Here are questions and answers we get asked most.
You have the right to get a copy of the information that is held about you. This is known as a subject access request.
This right of subject access means that you can make a request under the Data Protection Act to any organisation processing your personal data. The Act calls these organisations ‘data controllers’.
You can ask the organisation you think is holding, using or sharing the personal information you want, to supply you with copies of both paper and computer records and related information.
There are some ‘exemptions’ within the Act which may allow an organisation to refuse to comply with your subject access request in certain circumstances. Consider carefully what you are asking to see. Remember that these data may be sensitive such as indicators of [your or] your child’s history of in-care, adoption, or parents’ service personnel status.
Information about children may be released to a person with parental responsibility. However, the best interests of the child will always be considered.
Even if a child is very young, data about them is still their personal data and does not belong to anyone else. It is the child who has a right of access to the information held about them.
Before responding to a request for information held about a child, organisations should consider whether the child is mature enough to understand their rights. If the organisation is confident that the child can understand their rights, then it will respond to the child rather than the parent. What matters is that the child is able to understand (in broad terms) what it means to make a subject access request and how to interpret the information they receive as a result of doing so.
Yes if you have carer or custodial rights for a child, for example. The Data Protection Act does not stop you making a request on someone else’s behalf.
In these cases, the organisation will need to satisfy itself that the third party making the request has the individual’s permission to act on their behalf. It is the third party’s responsibility to provide this evidence, which could be a written authority to make the request, or a power of attorney.
If a person does not have the mental capacity to manage their own affairs and you are their attorney, for example you have a Lasting Power of Attorney with authority to manage their property and affairs, you will have the right to access information about the person you represent to help you carry out your role. The same applies to a person appointed to make decisions about such matters:
In England and Wales, by the Court of Protection. In Scotland, by the Sheriff Court; and in Northern Ireland, by the High Court (Office of Care and Protection).
To make a subject access request, you may wish to use our suggested template by copying and pasting the text from the bottom of this page, into an email. This is NOT an official DfE request form, but has been drafted by us at defenddigitalme because the Department for Education do not offer one. As published on the DfE website, you can email requests to them via: email@example.com
You may also want to ask third parties what they hold, when they hold a copy of the National Pupil Database, such as the Fischer Family Trust for example. c/o Data Protection Team, Education Ltd, 1st Floor 79, Eastgate, Cowbridge, Vale of Glamorgan CF71 7AA.
However do not send any copies of identity documents and AFTER the NPD request team has confirmed that they will process your request. To date, they have refused requests from parents. We believe they should comply with Subject Access Rights under the Data Protection Act 1998.
Keep copies and proof of receipt.
It is best to send your request by email, and you should keep a copy of the request and all other correspondence. This will be important as evidence if you need to complain to the Information Commissioner’s Office that the organisation has not given you the information you think you are entitled to.
Yes. A request sent by email or fax is as valid as one sent in hard copy. You can also make a valid request by social media, for example via an organisation’s Facebook or Twitter account, although it may be impractical for the organisation to use this same method to supply information to you.
If you find it impossible or unreasonably difficult to make a request in writing, an organisation may have to make a reasonable adjustment for you under the Equality Act 2010 (or Disability Discrimination Act 1995 in Northern Ireland). This could mean, for example, that the organisation has to consider treating a verbal request for information as if it was a valid subject access request.
It’s free. Under the General Data Protection Regulation enforceable since May 2018, all regular requests are free of charge to Data Subjects – that means you and me, or the person the data is about, except in exceptional circumstances, which you can ask us for advice on.
The organisation has to reply within 40 days, starting from the day they receive both the fee and the information they need to identify you and the information you need. A credit reference agency must reply within seven days to a request for a credit file.
If an organisation reasonably needs more information to help them find your information or identify you, they have to ask you for the information they need. They can then wait until they have all the necessary information as well as the fee before dealing with your request.
If you have it, it will help to provide the school name, and if you know it, the code numbers for the school. If unsure, please follow these steps if you wish to find your URN, Local Authority Number or Establishment Number: Go to https://get-information-schools.service.gov.uk/
What is held in the fifty-plus DfE databases, including the National Pupil Database, is NOT the same as what is only held by your child’s school. Around 400 different items can be stored on any one individual in the National Pupil Database. Do not be put off by replies which tell you to ask a school for your child’s school record if you want to know what is held at national, not local level. You are entitled to be told if any personal information is held about you and if it is, to be given:
Yes. There are some narrow circumstances data can be withheld, for example where the information you have asked for contains information that relates to another person who is not under your care, or whose best interests might be harmed.
The law covers personal information that:
Under equality law an organisation has a duty to make sure that its services are accessible to all service users. You can request a response in a particular format that is accessible to you, such as Braille, large print, email or audio format.
If more than 40 calendar days have passed since you made your request, we advise you write to the organisation to remind them of your request and their obligations under the Data Protection Act.
After this, you can write to the Information Commissioner’s Office to complain and ask for support. Get in touch with us too. We are happy to discuss and support any questions before you make applications in confidence.
Yes but you can’t ask the Department for Education for exam scripts, as they are held by Exam Boards. In December 2017, the European Court of Justice (ECJ) ruled yes, because exam scripts are personal data. In the UK Data Protection Act 2018, the government created an exemption however for personal data recorded by a candidate in exam scripts. (Schedule 2 — Part 4 (25)— Restrictions based on Article 23(1): restrictions of rules in Articles 13 to 15) [p176-77].
The ECJ had ruled Subject Access rights should be applied irrespective of national legislation, and the exemption appears to be restricted to some, not all rights. For example the right to rectification still applies, and yet it is almost impossible to enact without the right to access which underpins it in Recital 63. In summary, the new 2018 Data Protection Act and accessing personal data in exams, has certain restrictions which are yet to be tested.
Please note that where the term “data subject” is used it refers to the person about whom the information is being requested. A parent, or guardian, who has joint, or sole, parental responsibility can make a request on behalf of their child, though this is dependent upon the age and maturity of the child.
The Data Controller (the organisation) must respond promptly and within 40 calendar days of the latest of the following:
Before you start, are you asking for data about yourself? If yes, you are called ‘the Data Subject’. If not, you may need to have some reasonable discussion whether or not it is you, or the child, who should make the request.
if you are the Data Subject you will be asked to supply original proof of identity bearing your name i.e passport, driving licence (if applicable), birth certificate (or certified copy) or at least an official letter showing your current address such as from a utility company or Bank. DO NOT SEND THESE UNTIL ASKED TO DO SO.
If no, are you acting on behalf of the Data Subject? If they are your child under a reasonable age of capacity, you will be asked to provide evidence of the relationship. If they are of reasonable age and capacity, can they make it themselves, or can you make the request together, and with their written authority? If so, that authority must be enclosed and you must also produce evidence of your identity and that of the data subject (as above). DO NOT SEND THESE UNTIL ASKED TO DO SO.