New ICO Guidance on Subject Access Requests and Education Data
Posted in: Quarterly Education Law Updates on 26 November 2020
Paul Upson is an Associate Director at education law specialists, Napier Solicitors. In this Quarterly Education Law Update, he looks at recent guidance issued by the Information Commissioner’s Office (ICO) in relation to subject access requests.
Under the Data Protection Act 2018 (DPA 2018) individuals have the right to access and receive a copy of their personal data, and other supplementary information. This is commonly referred to as a subject access request (SAR).
On 21 October 2020, the ICO issued new guidance in relation to SARs. The guidance can be found here.
When the new guidance was issued, the ICO noted that more and more people are waking up to the power of their personal data and are exercising their rights. It is important that organisations (including schools) know how to deal with SARs effectively and efficiently.
Schools will receive SARs from various sources, including from employees and pupils. Staff in schools who have specific responsibility for data protection issues will likely find a lot of the new ICO guidance useful. However, this article focuses on the section in the guidance regarding education data.
What is Education Data?
The DPA 2018 says that ‘education data’ is personal data which consists of information that forms part of an educational record (and which is not data concerning health). The DPA 2018 sets out the definition of ‘educational record’ as it applies in Northern Ireland. The definition is wide. It includes information which relates to an individual who is (or has been) a pupil at the school – where such information:
- has been processed by (or on behalf of) the Board of Governors or a teacher at a school in Northern Ireland; and
- has originated from (or was supplied by or on behalf of) a teacher at the school; an employee of the Education Authority; an employee of the Council for Catholic Maintained Schools (other than a teacher at the school); the pupil to whom the record relates; or a parent.
The DPA 2018 makes it clear that information which is processed by a teacher solely for the teacher’s own use does not fall within the definition of ‘educational record’. The new ICO guidance states that it is likely that most of the personal information that a school holds about a particular pupil will form part of the pupil’s educational record. However, it does give one example of information that could fall outside the educational record – information a parent of another child provides about a particular pupil.
How Can Individuals Access Education Data?
The new ICO guidance recognises that there are two avenues for obtaining information from a school about a pupil:
- The pupil’s right of access under Article 15 of the GDPR.
- The parent’s right of access to their child’s ‘educational record’.
The guidance focuses on the pupil’s right of access under the GDPR. That said, it does flag up two relevant points about the different avenues for obtaining information. Firstly, it says that the information a school may have to provide can differ depending on which right applies. The parent’s right is only to access their child’s educational record; whereas a SAR may also enable access to personal data that does not fall into the definition of an educational record. Secondly, it recognises that the two rights have different time limits for compliance. A school must respond to a parent’s right of access to their child’s educational records within 15 school days; whereas the school must comply with a SAR within one month (save where an extension applies – see below).
How Long Does A School Have To Comply With A SAR Received During School Holidays?
The new ICO guidance makes it clear that there are no special rules which allow a school to extend the time period for dealing with a SAR because it has been received during school holidays. If a school receives a SAR when it is closed, the normal time periods for a response still apply.
If a school receives a SAR, it must respond without undue delay and at the latest within one month of receipt of the request – or, where applicable, within one month of receipt of:
- any information requested to confirm the requester’s identity;
- the payment of any relevant fee.
There is scope to extend the time for a response by a further two months if the request is complex; or if the school has received a number of requests from the individual in question. Where such an extension arises, the school should calculate the date for response as three months from the original start date (i.e. the day that the school received the request, fee or other requested information).
If a school decides that it is necessary to extend the time limit by two months, it must let the individual know within one month of receiving their request and must explain why the extension is being applied.
Is Education Data Ever Exempt From Subject Access?
The new ICO guidance makes it clear that the exemptions and restrictions that apply to other types of personal data also apply to education data. The guidance includes a specific section on the relevant exemptions.
The guidance also makes it clear that if an educational record contains personal data relating to someone other than the person who made the request (such as a family member), the school must consider the rules about third-party data before disclosing it. However, the guidance makes the point that a school should not normally withhold information that identifies a teacher (i.e. the rules about third-party data would not normally permit a school to withhold information because it identifies a teacher).
The guidance addresses two specific exemptions which it says are of particular relevance in relation to education data. The first relates to education data that is processed by a court. A school will be exempt from providing education data in response to a SAR if the education data is supplied in a report or given as evidence to a court in the course of proceedings; provided certain specific statutory rules apply to those proceedings that allow the withholding of the data from the individual it relates to.
The second relates to circumstances where the release of the education data could cause serious harm. In most circumstances, a school will be exempt from providing education data in response to a SAR to the extent that complying with the request would be likely to cause serious harm to the physical or mental health of any individual. This is known as the “serious harm test” for education data.
It is important that SARs are handled appropriately, not least because an individual has the right to make a complaint to the ICO about a failure to comply with the relevant rules. The new ICO guidance provides useful clarification for all organisations on how to deal with SARs, including where a school receives a request for education data.
The main content of this article was provided by Paul Upson from Napier Solicitors. Paul’s contact telephone number is 028 9024 4602 or email firstname.lastname@example.org.
 The definition of parent is as set out in Article 2(2) of the Education and Libraries (Northern Ireland) Order 1986.
 GDPR refers to the General Data Protection Regulation.
 See Education (Pupil Records) Regulations (Northern Ireland) 1998
 See the section in the guidance on ‘Can we ask for ID?’
 There are no special rules which allow a school to charge fees if it is complying with a SAR for education data. For more information about when an organisation can charge a fee, see the section in the guidance on ‘Can we charge a fee?’
 See the section in the guidance on ‘What other exemptions are there?’
 See the section in the guidance on ‘What should we do if the request involves information about other individuals?’.
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.