We are all well versed now on subject access requests (SARs) and how they are made but there is one area which has become immediately more prevalent since lockdown. With the impeding results season, schools are likely to receive requests from students and parents on how marks have been arrived at. Schools will have to exercise their rights to use exemptions where needed.
Exam results have of course been based on previous assessments, coursework and mock results due to the coronavirus (COVID-19) pandemic. As a result of this assessment and conclusion, there will be a lot of evidence recorded that shows how these grades have been decided. Schools need to be aware that this type of evidence, communication and record, falls right into the scope of GDPR and SARs. Therein lies a problem, could pupils really get to know their grades before they are released publicly?
In short, no, they couldn’t. There is plenty of time for them to submit a request and get the response within one calendar month, as per the SAR deadlines. The request would not likely be deemed excessive or malicious, but the Data Protection Act 2018 contains a number of exemptions and some are specifically for the education sector.
The Data Protection Act 2018, Schedule 2, Part 4, Paragraph 25 (3), sets out your obligations to comply with a SAR under Article 15, (GDPR), in that, if you do receive a request of the above nature, you have two time periods that are applicable.
- If the request is received prior to the results being released, you 5 months from when requested to release the information but not before the official release date
- You have 40 days from the date the results have been released to provide the response
Put simply, you do not have to provide the information before exam results have been released, but you are required in accordance with the legislation to explain which exemptions you have exercised. You are entitled to exercise these as a controller and withhold the information. It is important to remember that you are not refusing the request, just delaying it.
It may be the case that some requests do go straight to the exam board and they may refer requests back to the school, but the before release date guidance remains the same.
Make sure you speak to your data protection officer in relation to any request and also to prepare for this eventuality.
If you don’t have a DPO in place, our DPO service for schools provides an accredited GDPR practitioner, with education sector experience, who can work alongside the executive team on any data protection issues. We can also provide an extra level of project support for existing school members who are DPOs to address any concerns or issues. It provides the clarity of how leadership could improve compliance and provides on-site support to work on key projects. Alternatively, you may just need a bit of help with managing subject access requests or you would benefit from a data health check that looks at all data processes, identifies risks, proposes solutions and formulates an action plan to be followed. The Healthcheck can be carried out at any point to check ongoing processes.
Please do get in touch and we will be more than happy to talk you through our DPO service and what we can do to help you. Call 01924 827869 or go to https://www.fusionbusiness.org.uk/schools/dataprotectionanddpo/
Ben Cain, Data Protection Officer