Surviving staff subject access requests in schools

28 April 2026

Subject access requests (SARs) continue to be a significant challenge for schools, particularly academies managing large volumes of staff data across multiple sites and systems.

Whether prompted by workplace disputes, grievance processes or simply a desire by staff to understand what information is held about them, the use of SARs by employees and former employees shows no sign of slowing down.

Statistics published by the Information Commissioner’s Office (ICO), the regulator for data protection, confirm this trend. The ICO continues to receive a high volume of SAR-related complaints, which account for a significant proportion of all data protection complaints. This includes complaints made about how academies have handled requests.

When I speak to school staff about their experiences of dealing with SARs, there’s often little positive to say. A word frequently used is “nightmare” and it’s easy to see why. By the time an academy seeks advice, significant time may already have been spent retrieving a colleague’s data. Teams may have started trawling through large volumes of school records and emails, or may be dreading the prospect of doing so.

SARs can also be ill-timed. They often arrive when a school is already managing a difficult situation with the same colleague, such as a grievance or tribunal claim. They may also be received just before, or during, school holiday periods.

Back to basics

A SAR is a request made by any individual to an organisation, including academies, for access to their personal data held by the organisation.

SARs have existed in data protection law for decades, but the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 strengthened this right of access. Requesters no longer have to pay to make a SAR and there’s more focus on organisations being open with individuals about their data rights. More recently, the Data (Use and Access) Act 2025 (DUA Act) has introduced further changes to how SARs operate.

Nowhere is this rise more apparent, at least anecdotally, than in requests for staff or HR data. Schools may receive SARs from colleagues, past or present, seeking access to HR records, sickness and attendance records or performance and disciplinary records. Requests can also extend to CCTV footage, internal school emails and social media or WhatsApp messages, to name a few examples.

Academies can also receive requests from job candidates, particularly those who were unsuccessful and want to understand why.

ICO guidance

Given the volume of ICO complaints, it’s perhaps unsurprising that the regulator has said employers often misunderstand the nature of SARs or underestimate the importance of responding to requests. Organisations that fail to respond to SARs promptly, or at all, may be subject to fines or a reprimand.

To support employers, and address the high number of complaints, the ICO has published updated guidance on dealing with SARs, most recently in December 2025 to take account of the DUA Act. There’s also additional ICO guidance, including FAQs covering a wide range of practical topics relevant to academies. Some of the more pertinent points are set out below.

Recognising and clarifying requests

The ICO guidance reminds employers that there are no formal requirements for a valid SAR. Requests can be made verbally or via social media and don’t need to include the words ‘subject access request’ or refer explicitly to a right of access. A SAR could be as simple as a staff member asking for their HR file or, as used in the ICO FAQs, “can I have a copy of the notes from my last appraisal?”

A request can be made to anyone within an academy. However, best practice is to have a designated person responsible for dealing with SARs and to ensure staff know who this is so requests can be passed to them as soon as possible.

Regardless of how a request is received, schools have one calendar month to respond. Where a request is complex, this can be extended to a total of three months where necessary.

The DUA Act has strengthened employers’ ability to ask staff to clarify the scope of their SAR. Under the updated rules, controllers can now ‘stop the clock’ on the one-month response deadline where clarification is reasonably required to provide an effective response. While the legislation doesn’t define what’s reasonably required, this is likely to include requests that are vague or involve a large amount of data about the person. ICO guidance confirms that once a request for clarification is sent, the time limit pauses and doesn’t resume until the day after the requester responds.

Refusing to respond

A request can be refused in its entirety, or a reasonable fee charged, where it’s “manifestly unfounded” or “excessive”. Put simply, this applies where a requester lacks any genuine intention to access their data or where the request is clearly unreasonable. ICO guidance gives an example of a manifestly unfounded request where an employee makes a SAR but offers to withdraw it in return for a payment.

It can be difficult to meet this high threshold and any refusal to respond should be supported by clear evidence. The ICO can be reluctant to accept arguments made on this basis. Its guidance sets out various factors to consider before refusing a request and acknowledges that a request repeating the substance of a previous one may be excessive. A SAR may also be excessive, although not automatically, where the information has already been made available through other means, such as litigation.

This isn’t a straightforward area of data protection law and requires careful consideration, as requesters who receive no information at all are far more likely to make a complaint to the ICO.

Withholding information

Where academies are required to respond to a SAR, the relevant information must be searched and collated for review. Under the DUA Act, it’s now on a statutory footing that only a reasonable and proportionate search is required.

This doesn’t mean that all information collated must be disclosed. ICO guidance sets out a number of exemptions that may allow academies to withhold certain information from employees, including where it contains:

  • Other people’s data, including witness statements and whistleblowing reports. Where personal data is mixed, schools have discretion to determine what’s reasonable in the circumstances. When it comes to witness statements made as part of internal disciplinary procedures, this includes considering staff expectations, any assurances of confidentiality and whether consent should be sought and has been refused. This may result in some redactions to a witness statement or, in some cases, information being withheld completely
  • Confidential references, provided the reference is given in confidence and relates to a person’s suitability for education, training, employment, volunteering, appointment to office or provision of services
  • Management information, where disclosure would be likely to prejudice school activities, for example by causing unrest if proposed redundancies were disclosed prematurely
  • Negotiations, where disclosure could prejudice ongoing discussions, such as negotiations over a severance package.

Other considerations

Compliance with a SAR is required regardless of whether the requester has raised a grievance or initiated tribunal proceedings. Requesters are entitled to search for a ‘smoking gun’, although exemptions to withhold certain information may still apply.

The ICO’s updated guidance also confirms that the ‘rights of others’ exemption can apply not only to the personal data disclosed, but also to the supplementary information provided with a SAR response, such as the identities of specific recipients.

If a member of staff leaves an academy, the ICO is clear that their right of access to personal data “cannot be overridden” by a settlement or non-disclosure agreement. Any attempt to limit these rights will be unenforceable under data protection law. That said, such provisions may still act as a useful deterrent in practice.

The Data (Use and Access) Act 2025 and new ICO guidance

The Data (Use and Access) Act 2025 received Royal Assent last year and introduces several important changes to SAR management. As noted above, it reinforces the requirement for reasonable and proportionate searches on a statutory footing. It also allows academies to seek clarification from the requester more often.

The Act also introduces a new right for individuals to complain directly to the school if they believe it isn’t complying with data protection rules. Schools must now inform requesters of this right when responding to a SAR. The ICO’s updated guidance reflects these changes and provides practical support for organisations preparing to implement them.

Academies should review their SAR procedures to ensure they reflect the new requirements, including updating template response letters to include details of the right to complain to the academy trust.

In the meantime, it’s worth reviewing what information you already hold about colleagues and former colleagues to make sure it’s still needed. Anything recorded about them may be requested, including information held on personal devices or email and social media accounts used for school purposes.

Putting good records management procedures in place, complying with appropriate retention periods and training staff to recognise SARs and avoid recording unprofessional or embarrassing comments will all help SARs to be handled more efficiently.

HCR Law’s Education team regularly advises academies on SARs from staff, pupils and parents. We offer a SAR support package designed to reflect the recent legal reforms and to assist academies at any stage of the process, from early scoping through to response and redaction.

Further information about our SAR support is available here.