Multi-Academy Trusts, Schools and Nurseries:
- David West

- Nov 20
When You Don’t Have to Comply with a DSAR or FOI Request
DSARs and FOI requests rarely land at a convenient moment.
They tend to arrive in the middle of restructures, live grievances, safeguarding concerns or threatened litigation. For MATs, schools and nurseries, the instinct is often:
“We have to give them everything… don’t we?”
Not always.
The law expects education providers to be transparent and accountable, but it also recognises that there are times when you must protect:
Children and vulnerable adults
Staff and third parties
Ongoing investigations and proceedings
Your organisation’s legally privileged position
This article explains, in clear but legally robust terms, when a MAT, school or nursery may not have to fully comply with a Data Subject Access Request (DSAR) or a Freedom of Information (FOI) request – including the key roles of legal advice privilege and litigation privilege.
At a glance: When you don’t have to disclose everything
Education providers may be able to refuse or limit a response where:
A DSAR is manifestly unfounded or manifestly excessive, or disclosure would unfairly impact other people’s rights, safeguarding, or live investigations.
The information is covered by legal professional privilege – including legal advice privilege and litigation privilege (for example, solicitor correspondence and litigation strategy).
An FOI request would exceed the cost limit, is vexatious or repeated, or relates to personal data, confidential information, commercially sensitive information, or privileged legal advice.
Under the Environmental Information Regulations 2004 (EIR), the request is manifestly unreasonable, or involves personal data which is better dealt with under data protection law.
You must still:
Apply any required public interest test (for qualified FOI/EIR exemptions);
Provide what you can disclose safely and lawfully;
Keep a clear audit trail of your decision-making.
1. DSARs – When You Can Say “No”, “Not Yet” or “Not All”
Under UK GDPR (Articles 12 and 15) and the Data Protection Act 2018 (DPA 2018), individuals (staff, pupils and, in some cases, parents) can request access to their personal data.
Default rule:
You must respond without undue delay and within one month, with a possible extension of up to two further months for complex requests.
The Data (Use and Access) Act 2025 confirms that organisations are expected to carry out reasonable and proportionate searches, not limitless trawls through every conceivable system.
There are lawful grounds to refuse entirely, charge a fee, or withhold parts of the information.
1.1 Manifestly unfounded or manifestly excessive requests
You may refuse a DSAR, or charge a reasonable fee, if it is:
Manifestly unfounded – for example:
The requester openly states they are using the DSAR to “punish” the Trust or to harass staff.
Their behaviour shows no genuine interest in exercising privacy rights, only in disruption or causing nuisance.
Manifestly excessive – for example:
The scope is extraordinarily broad (“all information about me, in any format, ever”) with no attempt to narrow dates, systems or topics.
The request mostly duplicates earlier DSARs without meaningful change, generating disproportionate work.
In assessing whether a request is manifestly excessive, you may take into account:
The volume and complexity of data;
The overlap with previous requests;
The effort required to search, retrieve and redact – bearing in mind that searches only need to be reasonable and proportionate, and that responding should not involve genuinely disproportionate effort.
To rely on these grounds, you should:
Be able to evidence why the request is unfounded or excessive (pattern of correspondence, prior DSARs, refusal to narrow).
Normally offer the requester a chance to refine or clarify scope first.
Explain your decision, their right to complain to the ICO, and their right to seek a judicial remedy.
1.2 Protecting the rights and freedoms of others
A DSAR is not a licence to obtain other people’s data.
Under Article 15(4) UK GDPR, you must not disclose personal data where doing so would adversely affect the rights and freedoms of other individuals.
Typical education examples:
A parent requests all records of a playground or classroom incident involving several children.
A member of staff asks for complete HR investigation notes including detailed witness statements by colleagues.
In practice:
Identify third-party data (other pupils, staff, parents, professionals).
Redact or anonymise wherever reasonably possible.
Where redaction cannot adequately protect others, withhold those parts.
You should balance:
Privacy and safety of others;
Any duty of confidence;
Your safeguarding responsibilities;
The requester’s right of access.
