Global menu

Our global pages

Close

Education briefing - Publication of exam results: What to expect under Privacy and Information Law

  • United Kingdom
  • Coronavirus
  • Education - Coronavirus

12-08-2020

In the circumstances that education providers have found themselves in, personal data of students (and also staff) is being used in ways that were not previously anticipated and is attracting national attention. Indeed privacy concerns are even more to the forefront of individuals minds given some high profile security breaches in the sector.

Give the recent position following publication of results in Scotland, the process in England and Wales is going to lead to a significant increase in student engagement, enquiry and, in all likelihood, complaint. At this time it is therefore vitally important that education providers are aware of and prepared to comply with their obligations under the General Data Protection Regulation (“GDPR”) and, in the UK, the Data Protection Act 2018 (“DPA”) (collectively referred to as the “Data Protection Laws”) in not only ensuring that the processing of personal data in managing such appeals and complaints is transparent, fair and lawful (as well as secure, of course) but also in having sufficient processes and resources to identify, manage and deal with a likely wave of requests for personal data and information in the short term.

Preparing yourself: Looking at fair and lawful processing

Education providers must ensure that the way that they are processing personal data is transparent and fair by letting students (and, where necessary,) staff know how their personal data has been processed, for what purpose(s) and, importantly, who their personal data is shared with (for example: exam boards, universities, UCAS, parents/guardians). This is particularly important for any complaints and/or appeals process and can be done by updating current fair processing notices (also known as privacy notices) or issuing separate, layered, fair processing statements to ensure they cover all current and planned processing activities. Much of this information should have already been provided to students in existing notices, but now is a good time to check that these common areas of processing are covered off. These notices tell individuals what you can do with their data, institutions must ensure they stay within the boundaries of those notices (as amended), or should expect to be challenged.

In addition, the Data Protection Laws require that all processing of personal data is limited to what is necessary. That includes collection, sharing and deletion. When dealing with appeals and complaints be careful of large scale voluntary data disclosures to you, much of which you may not need. Similarly, when sharing data to further the complaint or appeal, be careful to keep that sharing on a need to know basis. Otherwise all your hard work in reaching the right outcome might be overshadowed by unlawful and unnecessary data sharing (which is technically a security breach).

Where complaints/appeals are received, care must be taken not to use personal data in any way that would be unexpected or unnecessary (each being a breach of the Data Protection Laws). All such processing must be undertaken within the identified lawful bases for processing (whether that be, for example, processing necessary for legitimate interests, for a public task or with consent) as set out in the notices referred to above.

Remember that it is often unexpected, rather than unlawful processing that leads to complaints in practice. Being transparent and clear with individuals is therefore crucial.

Requests for information and personal data

Clearly, given the gravitas of A level and GCSE results coupled with the circumstances in which this year’s results were calculated, it is to be expected that there may be an increase in individual rights requests. You may also expect additional requests for information on how those results were calculated, marking criteria, information on average grades and who made such decisions under the Freedom of Information Act 2000 (“FOIA”) from disgruntled students, their parents/guardians, journalists, politicians and members of the public.

These requests can often hide within complaints or other correspondence and can easily be missed. In neither of these cases does the law have to be mentioned for the request(s) to be valid. A description of the right being exercised is sufficient – “I want to know what information on be you have” or “I want you to delete me from your systems” are perfectly valid subject access and right to erasure requests respectively. Similarly, “I want to know what comments my assessor gave other individuals” is a perfectly valid FOIA request (even if likely to be widely exempt from disclosure in practice).

It is also important to keep in mind that requests made under the Data Protection Laws can be made over the phone and in person, not only in writing, so staff must be on guard to spot and be prepared to record and ensure such requests are sent to the right person/department for processing within the statutory timescales (detailed below). Having a procedure in place is key to handling these requests. Failure to do so could lead to complaints to the Information Commissioner’s Office and possible enforcement action taken.

