Subject Access Requests: key issues for independent schools
Subject access requests (SARs) continue to pose significant challenges for independent schools. They are often time-consuming, resource-intensive, and frequently linked to wider complaints or disputes. Here are some practical tips to help your school manage SARs effectively.
The Data (Use and Access) Act 2025 (DUAA) received Royal Assent in July, although most of its provisions are not yet in force. It introduces several changes to UK data protection law, including putting some of the ICO’s existing SAR guidance on a statutory footing. This is a welcome development; many of the new SAR provisions are controller-friendly and will help schools resist unreasonable or disproportionate requests. When managing SARs, some key areas to consider:
1- Searches
The obligation is to complete a reasonable and proportionate search for personal data (and this will be on a statutory footing once the relevant provisions of the DUAA start to apply). In practice, we often see searches extending far beyond what is legally required, leading to unnecessary work. For example, if keyword searches reveal vast amounts of information, it may indicate that the search terms have been set too widely. Requesters sometimes attempt to dictate how the SAR should be handled by the school, for example, by specifying search terms or search locations. There is no legal obligation to use the criteria provided by the requester (or even, in some cases, to do keyword searches at all), provided that the school has done enough to satisfy the 'reasonable and proportionate' search threshold.
2- Safeguarding information
Requests made for pupil information can often be problematic, particularly where there is a safeguarding angle. Consider, for example, a request made by a parent for information following an allegation of bullying at school. Such requests will often engage multiple issues, such as whether it would be appropriate to seek the child's views on disclosure to their parents for older children, personal data about others, such as other pupils and wider strategic considerations around managing the incident and any parental complaints.
There is no blanket 'safeguarding' exemption, but there are exemptions that often allow information to be withheld for safeguarding reasons. In our experience, often the most effective approach is to begin by considering what degree of disclosure would be in the child’s best interests, and then identify any applicable exemptions to see if the preferred position can be supported.
3- Personal data rather than documents
A SAR gives the requester the right to their personal data, not to specific documents. It is lawful to extract the relevant data and present it in a schedule or table, rather than disclosing the documents themselves. Whilst providing originals may sometimes be appropriate if there are minimal redactions, it is often clearer to provide the data in an alternative format to avoid further queries if a lot of redactions will be required.
4- Extending the response timeframe
Schools must normally respond to a SAR within one month, but the period can be extended by a further two months if the request is complex (which can be particularly welcome if a request runs over a school holiday). In our experience, schools often underutilise the right to extend. The threshold for complexity is relatively low, and we are not aware of the ICO criticising a school for relying on the extension where it was justifiable to do so.
5- Managing complaints
The DUAA will require schools to have a formal process for handling data protection complaints for the first time.
We often find that schools can get caught up in prolonged correspondence with a requester. Having a clear complaints pathway provides requesters with clarity while giving schools a defined point at which escalation to the ICO is appropriate. This should help reduce the protracted correspondence we often see regarding SAR complaints.
How can we help?
We are running in-depth training on subject access requests this autumn for our education and charity clients. 'Data Protection Academy - Mastering Subject Access Requests' will run online on 8 October and in our London office on 18 November. We are capping the places to ensure an interactive and practical session. The session will include group exercises to ensure delegates can confidently apply the rules in real-life scenarios. Book now to secure your place.