Subject Access Request (SAR) Policy

Effective Date: 25 May 2018


1. Purpose

1.1 The purpose of this policy is to:

  • Ensure that individuals understand they have the right to access their personal data and supplementary information, and this right of access allows individuals to be aware of, and verify, the lawfulness of the processing
  • Ensure the organisation is compliant with the General Data Protection Regulation (GDPR), Data Protection Act, and other relevant privacy and data protection legislation.

2. Policy Statement

2.1 Individuals may request details of personal information which the organisation holds about him or her under the General Data Protection Regulation (GDPR), and this request must be made in writing to the appropriate person in the organisation.

2.2 The organisation will ensure it manages any subject access requests received in accordance with the timeframes and other prescribed processes provided in Articles 12 and 15 of the GDPR [Regulation (EU) 2016/679 if the European Parliament and of the Council] and other relevant privacy and data protection legislation.

Subject Access Request (SAR)

3. Making a Subject Access Request

3.1 An individual has the right to obtain from the organisation (“Data Controller”) confirmation as to whether or not their personal data is being processed, and where processing is occurring, access to the personal data, and the following information:

  1. the purpose(s) of the processing;
  2. the categories of personal data concerned;
  3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. the existence of the right to request from the organisation rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  6. the right to lodge a complaint with the supervisory authority (ICO – Information Commissioner’s Office);
  7. where personal data is not collected from the data subject, any available information as to its source; and
  8. the extent to which the organisation is using the personal data for the purpose of making automated decisions related to the individual (data subject) and, if so, what logic is being used for that purpose.

3.2 A subject access request (SAR) should be made in writing (either letter or email) to the organisation’s Data Protection Officer:

Data Protection Officer
The Schools HR Co-operative
Unit 1 Britannia Court
The Green
West Drayton

This email address is being protected from spambots. You need JavaScript enabled to view it.

3.3 You may be asked to specify the information the request relates to where we process a large quantity of information about you.

3.4 “Reasonable means” will be used to verify the identity of the person making the request – you may be asked to provide proof of your identity before your SAR can be processed.

3.5 You will generally be provided with a copy of the information requested free of charge, however a “reasonable fee” can be charged when a request is manifestly unfounded or excessive (particularly if it is repetitive). Any fee charged will be advised and will be based on the administrative cost of providing the information.

3.6 If the SAR is deemed to be manifestly unfounded or excessive (particularly if it is repetitive) the organisation may refuse to act on your request. Where the organisation refuses to act on a request we will explain to you the reason for this refusal and inform you of your right to complain to the ICO (Information Commissioner’s Office), no later than 30 calendar days after receiving your request.

3.7 If the SAR is made electronically the information will be provided in a commonly used electronic format. If the SAR is made by letter (hard copy) then you may be asked if you would like to receive the information electronically.

3.8 The organisation will provide the requested information within 30 calendar days of receiving your request. If the SAR is complex or numerous the organisation may extend the response timeframe by a further two calendar months (60 calendar days) – if this is this case we will inform you within 30 calendar days after receiving your request and explain why an extension is necessary.  

3.9 If you have a concern about the way we are collecting or using your personal data, please raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office (ICO) at


Further Information

4. Where to seek assistance

4.1 Individuals should contact the organisation’s Data Protection Officer if they have any questions regarding the processing of their subject access request. The Data Protection Officer can be contacted on 01895 717499 (Option 5) or This email address is being protected from spambots. You need JavaScript enabled to view it.