A practical guide to dealing with subject access requests
The Information Commissioner’s Office (ICO) has made it clear: organisations must comply with subject access requests (SARs) and make sure that senior leadership engages with the need to comply.
The ICO has committed to taking enforcement action against organisations, including public authorities, who allow backlogs to mount.
The ICO themselves know the complexities of dealing with requests for information, as they also receive many requests. They’ve shared their own experience of dealing with them, providing some top tips for organisations when handling SARs and Freedom of Information Act (FOI) requests.
Remember: Requests are not always reasonable
There are circumstances where you can refuse to accept a SAR if it is an unreasonable request. These include:
Manifestly unfounded requests
You can refuse a SAR if it is ‘manifestly unfounded’. There is no definition of what this means in the legislation, but ICO guidance confirms that a request will be unfounded where it is clear the requester has no intention of exercising their rights, where the request is malicious in intent or targets a particular employee against whom they hold a grudge.
In practice, the ICO recognises that these types of requests can be difficult to manage as individuals will rarely openly declare their malicious intent.
Multiple requests
When dealing with these, the ICO looks at its overall relationship with the requester and at other indicators, for example the making of multiple FOI or SAR requests. This can indicate that the request is motivated by the desire to harass or cause disruption.
This is a useful approach for schools to take – consider the correspondence received from the requester, e.g. perhaps they are simultaneously pursuing a number of different complaint avenues, sending multiple communications, or issuing their own ‘deadlines’ for response.
Warnings and clear explanations
If you are dealing with multiple requests from the same individual, the ICO suggested providing the requester with a warning that further requests may be refused and offering guidance on making valid requests.
Where it is appropriate to refuse a request, you must provide a clear explanation to the requester about your reasons for refusing the request and detailing why you believe it is.
Manifestly unreasonable requests
Similarly, the ICO say that organisations can refuse a SAR if it is ‘manifestly excessive’. This means you need to consider whether the request is clearly unreasonable and disproportionate when balanced with the burden or costs involved in dealing with the request.
Whether or not the request is excessive will depend on several factors including the size of the request and the resource the organisation has available to deal with the request. Again, looking at all the circumstances of the request can help to determine if it is excessive.
Giving everything you’ve got
If the requester has asked for “everything you have got” but refuses to provide any clarification or engage with discussion about the request, then the organisation may deem it to be manifestly excessive, where the volume of records in initial searches indicates there would be a large burden to extract, review and disclose.
In these circumstances the organisation can either refuse the request or make what they deem to be a reasonable response. Again, providing clear explanations and keeping evidence in case of later complaint will help the school to defend itself.
Make dealing with SARs easier: Reduce the administrative burden
It’s worth trying to reduce the administrative burden of complying with requests wherever possible.
The ICO do not conduct organisation-wide searches but target their efforts by considering where the information is most likely to be held and who in the organisation is most likely to hold it.
So, where a request is for “all information held”, the ICO recommends seeking clarification from the requester and agreeing additional criteria to search (e.g. which staff are likely to hold information, where it is likely to be stored, timelines to search).
In schools, consider which systems and which members of staff are likely to hold information, so in relation to pupils this is likely to be their main teacher/form tutor, head of year, pastoral and safeguarding leads.
They’re far more likely to know what information they hold about an individual pupil. This means that work that could have taken hours can be reduced to ten/fifteen minutes for a small number of selected staff.
Records retention policy
The ICO’s records retention policy helps to reduce their burden in complying with SARs and FOI requests. They ensure that information is routinely deleted in accordance with their retention policy. As an example, the ICO stores emails within Outlook accounts for 12 months and Teams chats are kept for just one week.
When dealing with FOI requests, the ICO considers what it routinely publishes online and whether it is already available to the requester (or will be published at a later date). They advise larger organisations to consider publishing a disclosure log of previous FOI requests so you can easily direct requesters to previous responses if the same request is made again.
Many academy trusts classify as large organisations, receiving an increased volume of FOI requests, so this may be worth putting in place.
Summary: practical advice for schools
We know from our work with education clients that schools struggle with the burden of complying with SARs and FOI requests, particularly against the ever-increasing number of parental complaints being received.
However, the guidance provided from the ICO demonstrates that there are practical steps you can take to reduce the burden of these requests including:
- Do you have grounds to believe the request is manifestly unfounded or excessive?
Ensure you consider all the communications you have with the requester, not just the information rights requests that have been made. This may support you refusing the request as manifestly unfounded or excessive. If so, make sure you clearly document your reason for refusing the request and explain to the requester the reasons why you are refusing the request.
- Avoid blanket searches when dealing with SARs
Tailor the search to the individuals/locations where the information is most likely to be held. Additionally, focus your search for information on that which is specifically about the requester rather than routine or incidental mentions of their name.
- Ensure information is routinely deleted in accordance with your retention policy
This will reduce the amount of information you are required to search.
- Consider publishing a disclosure log
If you receive high volumes of FOI requests, consider publishing your disclosure log so that if you receive repeated requests, you can direct individuals to your disclosure log.
Further Information
The tips were discussed in detail during the ICO’s annual conference with recordings available online. The ICO has also published detailed Right of access SAR guidance.
Our expert team are here to help. We can provide advice and support for handling SARs including advice on conducting searches, refusing requests, exemptions and extending the deadline for responding where appropriate to do so.