SAR redaction checklist
A practical, step-by-step checklist for redacting a Subject Access Request correctly — from scoping the request to logging your decisions. Print it or save it as a PDF.
For schools & academy trusts
A SAR is the pupil’s own right — a parent can make one on their child’s behalf only if the child is not competent to act for themselves or has consented. Separately, in England, parents of children at maintained schools have a statutory right to their child’s educational record, which must be provided within 15 school days — this is distinct from a UK GDPR SAR and has its own rules.
1. Log the request & confirm identity
- Recognise that a SAR can arrive by any means (email, letter, verbally) and to anyone in the organisation — log it the day it arrives.
- Confirm the requester’s identity. If you need ID to do so, the one-month clock starts when you receive that information.
- Check who is entitled to the data: it is the individual’s own right. For a child it is the pupil’s right — a parent can request on the child’s behalf only if the child is not competent to act for themselves, or has consented.
2. Diary the deadline
- Respond without undue delay and within one calendar month of receipt (running from the day you receive the request — or the ID info — to the corresponding date the next month).
- You may extend by up to two further months only if the request is complex or you have received several from the same person — and you must tell them within the first month and explain why.
3. Collect the data
- Export the relevant mailboxes or emails (Outlook PST/MSG, Google Workspace MBOX, or EML) plus any attachments and documents referenced.
- Keep the original, un-redacted copies secure and separate from your working set.
4. Redact third-party & exempt data
- Where an email contains another person’s personal data, first consider whether you need their consent. If you can’t get it, weigh whether it is reasonable to disclose without consent — taking account of any duty of confidentiality and the sensitivity of the data. This is a balancing act between the requester’s rights and the third party’s.
- If it is not reasonable to disclose, redact that person’s information (other pupils, parents, staff, customers).
- Apply any relevant exemptions (Schedules 2 & 3 of the DPA 2018 — e.g. legal privilege, management forecasts, confidential references, crime/safeguarding) and note the basis for each.
- Watch the education-specific rules: information a candidate recorded in an exam script is exempt, and exam marks requested before results are announced follow special, extended timescales.
- Redact across every email at once — search for a name or address and bulk-redact, rather than going message by message.
5. Verify before you disclose
- Confirm redactions permanently remove the text — a black box you can copy, move or delete is not a redaction.
- Spot-check that no third-party data survives in quoted replies, signatures, headers, attachments or metadata.
- Check you have not over-redacted anything the requester is entitled to.
6. Disclose & log
- Provide the information in an accessible format — export a clean PDF pack where redactions are permanent and unrecoverable.
- Keep a record of what you redacted and why, to evidence your accountability if the ICO asks.
- It is normally free. You may charge a reasonable fee only if the request is manifestly unfounded or excessive, or for further copies.
- Send securely, and record what you disclosed and when.
This checklist reflects the ICO’s Right of access guidance and the UK GDPR / Data Protection Act 2018. It is general guidance to help you plan a redaction workflow — it is not legal advice, and the right approach depends on your circumstances. Always check the current ICO guidance for your situation.
Redact your next SAR in a fraction of the time
RedactBox does steps 3–5 for you — bulk redaction across every email, permanent removal, and an audit-ready log.
Start freeMore on redaction software for schools and how to redact an email.