licence, passport, national identity card or birth certificate and a recent utility or council tax bill (within the last 3 months)
The 1 month time limit may be extended by 2 (two) further months where the SAR is particularly complex, or where the Applicant has made multiple requests. However, this will only apply in exceptional circumstances and all decisions about whether to apply an extension must be taken by the Senior Leadership Team.
Receiving and Acknowledging a SAR
Upon receipt of a SAR, school staff must send a letter acknowledging the request to the Applicant (a template letter is attached at Appendix A).
The receipt letter must indicate a likely timescale for a response (within the 1 month time limit). Unless the SAR has already covered these points, the receipt letter will request:
- further information to verify the identity of the Data Subject (proof of identity), i.e. some form of ID such as driving licence, passport, national identity card or birth certificate and a recent utility or council tax bill (within the last 3 months)
- (where the scope or nature of the SAR is uncertain) further information/clarification from the Applicant
- (where a person is applying on behalf of the Data Subject) written authority from the Data Subject and proof of identity of the Applicant, i.e. some form of ID such as driving licence, passport, national identity card or birth certificate and a recent utility or council tax bill (within the last 3 months)
Redaction and Consent for Disclosure
Some Personal Data may be in records that refer to individuals other than the Data Subject. Data Subject rights are personal in nature and the exercising of a SAR must always be balanced against the parallel rights of other individuals (i.e. other Data Subjects). In particular, Egham Park School must consider whether it is appropriate to comply with a SAR if it would mean disclosing the Personal Data of other Data Subjects.
It will generally be appropriate to do so if the other Data Subject has given their consent to the disclosure (although this is unlikely to be appropriate if the other Data Subject is an Employee), or if the disclosure is otherwise fair, within the reasonable expectations of the other Data Subject, and unlikely to harm their fundamental rights.
Despatch and Completion
Once the requested Personal Data has been collated and (where necessary) redacted, the data must be reviewed and verified. A copy should then be sent with a covering letter to the Applicant in paper format, and posted to the requestor via recorded delivery. This letter must be sent to the Applicant within the 1 month time limit.
Appendix A
Strictly Private & Confidential
[Insert address] [Insert date]
Dear [insert name of Applicant]
Acknowledgement of your Data Subject access request under the General Data Protection Regulation (EU) 2016/679 (GDPR)
I write to acknowledge receipt of your Data Subject access request under the GDPR and confirm that I am dealing with your request under the terms of the GDPR.
Your request was received on [insert relevant date] and, unless there are grounds for extending the statutory deadline of 1 calendar month, we expect to be able to give you a response by [insert relevant date].
EITHER
I also acknowledge receipt of the copy of your [driving licence / passport / National Identity card / birth certificate] and proof of address as confirmation of your identity.
OR
To enable me to deal with your request, I would be grateful if you could provide proof of your identity (copy of your driving licence, national identity card or birth certificate) plus proof of address (either bank statement, credit card statement (no more than 3 months old), current driving licence, utility or council tax bill).
Please note that the statutory deadline of 1 month from the date of receipt of request for us to respond to your request will not start to run until we receive the above-mentioned proof of your identity.
If you have any queries about this letter, please contact me.
Yours sincerely