Best Practice Update


Handling Subject Access Requests (SARs) - at the end of term

We typically see a spike in Subject Access Requests (SARs) at the end of term. Understanding how to recognise and respond to these requests is vital for staying compliant with Data Protection Law.

What exactly is a SAR?

A SAR gives an individual the right to obtain a copy of their personal information held by your organisation.

Key Facts:

  • No Fixed Format: A request can be made verbally, in writing, or even via social media.

  • The "FOI" Confusion: Requesters often mistakenly label their request as a "Freedom of Information" (FOI) request. Regardless of the label, if it’s about personal data, it must be treated as a SAR.

  • Everyone is a Sensor: Ensure all staff can recognise a SAR and know exactly who to notify the moment one arrives.

What can we do if the SAR arrives on the last day of term?

 A common misconception is that school holidays "pause" the clock. They do not. The 30-day statutory time limit remains in place.

  • Communication is Key: If you cannot meet the deadline due to school closure, contact the requester immediately to discuss the situation.

  • No Guarantee: While you can propose a new deadline for your return, the requester is not obliged to agree. Every effort must be made to respond as soon as possible.

  • Out of Office: Ensure your automated email response clearly states the mailbox is not monitored and provides an alternative contact:

    "If you have an urgent data protection concern, please contact our Data Protection Officer at: [email address]."

SAR Guidance:

The ICO has published some guidance: SARs for employers.

As recommended by the ICO, there are simple ways to make your next subject access request easier to handle:

  1. Plan ahead
  2. Practice good records management
  3. Train your staff
  4. Check you've understood


The full guidance can be read here: Simple ways to make your next subject access request easier to handle.

The ICO offers a webinar on subject access requests that talks through everything you need to know to prepare and answers some of the common questions about SARs: How to make your next subject access request easier to handle

If you are short on time, there is a two-minute video: Two minutes on subject access requests.

There is a step-by-step video guide on how to deal with the request: How to deal with a request for information: a step-by-step guide.

If you are a Data Protection Education customer, we would recommend logging on to the Knowledge Bank and adding a Data Rights Log from the Dashboard; answering all of the questions on the form will ensure you log all the relevant information.

You can also email [email address], which will raise a ticket with the team but will not add it to the data rights log. We always recommend that a subject access request is added to the data rights log where possible for auditing and reporting purposes.

Further information about how to use the Knowledge Bank for logging a SAR: How to contact us for support, subject access requests, data breaches and FOI's

Further help and advice can be found in our Subject Access Requests Best Practice Library, which also includes awareness and training information for staff. If you are unsure about what data to disclose, please contact us for further advice.   

Safeguarding data can cover a wide range, and while child abuse data does not have to be shared, given it could cause harm to the child if it is divulged, there is not a 'blanket' no to all safeguarding data.  In this instance, consulting with the DSL in your school may provide the best advice. 

Remember that just because information resides in a system designed for holding safeguarding data, it does not necessarily mean that all data within it is safeguarding data. 


This article gives further guidance about information schools can share: Dealing with Subject Access Requests

How will I know what to redact?

DPE Customers should review our Redaction Best Practice Library because, in order to comply with a SAR, organisations may be required to provide some information that identifies another individual. In order to protect their data protection rights, this personally identifiable information must be removed by editing the document before release. We provide further redaction guidelines: Redaction Guidelines (457 KB)

Data Protection Education provides a free redaction tool to all of its customers, available from the Knowledge Bank Dashboard widget, which follows the redaction guidance provided by the ICO: How to disclose information safely. Although redaction is not part of our usual SLA service, it is something that Data Protection Education can provide as an additional service if you feel unable to manage this yourself. We can give quotes for an 'all you can eat' type of service or a 'pay as you go' service. If this is a requirement, please email [email address] for prices.
