Skip to content
  • info@equracollege.org.uk
  • Twickenham, United Kingdom
  • How to Apply
  • Fees & Funding
  • Visit/ Open day
REGISTER NOW

Records Access and Subject Access Request (SAR) Procedure

1. Purpose

This procedure explains how Equra College London (“Equra”) manages:

  • Internal access to records by staff (need-to-know access), and
  • Requests from individuals to access their personal data, including subject access requests (SARs).

2. Scope

This procedure applies to all personal data held by Equra in any format, including emails, casework records, learning platform records, paper files, and system logs where these contain personal data.

This procedure applies to requests from:

  • Students and applicants
  • Staff and former staff
  • Website users and enquirers
  • Any other data subjects whose data Equra holds

3. Internal access to records (staff access rules)

3.1 Access must be based on role and need-to-know.
3.2 Staff must not access records out of curiosity or for personal reasons.
3.3 Highly sensitive categories (safeguarding, health, disciplinary) must have restricted access.
3.4 Staff must not download or store records outside approved systems unless authorised.
3.5 Any suspected unauthorised access must be reported as a security incident.

4. What counts as a SAR

A SAR is a request by an individual for confirmation of whether Equra processes their personal data and to receive a copy of that personal data.

A SAR can be made verbally or in writing, and does not need to mention “SAR” or “GDPR” to be valid.

5. How to submit a SAR

Requests should be sent to:
dataprotection@equracollege.org.uk (or info@equracollege.org.uk until set)

Equra will accept SARs submitted by:

  • Email
  • Letter
  • In person (recorded by staff and forwarded to the Data Protection Lead)

6. Identity verification

6.1 Equra may request reasonable proof of identity before releasing personal data.
6.2 Where a representative is acting on someone’s behalf, Equra may request evidence of authority (for example, signed consent or legal authority).
6.3 Equra will not request excessive identity information.

The response timeframe begins once Equra has sufficient information to verify identity and locate the data.

7. Clarifying the request

7.1 Equra may ask the requester to clarify or narrow a request to help locate data efficiently.
7.2 The requester is not required to narrow the request, but clarification can speed up response.
7.3 Equra will proceed using a reasonable search approach even if the request is broad.

8. Timeframes

8.1 Equra will respond without undue delay and normally within one month of receiving a valid request.
8.2 Where a request is complex or numerous, Equra may extend by up to two further months and will inform the requester within the first month with reasons for the extension.

9. Searching and collecting data

9.1 Equra will conduct proportionate searches across relevant systems, which may include:

  • Student record systems
  • Learning platforms
  • Email accounts and shared mailboxes used for official purposes
  • Casework folders (complaints, misconduct, disciplinary, safeguarding where applicable)
  • Shared drives and approved cloud storage
  • Finance records (where personal data is relevant)
  • Website/enquiry systems (where applicable)

9.2 Searches will be documented at a high level to show reasonable steps were taken.

10. Third-party data and redactions

10.1 Equra will protect the rights of others when responding to SARs.
10.2 Where documents contain third-party personal data, Equra may redact or withhold information where appropriate, unless consent is obtained or it is reasonable to disclose.
10.3 Equra may also redact information where legally permitted due to applicable exemptions.

11. Exemptions and withheld information

Equra may withhold data where lawful exemptions apply. Where Equra relies on an exemption, it will explain the basis of the decision where appropriate and lawful.

12. Format of response

12.1 Equra will provide the response in a commonly used electronic format unless the requester asks otherwise.
12.2 Equra will provide:

  • Confirmation of whether Equra processes the requester’s personal data
  • A copy of the personal data within scope
  • Supporting information, such as purposes, categories, recipients, retention, and rights, where required

13. Fees

SAR responses are normally free of charge. Equra may charge a reasonable fee or refuse to act where requests are manifestly unfounded or excessive, and will explain the reasons.

14. Record keeping

Equra will keep a log of SARs including:

  • Date received and identity verification steps
  • Clarification requests (if any)
  • Response date and any extension reasons
  • A summary of searches conducted
  • Any exemptions applied and rationale

15. Complaints about SAR handling

If a requester is unhappy with Equra’s response, they should contact Equra first. They also have the right to complain to the Information Commissioner’s Office (ICO).

16. Related procedures

Security incidents and personal data breaches are handled under Equra’s Data Breach Incident Response Procedure.