
Managing data protection complaints in schools - navigating the Independent School standards
From 19 June 2026, Section 164A of the Data Protection Act 2018 introduces a formalised framework for how organisations, including schools, must handle data protection complaints. While the statutory requirements themselves are relatively procedural in nature, their interaction with existing school complaints frameworks, particularly the ISSR Part 7 parental complaints procedure, raises important practical questions.
In this article, we set out our view on how schools can most effectively manage these overlapping regimes, ensuring compliance while preserving fairness and operational efficiency.
The regulatory position - alignment, not replacement
The Department for Education’s Independent School Standards guidance is clear that there is no inherent incompatibility between the new obligations under Section 164A and the existing parental complaints requirements under ISSR Part 7.
Schools are therefore not required to introduce a standalone data protection complaints process to deal with data protection complaints raised by parents of registered pupils. Instead, existing complaints procedures may be adapted to incorporate the new data protection requirements which are:
- Facilitating the making of complaints (e.g. accessible forms);
- Acknowledging receipt of complaints within 30 calendar days; and
- Taking appropriate steps, without undue delay, to respond to the complaint and informing the complainant of the outcome.
At first glance, this suggests a relatively straightforward compliance exercise. In practice, the position is more nuanced.
The practical challenge - categorisation of complaints
The complexity lies not in the mechanics of compliance, but in how complaints are categorised for action through the appropriate channel.
Clear-cut data protection complaints
Some parental complaints may clearly and explicitly relate solely to data protection matters (e.g. subject access issues, misuse of personal data). These are well-suited to being handled as standalone data protection complaints under a streamlined process aligned with Section 164A. DfE guidance, which is advisory for independent schools, suggests that complaints which are subject to a separate statutory procedure, may be lawfully excluded from the parent complaints procedures.
Complex parental complaints
Parental complaints, however, are often more layered. It is common for a parental complaint to concern a broader issue (e.g. safeguarding, discipline, communication) and contain a data protection element within it.
In these cases, the data protection issue is rarely the sole or even primary concern. This creates a risk that if a school extracts the data protection element for action under a separate Section 164A process, it may inadvertently fragment the complaint and restrict the parent’s access to the full three-stage ISSR Part 7 process, which is a statutory entitlement.
That outcome is unlikely to be appropriate and may risk compliance with the complaint handling regulatory standard.
A further consideration - proportionality and volume
There is also a practical burden to consider. The ISSR Part 7 process is formal and resource intensive.
Requiring every data protection complaint, no matter how minor, to go through this full three-stage process would create administrative strain and slow down resolution of straightforward issues.
This sits uneasily alongside the intent of Section 164A, which emphasises timely and efficient complaint handling.
Our recommended approach
In light of these competing considerations, we recommend a flexible approach.
Adapt the existing ISSR Part 7 procedure
Schools should ensure that their parental complaints procedure:
- Is fully compliant with Section 164A, and
- Can accommodate data protection elements within broader complaints
This ensures that:
- Parents retain access to the full three-stage process, and
- Schools meet their statutory data protection obligations where those complaints overlap.
Implement a separate data protection complaints process
Schools must also fulfil the data protection requirements in relation to complaints from others, for example, staff. We recommend implementing a short data protection complaints procedure to be used for:
- Complaints from non-parents; and
- Standalone data protection complaints from parents of registered pupils.
Schools must also update their privacy notices to tell people about their right to make data protection complaints.
We are currently updating our suite of data protection documents for schools to reflect these new requirements.
The key principle - careful categorisation
We suggest that schools should:
- Avoid rigid categorisation at the outset
- Assess the substance of each complaint holistically
- Retain discretion to determine the appropriate route.
Final thoughts
We think this framework underpinned by careful categorisation and flexibility, offers the most robust and pragmatic solution.
If you are reviewing your policies ahead of June 2026, this is an important opportunity not just to ensure compliance, but to design a complaints framework that is clear, fair, and workable in practice.
For support or advice in developing or refining your approach, please contact James Garside in our Regulatory Compliance team.
For support or advice in developing or refining your approach, please contact James Garside in our Regulatory Compliance team.
Get in touch today
Are you looking for legal services?
Fill out our form to find out how our specialist lawyers can help you.
