Right of access under the GDPR
You have the right to ask an organisation whether or not they are using or storing your personal information. You can also ask them for copies of your personal information, verbally or in writing by submitting a subject access request (SAR).
If you have parental authority and the child is under 12 years of age, you can also request copies of their personal data.
How long does it take?
Under education regulations in all regions, the organisation must comply with a written request within 15 school days, this does not include school holidays. The parent’s right is only to access their child’s educational record, whereas a SAR also enables access to the personal data a school processes that does not fall into the definition of an educational record.
The two rights also have different time limits for compliance. You must respond to a parent’s right of access to their child’s educational records within 15 school days, whereas you must comply with a SAR within one month.
What does it cost?
The organisation must allow those with parental authority to view the educational record free of charge.
If a parent makes a request for a copy of the educational record, this must also be provided within 15 school days. The organisation can charge a fee for the copy, however, the fee must not exceed the cost of supply.
The cost depends on the number of pages provided. For example, 1 to 19 pages will cost £1.20; 29 pages will cost £2, and so on, up to a maximum of 500+ pages which will cost £50.
When can we refuse to comply with a request?
Where an exemption applies, you may refuse to provide all or some of the requested information, depending on the circumstances. You can also refuse to comply with a SAR if it is manifestly unfounded or manifestly excessive. Our detailed guidance explains the factors you should consider in determining whether a request is manifestly unfounded or excessive.
If you refuse to comply with a request, you must inform the individual of:
- the reasons why;
- their right to make a complaint to the ICO or another supervisory authority; and
- their ability to seek to enforce this right through the courts.
What is education data?
The DPA 2018 defines ‘education data’ as:
- personal data which consists of information that forms part of an educational record; and
- is not data concerning health.
The definition of ‘educational record’ in the DPA 2018 differs between England and Wales, Scotland and Northern Ireland. Broadly speaking, however, the expression has a wide meaning and includes most information about current and past pupils that is processed by or on behalf of a school. The definition applies to nearly all schools including maintained schools, independent schools and academies.
However, information a teacher keeps solely for their own use does not form part of the educational record. It is likely that most of the personal information a school holds about a particular pupil forms part of the pupil’s educational record. However it is possible that some of the information could fall outside the educational record, eg information a parent of another child provides about the pupil is not part of the educational record.