Subject access requests (SARs) aren’t new to schools. What is new, however, is the character of some requests now landing in school inboxes. Increasingly, schools and trusts are receiving SARs that are technically complex and include requests for metadata. Understanding where this trend comes from, and what it really means for your obligations, is the first step to responding with confidence. Where are these requests coming from? The rise of accessible AI tools has made it straightforward for anyone to generate a detailed, formally-worded SAR with minimal effort. Outputs from AI systems can produce requests that reference technical concepts, demand exhaustive categories of documents and adopt a tone that implies a much broader legal obligation than actually exists. The result is schools are receiving requests that can appear, at first glance, to require a significant technical and administrative undertaking. It’s important to recognise these for what they often are: templated documents that don’t necessarily reflect a genuine or informed exercise of data protection rights. That doesn’t mean you can ignore them, but it does mean you shouldn’t allow the tone or apparent complexity of a request to cause you to exceed what the law actually requires of you. Your core obligation under the UK General Data Protection Regulation remains unchanged: to conduct searches that are reasonable and proportionate to the request. A sophisticated-sounding request doesn’t automatically expand the scope of your duties. Metadata, and why people ask for it Metadata is one of the concepts most frequently appearing in AI-generated SARs. Put simply, metadata is information about a document or record, rather than the content of it. You will be already familiar with metadata, even if you haven’t used the term. When you look at an email, the to, from, subject, date and time fields are all metadata. They describe the email without being the email itself. In your safeguarding system, a log entry will display the name of the staff member who created it, the date and time of the entry and a unique reference number. Any linked replies sit beneath that reference. All of that is metadata, and in many cases, in education-related SARs, it appears on the face of the record when you retrieve it. In practice, this means schools shouldn’t feel obliged to conduct extensive technical searches for embedded or hidden metadata as a matter of course. Where the metadata appears on the face of the record and contains the requester’s personal data, it will already be captured in the disclosure. Where it doesn’t, it need not be separately extracted or provided. Requests that may go beyond what is necessary A blanket request for all metadata across all documents is not, on its own, a sign of bad faith. However, it may simply reflect the output of a template or AI tool rather than a considered and specific concern. It’s worth pausing to consider whether a request of that kind is genuinely directed at the requester’s personal data, or whether it’s simply casting the widest possible net. A requester who has a genuine concern that their personal data has been altered or tampered-with has a reasonable basis for asking about metadata, and that concern should be taken seriously. But where no such concern has been expressed, and the request simply demands all metadata for all documents as a matter of course, it’s reasonable to ask the requester to clarify why they consider metadata to be particularly relevant beyond what’s already contained within the documents themselves. Taking the time to seek that clarification is good practice. It also gives you an opportunity to explain to the requester that metadata is, in many cases, already captured within the documents being disclosed. If that information is already being provided, a separate demand for metadata may add very little of substance. It’s worth noting where a request feels designed to create maximum administrative burden rather than to genuinely exercise a data protection right. But the appropriate response is to engage constructively, seek clarification and apply the reasonable and proportionate standard throughout, rather than to refuse or dismiss the request outright. Staff names: a related myth worth busting A question that frequently arises alongside metadata requests is whether staff names should be redacted from disclosed documents. Some schools do this automatically, on the basis it’s the cautious approach. It is not. The data protection act 2018 (under paragraph 17, schedule 2, part 3) provides that the personal data of education-related workers is deemed reasonable to disclose in the context of an educational record SAR. Staff names should, as a general rule, remain in disclosed documents. There may be exceptional circumstances where removal is appropriate, but the starting point is inclusion. Practical next steps When a complex or metadata-heavy SAR arrives, take a breath before you act. Read the request carefully, identify what personal data of the data subject is being sought, and apply the reasonable and proportionate standard throughout. If a request asks for something that seems disproportionate or technically unfamiliar, seek clarification early. Responding thoroughly and lawfully doesn’t mean responding to every demand at face value.