The Summer SAR Surge: AI-Generated Requests, FOIs and Staying Compliant When School's Out

Posted  8th July 2026

It is not surprising to see an increase in Subject Access Requests (SARs) and Freedom of Information (FOI) requests during or just before the summer holidays. Implementing steps to manage the requester’s expectations and ensure a transparent process can go a long way when handling what might be a surge in requests outside of school days.

What are the Differences Between SARs and FOI Requests?

Subject Access Request (SAR)

SAR, also referred to as the right of access, falls under one of the many individual rights. It the right that the individual has to obtain a copy of their personal data, as well as other supplementary information which the school holds or processes.

SARs can be made in writing or verbally. In writing includes in the form of a letter, a form, or even through your social media account; whereas verbally could be over the phone, during a meeting or even at the school gate at the end of a school day. This is important to keep in mind as SARs can be received in many ways as the summer period approaches.

The timeframe for a school to respond to SARs is one calendar month, even during holiday periods. School holidays alone cannot be the reason to extend the legal timeframe; however, it can be part of the consideration in an extension, which will be discussed in more details later.

Freedom of Information Request (FOI)

A FOI request is a request for information held by the school as a public body. This is different from SARs as an FOI is not a request for personal information. Some recent FOI requests we have seen include asking for information on how schools train their staff to recognise extremist ideology or if they serve halal meat. These are good examples to show the more general information that can be requested under this type of request instead of someone asking for personal data that the school holds.

The timeframe to respond to an FOI is 20 school days or 60 working days, whichever is shorter. Unlike SARs, this pauses when there is a school closure, which is a key difference.

For both type of requests, your Data Protection Officer (DPO) would assist you in calculating a response date, drafting a formal acknowledgement to set the deadline and request ID, clarification and/or consent where appropriate. They would also draft a final response once the data has been collated and is ready to be sent.

Managing SARs and FOI Requests During School Closures

Streamlining Pre-Closure Preparation

Schools should collaborate with their DPO ahead of time to establish a simple, agreed-upon checklist, which is then shared with anyone responsible for picking up requests. This is also a great time to review your school’s data retention policy. By ensuring your school is not holding onto email or file archives longer than necessary, you naturally reduce the volume of data that needs searching. When complex or overly broad requests do arrive, it is worth remembering that schools are only required to carry out a reasonable and proportionate search in likely locations. If a request lands right before closure, staff should immediately begin gathering information rather than waiting for autumn, as even partial progress can save a significant amount of time later.

Clarifying Staff Responsibilities and Workflows

While the school is accountable for compliance, any staff member can receive an inquiry. In the final weeks of term, a quick reminder via email or a staff newsletter can ensure everyone knows how to handle a request. This reminder is particularly vital for front-facing team members, such as reception staff, who need to recognise a request instantly and route it correctly. All inquiries should flow into a centralised inbox and be recorded in a live tracker that logs deadlines and progress. Updating this log fully before closing ensures that when the school reopens in September, staff can pick up exactly where they left off without losing track. Furthermore, leaders must decide in advance whether anyone will monitor this central inbox over the break or if operations will pause entirely, allowing internal expectations to align with holiday capacity.

Prioritising Transparency and Communication

Managing the expectations of parents and individuals is the most effective way to avoid confusion and friction during a closure. If a school cannot realistically complete a request before the holidays, the key is to be entirely open about the delay. Staff should contact the requester to explain the timeline, and where possible, consider sending a partial disclosure of whatever data has already been gathered to show good faith. During the closure itself, detailed out-of-office replies should be active on all primary mailboxes. These automated messages need to clearly state how requests are being handled, whether the inbox is being actively monitored, and when a full response can be expected. For long-term transparency, schools should ensure their public Data Protection Policy explicitly details how holiday closures impact statutory timescales. This public clarity supports openness and often encourages individuals to submit their requests earlier in the academic year.

Increase in AI-generated SARs

Increased AI use in creating long, detailed and often complex SARs may give the impression that a larger volume of information must be provided than is actually required.

In many cases, AI-generated requests will use broad or generic wording, such as asking for “all data held” or including extensive lists of possible information types like metadata. While these requests may appear more formal or technical, they should still be treated the same way as any other SARs. The school is not required to respond to every possible category listed if it is not relevant, and only needs to carry out a reasonable and proportionate search based on the scope of the request.

Ahead of the summer closure, this is particularly important to keep in mind. AI-generated requests may require additional time to review and clarify, especially if the scope is unclear or overly broad. Where appropriate, schools should feel confident in seeking clarification from the requester to help narrow the scope and ensure the response in manageable and focused. Reaching out to your DPO early in these cases will help you manage these types of requests.

While AI tools are changing how requests are being submitted, they do not change the school’s obligations. A calm, consistent, and proportionate approach will help ensure that requests are handled appropriately, even during busier periods such as the summer closure.

Factors to Consider For Any Potential Extensions on SARS

Here are some key things to think about when considering extending the time frame on SARS requests.

