Listen to this story Members can listen to an AI-generated audio version of this article. 1.0x Audio narration uses an AI-generated voice. 0:00 0:00 Become a member to listen to this article Subscribe Parental involvement in further education can be supportive, appropriate and genuinely in the learner’s best interests. Parents often arrive at FE after navigating school and other education providers on behalf of their child, particularly where there are additional learning needs, mental health concerns, or safeguarding issues. When something goes wrong at college, it is understandable that they want answers. Data subject access requests (DSARs) are sometimes used for that purpose. The difficulty for colleges is that, as learners get older, the right of access to personal data under UK GDPR shifts to them from their parents. In fact, for many school learners, they are deemed competent enough to exercise this right themselves. So even where a learner is under 18, parental responsibility does not automatically confer a right to receive their child’s personal data. This can come as a surprise to parents who are used to being closely involved with their child’s education. When parents’ rights end and learners’ rights begin In practice, colleges are already seeing the impact of these tensions. For example, a parent submitted a request for detailed attendance records to support a child maintenance dispute. The learner had not consented to disclosure, and there were safeguarding considerations linked to an estranged parental relationship. The college couldn’t therefore confirm any student data, even whether or not they attended that establishment. This led to repeated attempts to access the data from alternative channels, including direct emails to different teams, increasing the administrative burden and requiring consistent, coordinated responses to maintain confidentiality. That tension can be difficult to manage in practice. Colleges may face repeated follow-up requests, demands for wider disclosure, pressure to release third-party or confidential material, or attempts to use the DSAR process as a substitute appeal route. Sometimes the information disclosed does not reassure parents; instead, it may confirm concerns, provide access to statements or reports that they disagree with, or document decisions they feel are unfair. Colleges also need to navigate the limits of disclosure carefully. Any data provided must contain only the information to which the learner is entitled, with personal data relating to other students and, in certain cases, select staff members appropriately redacted. Generally, the names of staff directly working with the learner will not be redacted. For parents who are already distressed or frustrated, those legal limits can feel obstructive rather than protective. This means colleges must often explain, sometimes repeatedly, that the DSAR right belongs to the learner, and not all information is disclosable. DSARs are not mechanisms for challenging academic or disciplinary decisions, and the process has legal limits. In practice, this can be hard when parents are distressed, persistent or convinced they are acting in their child’s best interests. DSARs are not an appeals process In another case, a parent sought access to documentation relating to a disciplinary investigation involving their child, with the request appearing to be driven in part by disagreement with the outcome. While the college disclosed the learner’s personal data where appropriate, significant portions of the records required careful redaction to protect the personal data of other students and staff. This process is rarely straightforward; it often involves reviewing multiple documents line by line, applying consistent redaction decisions, and ensuring that exemptions are correctly applied. The parent viewed the response as incomplete and challenged the college further. However, they are unlikely ever to gain access to information reflecting other individuals’ views or recollections of the events, as this constitutes third-party personal data. In some instances, parents may escalate concerns to the Information Commissioner’s Office (ICO), but where the college has complied with its obligations under UK GDPR, no further regulatory action is typically required. Nonetheless, managing such cases can be time-consuming and resource-intensive, requiring coordinated input across teams to review material thoroughly and ensure a compliant response. Understanding and communicating the respective rights of parents and learners will become even more important as the volume of DSARs received by colleges grows. Clear boundaries protect everyone The most effective response is not to discourage parental involvement. In many cases, it is positive, constructive, and rooted in genuine care. Instead, colleges need a clear, consistent framework for handling parent-led DSARs. This framework should respect parents’ concerns while making clear that the rights of access and rectification belong to the individual learner and have legal limits. In practice, that means engaging with the learner directly where appropriate or making clear to the parent that the learner’s consent is required before their personal data is released. Learners will often agree, particularly where parents are supporting them with wider issues such as attendance, a change of course, a complaint or disciplinary procedures. It also means responding professionally and transparently to the scope of the request. Parents may be surprised that the names of other students in an incident involving their child have been redacted, or that a college can refuse to amend an incident report where the parent or learner simply disagrees with the account recorded. Colleges that explain these limits clearly and consistently are better placed to maintain trust without compromising legal compliance. The data use and access act 2025 reinforces that colleges are not required to undertake unreasonable or excessive searches when responding to DSARs. However, colleges must give individuals a clearer route to complain if they believe their rights have not been met. Against that backdrop, the process works best when colleges communicate limitations clearly and consistently. Colleges must ensure all parties understand that data protection law exists to empower and protect the learner. Rights requests are not a substitute for appeals or complaints procedures.