Imagine it’s a rainy Thursday afternoon. You’ve just finished playground duty and you’re halfway through a lukewarm coffee when the email pings into your inbox. It’s a Subject Access Request (SAR), and not just any SAR, it’s one of those SARs: someone wants “all the information you hold about them.”

Cue internal screaming.

But don’t panic. Whether the request comes from a parent, a staff member, or even a student themselves, SARs are a regular part of school life under data protection law. They might not arrive every day, but when they do, they tend to bring a flurry of questions, and a fair bit of admin.

And thanks to the Data Use and Access Act (DUAA), the rules have been sharpened, the expectations made clearer, and some of the grey areas have become a little less grey.

Let’s take a breath and walk through what this actually means for you, the person who now has one calendar month (no, that hasn’t changed) to find and deliver everything that qualifies as “personal data.”

So what does “all the information” actually mean?

Here’s where things get interesting. When someone submits a SAR asking for “everything you hold about them,” they’re invoking their rights under the UK GDPR and now the Data Use and Access Act (DUAA), which has reaffirmed and clarified how those rights apply in public bodies like schools.

They’re not just asking for what’s in their file folder; they want everything (digital, physical, historical) that says something about them and is stored by the school.

This could be emails that mention them (yes, even those ones you wish you’d written more diplomatically), reports, assessments, meeting notes, disciplinary hearings, communications between staff about that person, and more.

But it’s not everything, everything.

That private WhatsApp message you sent to a colleague about your frustrating morning? Still probably out of scope, unless you’ve somehow used it to make a formal decision or documented it in school systems.

The DUAA now gives clearer boundaries here: personal communications not forming part of a school’s official processing activities are generally not in scope. But always assess context and purpose.

And here’s a welcome relief:
The DUAA also gives you the right to seek clarification when a request is unclear or too broad. If someone asks for “everything,” but you reasonably believe they’re looking for something specific (say, safeguarding records or a particular incident), you can pause the clock while you ask them to narrow it down. Just make sure you document the clarification request and don’t delay unnecessarily.

This can save hours of time and reduce the risk of over-disclosure or missed data.

What should you be including?

If the data says something about the person and you’re holding it in your professional capacity, odds are it’s in.

Think emails, student records, safeguarding files (yes, even the tricky ones), disciplinary records, performance reviews, and any formal or informal notes that contribute to school decisions or knowledge.

Even if the person wasn’t the author of the document, if it’s about them, they get to see it.

And don’t forget metadata, timestamps, usernames, and version history. Under the DUAA, the definition of “personal data” remains broad, and these still count if they can identify the individual.

What can you leave out?

Thankfully, not everything needs to be handed over. The DUAA clarifies exemptions around safeguarding, exam scripts, and third-party data, but it also tightens how schools must apply them.

Here’s what remains true (with some added clarity):

  • Truly personal notes not part of the school’s records or decision-making process? Still probably exempt.
  • Informal, handwritten notes not used to inform decisions? Possibly out of scope, but under the DUAA, if they’re later referenced in emails or meetings, they become part of the record.
  • Other people’s data? Now more explicitly protected. The DUAA reinforces that schools must redact or anonymise third parties, especially in safeguarding reports or behavioural logs.

Also, the DUAA introduced a more formal “harm-based test” for withholding certain disclosures, especially when releasing data could put someone at risk (e.g. in child protection cases). So while the exemptions are narrow, they are now better defined.

Where do you even look?

Data hides in more places than you think. The usual suspects: your MIS, email servers, safeguarding platforms, and cloud learning tools.

But the DUAA now places a firmer expectation on schools to have documented data maps or records of processing, so you can actually find what you need without resorting to digital archaeology.

That means staff shared drives, laptop folders, Teams logs, and even archived paper files may still hold data that must be reviewed.

You don’t need to become Sherlock Holmes, but you are expected to conduct a “reasonable and proportionate search”, and the DUAA now helps define what that looks like. It’s less about exhausting every dusty archive and more about having a clear search strategy and an audit trail of your efforts.

A final word to the wise

A SAR is not just a bureaucratic hoop to jump through. It’s a window into how much we record, how we talk about people, and what assumptions sit in our systems.

The Data Use and Access Act reinforces that access is a right, but also that handling these requests should be structured, documented, and mindful of harm. It’s not just about handing over a stack of papers; it’s about transparency done properly.

So yes, receiving a SAR might still feel like being put under a microscope, but it’s also an opportunity: a moment to tidy up your data habits, update your record-keeping, and reflect on how information flows through your school.

And next time someone asks for “everything you’ve got,” you’ll know where to start, what to include, what to redact and, most importantly, how to stay sane while doing it.