Data protection and complaints

Data protection can come up when managing a complaint in different ways. The main things schools need to be aware of are freedom of information (FOI) and subject access requests (SAR). It is important that schools have policies in place that set out how these are dealt with and guidance is available from the Information Commissioners website. It is also important that data protection policies are followed.

A FOI request is a request for information and should be complied with unless an exception applies. SARs are requests for all information about an individual that is held by the school and these will include e-mails. Again, exceptions apply, but the general principle that all staff (and governors) should be aware of is not to put anything in writing which they would not want a person to see. When dealing with difficult individuals, there may be a temptation to let off steam in an e-mail and there should be caution around this.

Sometimes parents may use FOI/SARs as part of a complaints process.  It is important that policy is followed and if there are particular concerns about disclosing information then it is important to seek advice about what can be disclosed. A person may complain to the Information Commissioner if they do not consider that requests have been properly dealt with. In schools, a common exemption may be requests which concern the personal data of third parties. For example, if the complaint is about bullying, information may be sought about other children. These can be refused.

In May 2018, the General Data Protection Regulation (GDPR) will be introduced throughout the EU. This will largely replace the current UK data protection law, regardless of Brexit. The GDPR will bring many new and enhanced obligations and so schools and multi-academy trusts should start preparing themselves for the upcoming changes now.

If you would like more information on this topic, please contact Russell Holland at