1.3 Safeguarding, crime and serious harm
You may restrict or withhold personal data where disclosure would be likely to:
Prejudice the prevention or detection of crime;
Prejudice the apprehension or prosecution of offenders; or
Cause serious harm to the physical or mental health of any individual.
Education-sector scenarios:
Safeguarding records that overlap with ongoing police or children’s social care investigations.
Information which, if disclosed to a parent, could escalate domestic abuse or place a child, staff member or carer at risk.
Sensitive security information such as safe addresses or detailed security arrangements.
Good practice:
Liaise, where appropriate, with police, social care and/or the LADO before deciding.
Record your risk assessment and reasons for withholding.
Provide a partial response where possible, explaining in general terms why some content is withheld.
1.4 Legal professional privilege – advice and litigation privilege
Some information is protected by legal professional privilege (LPP). Privileged material can normally be withheld in response to a DSAR under the DPA 2018 exemptions for legally privileged material.
There are two key limbs, both highly relevant to MATs, schools and nurseries.
(a) Legal advice privilege
Covers:
Confidential communications between your organisation (the “client”) and its lawyers;
Made for the dominant purpose of giving or receiving legal advice.
Examples:
Emails and letters from external solicitors about dismissals, grievances, restructures, SEND disputes or exclusions.
Internal notes summarising that legal advice for SLT, HR or trustees/local governors.
(b) Litigation privilege
Covers:
Confidential communications between:
your organisation and its lawyers; and/or
your organisation, its lawyers and third parties (e.g. HR consultants, expert witnesses);
Where the dominant purpose is actual, pending or reasonably contemplated litigation – e.g. Employment Tribunal proceedings, SEND Tribunal appeals, judicial review or other court proceedings.
Examples:
Draft witness statements prepared for an anticipated Employment Tribunal claim.
Expert reports obtained primarily for use in litigation (e.g. medical, occupational health, SEND or capability evidence).
Communications with an external HR/investigations provider whose main purpose is to assist with strategy for threatened litigation.
Key points:
LPP is narrow and strictly interpreted – you must be able to justify why it applies.
Not every email involving a lawyer is privileged: routine HR or safeguarding correspondence copied to legal “for information” will rarely attract privilege in its own right.
Privilege belongs to the client organisation (the Trust or school), not individual staff.
Privileged material may lawfully be withheld in response to DSARs.
Good practice:
Label relevant documents clearly: “Legally Privileged – Legal Advice” or “Legally Privileged – Litigation”.
Avoid mixing legal advice with general operational commentary in sprawling email chains.
Store privileged material separately from general HR or pupil records, with appropriate access controls.
1.5 Confidential references and exam information
Some DSAR exemptions are particularly relevant in education:
Confidential references that your institution has given about an individual (for education, employment or services) can be exempt from disclosure to that individual in many circumstances under the DPA 2018.
Exam scripts and exam marks:
Students do not have the right of access to copies of their own exam answers (scripts) under the right of access;
They may have rights to marks and certain examiner comments, subject to specific rules and time limits.
Given the technical nature of these exemptions, always check current ICO guidance before releasing exam or reference material under a DSAR.
1.6 Disproportionate effort and repeat DSARs
The right of access requires a reasonable and proportionate response, not an unlimited commitment of time and resource.
In practice:
You are not required to conduct searches that would involve genuinely disproportionate effort, particularly for duplicate sets of information already supplied – though the threshold is high.
Where an individual makes repeated DSARs for substantially the same information in a short period, and nothing material has changed, you may treat later requests as manifestly excessive.
You should:
Assess each new request on its own facts, even if there has been a previous DSAR.
Explain clearly what has already been provided and why further searches would be excessive.
Record your search strategy and reasoning in case of ICO scrutiny.
2. FOI and EIR – When You Can Lawfully Refuse a Request
The Freedom of Information Act 2000 (FOIA) applies to many education providers, including:
Maintained schools
Academies and multi-academy trusts
Many FE institutions
Independent schools and private nurseries may be outside FOIA, but can still be caught by the Environmental Information Regulations 2004 (EIR) for environmental information, and are always subject to UK GDPR.
