When I first started auditing schools, I’d suggest they practise handling a subject access request (SAR) “just in case”. That suggestion would be laughable today.
Despite new legislation providing a clearer framework for managing this burden, schools are struggling to keep pace with the changing landscape.
Understanding the SAR surge
A SAR is triggered when an individual requests a copy of their own personal data under the UK General Data Protection Regulation (GDPR), exercising their right to access their personal data being processed by an organisation.
Experience shows that SARs typically arise from unhappy employees during grievance or disciplinary procedures, as well as from parents concerned about their child’s special educational needs, behavioural incidents or a school’s handling of issues.
Increasingly, any complaint, disciplinary action, exclusion or accident on school premises is followed by a SAR.
Requests are handled by staff with additional responsibilities within schools or trusts – school business managers, office teams, special educational needs co-ordinators, headteachers, CEOs and COOs.
There have been several attempts to change the law to make SARs less burdensome, including one abandoned proposal that would allow organisations to refuse “vexatious” requests.
However, the Data (Use and Access) Act 2025, passed in June and being rolled out gradually over the coming months, provides schools with a clearer framework by requiring only “reasonable and proportionate” searches when responding to requests.
The AI-generated requests problem
But a key issue is that requesters increasingly use AI tools like ChatGPT to generate requests.
While this democratises access by giving people confidence to submit requests, it can overcomplicate the process.
AI-generated SARs and follow-up correspondence are often threatening in tone and request irrelevant information, going beyond what an SAR should be – a simple request for personal information held.
Common sense about what’s reasonable and proportionate is essential.
One SAR we handled included a request for every staff meeting minute mentioning the requester’s daughter. When we asked whether they’d ever discussed this pupil in staff meetings, the answer was no – so no search was needed.
Sounds obvious, but the request (and its tone) had put the organisation into a spin about what they needed to search through.
So how can schools better handle SARs?
1. Prioritise human conversation
The Information Commissioner’s Office, during a session on SARs at its annual Data Protection Practitioners’ Conference in October, recommended acknowledging the use of AI in correspondence when handling a request. Rather than responding to every aspect of a long AI-generated request, instead asking for a human-led discussion on what specifically the requester really wants can often resolve a deadlock.
2. Clarify, clarify, clarify
Don’t rush into searching. Spend time analysing the request carefully, determining exactly what’s wanted and the best data collection strategy.
3. Don’t treat the request as a search map
The requester states what they want; the organisation determines what to search for using a reasonable and proportionate strategy.
4. Do intentional searches, not just e-searches
While e-searches can be useful, restrict them to particular mailboxes, drives or timeframes. Consider manual searching – asking a teacher or line manager which emails and records they may have about the requester – with e-searches supporting rather than leading.
5. Know when to stop
The ICO doesn’t expect organisations to have ongoing, never-ending correspondence with an unhappy requester. Review decision-making processes to ensure communication beyond an initial SAR response is indeed reasonable and proportionate.
Taking back control
The Data (Use and Access) Act 2025 provides schools with the legal backing to take a more reasonable and proportionate approach to SARs.
Having a complementary strategy for responding to SARs and searching for information will ensure schools don’t fall victim to the volume of requests.
Your thoughts