The GDPR and school exams: What do schools need to know?

Every exam season, schools receive questions and complaints about the way they handle students’ personal data. What information are they allowed to share? What rules must they be aware of when processing or publishing exam results?

The introduction of the GDPR (General Data Protection Regulation) and its UK equivalent has raised the stakes. Schools that breach the Regulation’s rules could face significant fines and other enforcement action.

To help you understand how to navigate your requirements, we’ve compiled a list of some of the most common questions regarding data protection and exam results.

Are students, parents and guardians allowed to request exam information?

The GDPR’s right of access entitles students, parents and guardians to request copies of information about their exams, including relevant information about their results. Individuals can, for example, request:

• Teacher assessments and evidence;
• Written comments or emails about the student’s grade and/or performance; and
• Records of the student’s past performance, such as results from mock exams and assignments.

Under the GDPR, children’s personal data is subject to additional protections. In many circumstances – including the request for exam information – parents and guardians are entitled to exercise data subject rights on behalf of their child.

How can schools recognise a right of access request?

Individuals can exercise their right of access by submitting a DSAR (data subject access request). Although the term suggests that there is a formal process for exercising this right, that is not the case.

Requests don’t need to be submitted in any documented way. Individuals can, for instance, simply tell an employee of the school in person that they’d like to see a copy of the personal information the organisation is processing about them.

It’s therefore essential that schools understand which employees might reasonably expect to receive a request – whether in person, over the phone or in writing – and how they can escalate that request to the appropriate person.

Is there a deadline for completing access requests?

The GDPR states that DSARs must be completed within one month. There are certain exceptions for complex requests or ones that are manifestly unfounded or excessive. However, these are unlikely to apply in situations where the request relates to exam results.

The only exception that could apply relates to a specific exam script exemption, which states that schools do not have to respond to access requests until after exam results are published.

If a school receives a request before the official results are announced, it must respond within five months of the request or within 40 days of publishing the exam results (whichever is soonest).

Do we need to provide copies of completed exams?

No, because of another exam script exemption, which states that information recorded by students themselves is not protected by the right of access.

The exemption also applies to information that teachers use to award students’ grades in scenarios where the student is unable to sit an exam.

Can students and parents or guardians request information about grading?

Once the final results are published, students, parents and guardians are entitled to ask for information about how their grade was decided. As such, they can request copies of:

• Teacher assessments;
• Any relevant documents the teachers used to make their decision, such as previous mock exam results and assessments;
• The student’s performance records; and
• Email exchanges discussing the student’s provisional grades or teacher assessments.

As mentioned above, the school is not required to provide copies of the exams themselves or other information the student recorded themselves.

Can students use this data to challenge the marks?

The GDPR doesn’t give individuals the right to challenge an examiner’s decision, but it does give individuals protections to ensure that the result was recorded accurately.

If an individual believes that the grade is wrong, they can pursue this via the relevant appeal procedures.

Can the school share exam results with the media?

Exam results are often published, and it has become an accepted practice to herald a school’s achievements. Schools should make students, parents and guardians aware if the results are to be made public and how it will be done.

Schools will usually have a legitimate reason for publishing results, and therefore consent will not be required.

Take control of your school’s GDPR compliance

For more information on meeting your GDPR compliance take a look at GDPR.co.uk.

Our GDPR for Schools platform contains essential guidance on your compliance requirements and tools to help you manage your obligations.

From staff awareness training to data breach management and reporting, our platform helps you to stay in control of your compliance requirements.

Our tool was developed by data protection and cyber security experts with more than 15 years’ data privacy and cyber security experience, and now comes with a free two-week trial.