2.1 DSAR vs FOI vs EIR – who, what and how?
A quick comparison:
| | DSAR (UK GDPR / DPA 2018) | FOI (FOIA 2000) | EIR (2004 Regs) |
| --- | --- | --- | --- |
| Who can request? | The data subject (or parent in some contexts) | Any person, anywhere | Any person, anywhere |
| What is requested? | Personal data about the requester | Recorded information (not limited to personal data) | Environmental information (broadly defined) |
| Applies to… | All controllers (incl. private nurseries/independent schools) | Public authorities (incl. most schools/MATs) | Public authorities & some private bodies performing public environmental functions |
| Typical deadline | 1 month (extendable by up to 2 months for complexity) | 20 working days (extendable in some cases) | 20 working days (extendable in some cases) |
| Can you refuse? | Yes – e.g. manifestly unfounded/excessive, privilege, others’ rights, safeguarding | Yes – e.g. cost, vexatious, exemptions (s.21, 40, 41, 42, 43 etc.) | Yes – e.g. manifestly unreasonable, personal data, others |
One of the most common (and avoidable) pitfalls is treating a DSAR as an FOI, or vice versa.
2.2 FOI exemptions – absolute and qualified
FOIA is built around exemptions which allow you to withhold information. Some are absolute, others are qualified (requiring a public interest test).
Absolute exemptions (no separate FOIA public interest test)
Relevant absolute exemptions for education providers include:
Section 21 – Information accessible by other means: Already reasonably accessible (e.g. on your website, published reports).
Section 40 – Personal data: Requests for personal data about the requester should be treated as DSARs instead. Personal data about other individuals may be withheld if disclosure would breach UK GDPR.
Section 41 – Information provided in confidence: Information obtained from another person (including another public authority) where disclosure would constitute an actionable breach of confidence. Section 41 is classed as an absolute exemption, but the underlying law of confidence contains its own public-interest defence, so you still need to consider whether a sufficiently strong public interest justifies disclosure.
Section 44 – Prohibitions on disclosure: Where another law or court order directly prohibits disclosure.
Qualified exemptions (public interest test required)
These require you to weigh the public interest in disclosure against the public interest in maintaining the exemption:
Section 22 – Information intended for future publication: Information you plan to publish at a future date.
Section 36 – Prejudice to effective conduct of public affairs: Often relevant to risk registers, sensitive internal deliberations or some board/committee minutes. Requires a reasonable opinion from the “qualified person” (e.g. CEO, Headteacher, Chair).
Section 38 – Health and safety: Where disclosure would be likely to endanger the physical or mental health or safety of any person (e.g. detailed security arrangements).
Section 42 – Legal professional privilege (LPP): Exempts information covered by legal advice privilege or litigation privilege. Given the strong public interest in allowing organisations to seek frank legal advice, this exemption is rarely outweighed.
Section 43 – Commercial interests: Used where disclosure would prejudice your or a third party’s commercial interests (e.g. tender pricing, commercially sensitive contract clauses).
For qualified exemptions, you must record the public interest test: the arguments for disclosure and for withholding, and your conclusion.
2.3 Vexatious and repeated FOI requests (section 14)
FOIA recognises that some requests are not made in good faith.
Section 14(1) – Vexatious requests: You may refuse where a request is likely to cause unjustified harassment, disruption or burden and lacks serious purpose or value.
Section 14(2) – Repeated requests: You may refuse identical or substantially similar requests where a reasonable interval has not elapsed and you have already complied.
Patterns typical in education:
A persistent complainant sends multiple overlapping FOI requests to pursue a personal dispute with the Trust.
The same request is submitted repeatedly despite having already been answered.
If you rely on s.14:
Maintain a clear evidence trail of the number, scope, tone and impact of requests.
Show why the burden on staff and the organisation outweighs any residual public interest.
2.4 Cost grounds and “manifestly unreasonable” environmental requests
You do not have to comply with an FOI request if doing so would exceed the appropriate limit under section 12 FOIA (currently £450 for most education bodies, calculated at £25/hour up to 18 hours of staff time).