Individual rights requests

Students, particularly those unhappy with their results, can submit requests in respect of their personal data under the Data Protection Laws to understand how their grade was reached. We would expect the majority of these requests to take the forms of data subject access requests for specific personal data about the students themselves, but there may also be requests for erasure or requests to correct inaccurate data. All requests have a one calendar month statutory time limit. However, there is an exception for requests for information pertaining to a student’s exam result(s) before the results are published.

Where a request is received prior to the results being published, the timeframe for responding is within five months of receiving the request or, if earlier, within 40 days of announcing the exam results. Requests received post-publication will be under the usual one month time limit. In such cases, there is the possibility of extending the deadline by a further two months if the request is considered to be “complex”, however, this is a relatively grey area and can be difficult to meet.

Data subject access requests

When responding to a request for a student’s personal data, an education provider should consider the following key issues as part of its processes:

Who is requesting the personal data?

As the students (in relation to requests concerning exam results) are over the age of 13, parents/guardians are unable to request this data on a student’s behalf without evidence of their consent. Care should be taken if requests for personal data are not sent directly from the student themselves.

• What is being requested?

What does the education provider hold? Is the request actually for the student’s personal data? Or is the request hidden within a complaint? Do you have enough information to really know what is being asked for or should you clarify this with the applicant?

Does this contain third party personal data (of other staff/students)?

In most circumstances, it is unlikely to be lawful to disclose personal data of third parties (particularly other students) under a data subject access request. Senior staff members or teachers making comments about that student may be disclosed where there is a lawful basis for doing so.

Will the “exam exemption” apply?

An exemption from disclosure to consider here is the “exam exemption”, which exempts information recorded by candidates during an exam.

The ICO has issued guidance on how this will work during the current pandemic. Students are entitled to information about their performance including (i) the teacher assessment, (ii) written comments about provisions grades and/or marks , (iii) records of past performance etc. However they do not have a right to ”any information you have recorded yourself. This means you can’t get copies of your answers from mock exams, assignments or assessments.”

Importantly, information recorded by others, including the student’s final mark and comments about them from examiners or minutes of any examination appeal panel hearings are not exempt, but students are not entitled to receive these until after results have been published and third party personal data may be redacted where appropriate.

Right to rectification

Students have the right to have their marks recorded accurately but the Data Protection Laws do not provide the right of challenge to the mark. Education providers must make sure that personal data of students is recorded accurately, requests can be made by students to rectify the data where inaccurate data is held although where this is inconsistent with evidence that the education provider has, this request can be refused.

Right to erasure

The right to erasure (sometimes referred to as the right to be forgotten) means that where there is no lawful reason to process personal data it must be deleted on request. So for personal data being processed under consent, or under a legitimate interests lawful basis, it may be that exercising this right would stop that processing. However, the right of erasure doesn’t apply to all personal data, only that processed for certain purposes. As a result, and as makes practical sense, you would not be expected to delete work, exam grades or assessments simply because such a request was made.

FOIA

Education providers are subject to FOIA and requests for information are a weekly occurrence for many. Often, within complaints we see requests for information that are often missed as the complaints process is dutifully followed. Also, during times of uncertainty we see increased interest from local and national media, as well as members of the public and parents.

We expect that there are likely to be requests under FOIA in relation to statistics concerning grades achieved in previous years, or marking criteria and/or standards applied. One approach that could be taken is to publish statements about the results publicly and the criteria used to reach them. Information publicly available or due for future publication are usually exempt from FOIA requests.

It is important to remember that all FOIA requests are to be treated as applicant-blind and assessed under the legislation on a case by case basis. Disclosure under FOIA is disclosure to the world at large so caution must be exercised in responding to these requests, particularly where information contains personal data.

All FOIA requests should be responded to within 20 working days for colleges and 20 school days for schools (and so will not start until school resumes after the end of the summer holidays). There are a number of exemptions that your information governance and compliance teams will be familiar with. These should be carefully considered to ensure disclosures are appropriate. Extensions are not possible for FOIA requests, although given the ICO’s more tolerant stance taken during the health crisis, we would not expect enforcement action in respect of reasonable delays in responding to requests.