Privacy
Earlier this month, I had the pleasure of hosting attendees at our first AI & Data Protection Forum of the academic year. The forum is a practical and open space for professionals in the education sector to come together and discuss real-world questions about AI, governance, and data protection. While we’ve talked a lot about AI recently, this session focused on another critical topic: efficiently handling subject access requests (SARs).
Acknowledge and set expectations
When you receive a SAR, the first step is to acknowledge it. This is also your chance to set expectations and make things easier for your organisation. Here’s what you should include in your acknowledgment correspondence:
- Clarification: If any part of the request is unclear, this is the time to ask for clarification.
- Privacy Information: You should attach a copy of the relevant privacy notice for the data subject (e.g. parent, pupil, or staff). It’s also helpful to include a link to your Data Protection Policy, as it contains additional useful information for the data subject.
- Legal Rights: The acknowledgment should inform the data subject of their right to file a complaint with the ICO. It’s also beneficial to mention their right to enforce their request through the courts via s.167 of the DPA 2018.
- Response Deadline: You should provide a deadline for your response if possible. Keep in mind that the one-month time limit is paused until you receive any clarification or proof of identity you have asked the requester for, so the deadline you give may need to be revised once those arrive.
- Pupil Information: It’s important to note that Regulation 5 of The Education (Pupil Information) (England) Regulations 2005 applies to maintained schools and does not apply to multi-academy trusts. If a request is made to a trust under this legislation, you should inform the requester that it will be processed as a SAR instead.
Applying Exemptions: A Crucial Step
Once you have gathered all the data, you can begin applying exemptions. It’s crucial to gather all relevant data first and not preemptively exclude information based on potential exemptions.
You may refuse a request entirely if it’s considered manifestly unfounded or manifestly excessive.
- A request is manifestly unfounded if the individual has no real intention of exercising their right of access, such as offering to withdraw the request in return for some benefit. It can also be considered unfounded if the request has a malicious intent, such as being made to harass the organisation.
- A request is manifestly excessive when it’s “clearly or obviously unreasonable”. This judgment should be based on whether the request is proportionate when balanced against the burden and cost of handling it. This often applies when a request largely repeats previous ones and a reasonable amount of time hasn’t passed since the last request.
Common Exemptions to Consider in the Education Sector:
- Third-party data – Schedule 2, Part 3, paragraph 16(1): You will likely need to redact third-party data as it’s rare for data sources in the education sector to not include data relating to other individuals. Remember there is a “presumption of reasonableness” for disclosing the names of teaching staff in pupil data requests but this doesn’t apply to other individuals like parents or staff.
- Child abuse data – Schedule 3, Part 5, paragraph 21: Child abuse data is personal data consisting of information as to whether the data subject is or has been the subject of, or may be at risk of, child abuse. For this purpose, “child abuse” includes physical injury (other than accidental injury) to, and physical and emotional neglect, ill-treatment and sexual abuse of, an individual aged under 18. This exemption only applies if the request comes from someone who has parental responsibility for the child (or has been appointed by a court to manage the child’s affairs), and only to the extent that disclosing the data would not be in the child’s best interests.
- Serious Harm – Schedule 3, Part 4, paragraph 19: The serious harm test can apply to any class of data subject whenever complying with the request would be likely to cause serious harm to the physical or mental health of any individual. This exemption overrides the “presumption of reasonableness” for disclosing the names of teaching staff in pupil data.
- Legal privilege – Schedule 2, Part 4, paragraph 19: If legal professional privilege applies to the data then it is exempt from disclosure to a data subject.
- Exam data – Schedule 2, Part 4, paragraph 25: For pupil data, you must redact an individual’s own answers from exam scripts but keep the examiner’s marks and comments, which remain disclosable personal data. Where the request is received before the exam results are announced, this exemption extends the response period to five months from the request date or 40 days from the announcement of exam results, whichever is earlier. You need to inform the requester of this extended deadline in your acknowledgment.
- Staff data: You may need to apply exemptions for confidential references, records of your intentions in negotiations with the data subject, or management planning data such as redundancy or restructure considerations.
When responding, you must include details of the exemptions that have been applied, citing the relevant provisions of the Data Protection Act 2018. When applying the serious harm test or the child abuse data exemption, you do not need to confirm or deny that you hold the data at all, and it is acceptable to refer to the exemption by the Schedule alone. For example, you could use the phrase “The Trust does not process the data which has been requested” or “The data that you have requested is subject to an exemption under Schedule 3, Data Protection Act 2018.”
The High Court decision in Ashley v HMRC [2025]
Ashley v HMRC [2025] offers important insights into what constitutes “disproportionate effort” in responding to a SAR. The court found that this isn’t limited to the time spent searching for data but can also include other difficulties in complying with the request, such as the time spent applying exemptions or redacting data.
However, the ruling also clarified that time alone isn’t proof of disproportionate effort. In this case, HMRC’s argument that it had spent 150 hours on the request was challenged, because much of that time had gone on applying exemptions erroneously and on working around poor data systems.
This decision highlights the need to have efficient systems and to ensure that any time spent on a SAR is necessary and justifiable when arguing that the request is disproportionate.
Final Thoughts
Subject access requests can be complex, and these are just some of the key takeaways from our forum discussion. As we move forward, we’ll continue to explore new challenges. Our next session, on Friday 10 October at 12:45pm will delve into the statutory requirements of your organisation’s privacy notices, particularly as the education sector continues to adopt AI features.
Thanks again to everyone who joined the session—you made it what it was. See you at the next one.
Please feel free to reach out if you would like to find out more about our range of data protection, information governance & AI governance services.
Matthew