Under the EIR, you may refuse a request that is “manifestly unreasonable”, including on cost grounds.
Where the cost limit is likely to be exceeded:
You may refuse under section 12 FOIA; and
You should provide advice and assistance to help the requester narrow or refocus their request where reasonable.
3. Practical decision frameworks – DSARs and FOI/EIR
3.1 DSAR decision flow – a quick checklist
When a DSAR lands:
Confirm it’s a DSAR: Is it clearly about personal data of the requester (not a general information request)?
Clock the deadline: One month from receipt (with possible extension for complexity).
Clarify the scope: Ask for date ranges, topics, individuals and systems if needed.
Identify potential exemptions
Manifestly unfounded or manifestly excessive?
Rights and freedoms of others?
Safeguarding, crime or serious harm?
Legal advice privilege / litigation privilege?
Confidential references or exam scripts/marks?
Decide what to disclose, redact or withhold: Aim for maximum lawful transparency while protecting others and privileged material.
Document and respond: Record your searches and reasoning. Explain clearly what you have supplied, what you have withheld, and why – including signposting ICO complaint rights.
3.2 FOI/EIR decision flow – a quick checklist
When an FOI or potential EIR request arrives:
Classify correctly: FOI, EIR, DSAR – or a combination?
Check deadlines: Usually 20 working days, with limited scope for extension.
Assess the scope and cost
Will the cost exceed the appropriate limit?
Could a narrower request be handled more easily?
Identify exemptions
Absolute: s.21 (accessible elsewhere), s.40 (personal data), s.41 (confidence), s.44 (prohibitions).
Qualified: s.22, s.36, s.38, s.42 (LPP), s.43.
Section 14 (vexatious/repeated).
EIR: manifestly unreasonable, personal data.
Apply any public interest tests: Write down the arguments for disclosure vs withholding and your conclusion.
Respond with clarity: Cite the relevant sections, explain what you can and can’t disclose, and tell the requester how to escalate or complain.
4. Typical Education Scenarios Where You Don’t Have to Disclose Everything
A few familiar examples:
1. Safeguarding DSAR from a parent: They request all safeguarding records relating to their child and an incident with other pupils.
You may need to withhold or heavily redact parts to protect other children, staff and any ongoing investigations, and to avoid serious harm.
2. DSAR from an employee who has raised a grievance and is threatening a claim: They ask for “all information about me”, including legal advice and internal notes.
You must disclose non-privileged personal data, but you can withhold documents covered by legal advice privilege and litigation privilege (e.g. solicitor emails, counsel’s opinions, litigation strategy, draft witness statements).
3. FOI request from a journalist for “all legal advice and risk registers relating to proposed school closures”
You may rely on s.36 FOIA (prejudice to effective conduct of public affairs), s.42 (LPP) and s.43 (commercial interests), subject to the public interest test.
4. Persistent complainant using FOI and DSARs to harass staff
You may refuse FOI requests as vexatious (s.14) and DSARs as manifestly unfounded, provided your reasoning is well-evidenced and documented.
5. How DW Consulting Experts Can Help
For MATs, schools and nurseries, DSARs and FOI/EIR requests are rarely “just admin”. They often sit on top of:
Employment disputes and threatened Employment Tribunal claims
Complex safeguarding cases and multi-agency investigations
SEND disputes, parental complaints and appeals
Reputational risk and media interest
DW Consulting Experts can support you to:
Triage and risk-assess complex or hostile DSAR/FOI/EIR requests
Identify and correctly apply legal advice privilege and litigation privilege
Draft robust, defensible responses, including partial refusals and clear explanations
Develop practical redaction protocols for HR, pupil and safeguarding files
Review and update your policies and procedures for DSARs, FOI and data protection
Train your DPO, HR and SLT to handle contentious requests confidently and in an “ICO-ready” way
If you’re facing a DSAR or FOI request that feels tactical, hostile or linked to potential litigation, the most cost-effective time to seek specialist support is at the outset, not three days before the deadline.
Get in touch if you’d like to talk through a live situation (on an anonymised basis) and map out a legally defensible, pragmatic strategy tailored to your Trust, school or nursery.

