Posts

If you’ve ever opened your inbox and seen a message from a parent asking for “all the information you hold on my child,” your first thought was probably:

“Subject Access Request!”

But hold on — not every request for pupil information automatically falls under the UK GDPR. Sometimes, it’s actually a request under education regulations, depending on what’s being asked — and the type of school you are.

Understanding the difference is key. Not only does it help you respond lawfully and efficiently, but it also helps manage expectations and avoid unnecessary workload.

There are two main legal routes parents (or pupils themselves) might use to request access to information:

  1. Subject Access Request (SAR) – under the UK GDPR / Data Protection Act 2018

This allows an individual, including a pupil depending on their age and capacity, to request their own personal data.

  2. Request for the Educational Record – under the Education (Pupil Information) (England) Regulations 2005

This allows parents to request a copy of their child’s educational record, but only if the child attends a maintained school.

Let’s look at each in a little more detail.

Subject Access Requests (SARs) – GDPR territory

This is all about personal data.

Anyone can ask for a copy of the data you hold about them, including pupils (depending on their age and maturity), staff, or parents asking for their own data.

When it comes to parents asking for their child’s data, you’ll need to check whether the child is old enough and mature enough to understand what’s being asked. If they are, they should normally be the one making the request or at least give permission for the parent to do it on their behalf.

If they’re younger or not able to understand, the parent can usually make the request.

What does a SAR cover?

Any personal data you hold about that person. That might include:

  • Behaviour notes
  • Emails mentioning the pupil
  • Health or SEN info
  • Safeguarding logs (with care!)
  • CCTV footage (if the pupil is clearly visible)

Any type of school may receive a Subject Access Request, including maintained schools, academies, free schools and independents, and you have 1 calendar month to respond.

Request for the Educational Record – Pupil Regulations

This one is specifically for parents of children at maintained schools (i.e. those run by local authorities). It gives them the right to see their child’s educational record, which is basically anything to do with their progress, learning, and life in school.

What counts as an educational record?

Think stuff like:

  • School reports
  • Attendance records
  • SEN plans
  • Notes from parent-teacher meetings
  • Behaviour points
  • Targets or interventions

It doesn’t include:

  • Child protection files
  • Teacher’s personal notes
  • Information that could seriously harm the child or someone else

Under these regulations, you have 15 school days to respond. You can also apply a charge to cover printing or postage, though most schools just send it electronically for free these days.

For academies and free schools, the right to the educational record doesn’t apply. But many still choose to share records in a similar way, just to be helpful and consistent. It is the same deal with independent schools: there is no right to the educational record. Parents need to go down the SAR route if they want information about their child, and only if the child isn’t old enough to make the request themselves.

While SARs and education record requests are different, there’s a bit of crossover. Some information might be shared under both, and that’s OK. The key is understanding which law applies and making sure you’re not accidentally oversharing or withholding something you shouldn’t.

When in doubt, take a breath, talk to your DPO, and go from there.

Sentry matches the requirements of the ICO

It’s now less than four months until enforcement of the GDPR begins. You’d imagine that everyone now knows about the regulation, even if they’re not totally clear about the impact.

On Tuesday of this week (24th January), the Department for Digital, Culture, Media and Sport released some preliminary results from the Cyber Security Breaches Survey.
With less than four months to go until enforcement begins, significant numbers of businesses and charities had not heard of the GDPR. This included 20% of businesses and 25% of charities with more than 250 employees.

The highest levels of awareness were in the finance and insurance, information and communications, and education sectors (79%, 67% and 52%). That still means almost half of the organisations in the education sector were not aware of the regulation. If you remember the game show Family Fortunes, the cross is showing and the ‘Eh-Uhh’ noise is blaring.

Of those who were aware of the GDPR, only about a quarter have taken action. Like lots of us with Christmas shopping, it looks like there will be a last-minute rush. Of course, just like joining the last-minute rush, you may not get what you want.

The fact that you’re reading this post plainly means that you’re in the group that’s aware of the GDPR, but you may be wondering what you need to do next.

If you haven’t done it already, start with an audit of the personal data you are holding. It’s worth remembering that the scope of what counts as personal data is pretty broad. As well as personal data in IT systems, paperwork in any form of filing system may well hold personal data too.

You may well find that a name and address, for example, is held in 5 different places and comes from more than one source. It may take a long time, but once you understand where personal data is located and how it’s held, many of the other requirements for compliance start to fall into place.

If you don’t want to get trampled in the mad last-minute rush, it’s time to get going.