Subject Access Requests (SAR) and Freedom of Information (FOI) requests

Information for forums on how to manage requests about data such as SARs and FOI.

In UK law individuals can access data in several ways including Freedom of Information requests (FOI) and Subject Access Requests (SAR).

All forums will collect data as part of their daily functions. This could be membership data, parent carer reps or employee’s details, information related to events run by the forum or through surveys to name just a few ways. Forums like all groups and organisations have duties related to how they store and process data. It is good for a forum to have a policy which outlines this clearly. See our General data protection regulation (GDPR) and privacy page for more information

Freedom of information requests (FOI) 

The Freedom of Information Act 2000 provides access to information held by public authorities.  A public authority can include government departments, Councils, the NHS, state schools and police forces. Not every organisation that receives public money is covered, for example, it does not cover charities that receive grants. It is very unlikely that a forum would be subject to a FOI request. 

If a forum receives a request under the FOI laws and is unsure of the forums status they can: 

Subject Access Requests (SAR) 

Subject access requests give individuals the right to obtain a copy of their personal data, as well as other supplementary information. It can help individuals to understand how and why forums are using their data, and check they are doing it lawfully. If a forum receives a SAR it would be best to start by looking at the forums policies on Data protection and processing. 

SAR can be made in writing or verbally, including via social media platforms and emails. The request can also be made via a third party and before responding you need to be sure the third party making the request is entitled to the data. SAR can also be made for information about a child (see the ICO website for guidance). 

SAR must be processed as soon as possible and within one month of the request. The ICO outlines 10 steps that forums may want to follow when dealing with a SAR. 

  1. Choose a data protection lead (check your policy).
  1. Know who you’re dealing with.
  1. Check the request is valid. 
  1. Set yourself some reminders. 
  1. Check you’re on the same page about what they’ve asked to see. 
  1. Search for the relevant information. 
  1. Check what you need to redact. 
  1. Consider the impact of releasing data about other people. 
  1. Prepare your reply. 
  1. Send your reply securely and keep a record of what you have sent. Here is a Template SAR log spreadsheet.

You may want to look at this Subject Access Request Procedure Flowchart from NICVA – This flowchart describes the steps and decisions made in handling Subject Access Requests from when they are initially received. 

Forums may want to also talk to Community Matters if they receive a SAR. 

Do you have any thoughts about this page? Visit our How to feedback page to share them.

Looking for something else? You can find a full list of pages on our Parent carer forum handbook contents page.

More information and support for forums

green community matters logo on a white background

Community Matters

Find support for forums on policies and procedures

Community Matters Yorkshire  
Man sitting at a desk with a pen in his hand looking through a document

Policies and procedures

Find examples and downloadable templates here

Policies and Procedures 

General data protection regulations (GDPR) and privacy

Find out more about GDPR and privacy

General Data Protection Regulation (GDPR) and Privacy