Consider an extension if one or more apply:

  • Volume of data – large pupil record, multiple years, multiple systems (MIS, safeguarding, emails, CPOMs, etc.)
  • Multiple systems or data source – data held across archives, third-party processors, paper files, etc.
  • Third-party data/redaction complexity – information involving other pupils, staff opinions, safeguarding concerns, or ones that require careful balancing and redaction
  • Unstructured data – emails, Teams chats, shared drives requiring keyword searches, etc.
  • Multiple or overlapping requests

Do not extend only because of:

  • Summer holiday closures
  • Reduced staffing
  • Staff absence/annual leave
  • “We are busy” or backlog
  • Waiting for a specific staff member

The ICO are sympathetic to schools receiving and managing requests over the summer periods and will consider the school closure and staff not being able to work on SARs as another consideration along with the other reasons for any delay.

We advise schools, where possible, to partially fulfil the request before the school closes and to be transparent from the first communication that there may be a delay; this will also help if a request or complaint goes to the ICO, as they would likely be more understanding in those situations.

Typical Process When Receiving Requests Over This Period

Step 1: Assess Early (within the first few days)
Within the first few days, make sure to carefully review the request to get a better idea on scope, systems involved and likely redactions involved.

Step 2: Communicate Promptly 
If extending (SAR only): Decide quickly if extension may be needed so the requester can be told at the start of this process

Step 3: Explain Clearly 
Your response should include that an extension is being applied, the corresponding reasons and the new deadline. Your DPO can help prepare a draft response for SARs that are received around this time which will explain all the above.  

Step 4: Continue Processing as normal for now 
An extension should not be considered a reason to start the collating of information later, work should continue as usual, including data gathering and redaction. Even if it has to be paused, you should still try to complete as much as possible. 

Step 5: Consider Narrowing the Request 
Explain to the requester that with specification, it can sometimes avoid extensions entirely, and offer them the option to focus on a date range or prioritise certain records. Do note that a requester does not need to specify or clarify their request and if not you should continue the process where possible. 

While this is the typical process, your DPO will be able to help with acknowledgment of these requests where timescales and further transparency information can be included. They will also be able to advise on if any information can be provided before the closure and how to address partial disclosure. 

FOIs do not have the same criteria as the time frame pauses for the school holiday period, so this will follow the normal process. However, if extensions are required, it is best to speak with your DPO as there will be different exemptions to apply that will not be based on school closure time frames.  

    How Judicium can help...

    You can find information regarding our School Data Protection service here.

    Jedu is Judicium's online UK GDPR compliance tracking software for schools. Our platform is suitable for single schools to large MATs and is designed to assist schools with two critical needs: To enable trustees, Governors and other SLT to monitor UK GDPR compliance; and to assist you in managing your data protection.

    If you would like more information on how we can support you or more information regarding Jedu, please get in touch with us.

    If you require any support in any of these steps or would like to talk to someone about some support for your school, please do not hesitate to call us on 0345 548 7000 or email enquiries@judicium.com.

     Follow us on Twitter: @DPOforSchools and @JudiciumEDU.

    © This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attend and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium either preventing you from accessing our sessions and/or follow-up content.


    How Schools and Trusts Must Align Filtering and Monitoring with Data Protection
      July 03 2026

    Filtering and monitoring are now explicit data protection expectations for schools. Discover how to align your safeguarding systems with updated DfE compliance standards, manage data retention, and implement cross-functional governance across your trust.

    Read more

    The Do’s and Don'ts of Biometric Data in Schools
      May 13 2026

    Learn the do’s and don’ts of processing biometric data in schools. Discover how to manage privacy risks, handle ICO audits, and ensure school compliance.

    Read more

    Data Retention in Schools – Your Key to Unlocking Effective Data Breach Management
      March 18 2026

    Understand the link between data retention and effective breach management in schools. This article covers the fundamental building blocks of a retention strategy, the risks of keeping data too long, and how structured disposal makes responding to a breach more manageable.

    Read more

    Caught on Camera: Getting CCTV Right in Schools
      February 11 2026

    This is a summary taken from Judicium’s DPO ‘Sofa Session’ from the 11th February, with our Data Protection consultant, Shaafah Mohamed. This session explored the use of CCTV within school settings and its link to data protection. Why CCTV is considered privacy intrusive, the legal basis for its use under UK GDPR, and practical steps schools should take to ensure compliance. 

    Read more

    From Request to Response: Navigating Subject Access Requests the Smart Way
      December 10 2025

    This is a summary taken from Judicium’s DPO ‘Sofa Session’ from the 12th December, with our Data Protection Consultant Daniel Richardson.

    Read more

    Data Breach Alert: No system is Safe - But Your Response Can Be
      October 21 2025

    This is a summary taken from Judicium’s DPO ‘Sofa Session’ from 22nd October, with our Data Protection Consultant Jessica Vannan. In this session, we broke down what constitutes a data breach, how it should be assessed, and what effective breach management looks like.

    Read more