As president of the student council in my school, I have been asked by senior students why they cannot deal directly with issues relating to attendance or school exam reports because they are over 18 years of age. Our school says that due to GDPR, all data must be communicated to parents and guardians. Is this really the case?
Your query is very topical because, increasingly, the age profile of senior cycle students is getting older with more 18 and 19 year olds in school than ever before. I have raised your query with the Data Protection Commissioner (DPC) which says the law is quite clear.
The 1998 Education Act states that a school “shall use its available resources to ensure that parents of students, or in the case of a student who has reached the age of 18 years, the student, have access in the prescribed manner to records kept by that school relating to the progress of that student in his or her education”.
The DPC says that, in the area of education, the obtaining of consent is of paramount importance.
As a matter of constitutional and family law, a parent has rights and duties in relation to a child. Whether these rights supersede the rights of an 18 year old to exercise exclusive control over his or her data has yet to be considered by the courts.
The DPC is clear that “with regard to the dissemination of their data, a student aged from 12 up to and including 17 should give consent themselves and, in addition, consent should also be obtained from the student’s parent or guardian”. In the case of students under the age of 12, consent of a parent or guardian will suffice.
Data Protection Commissioner
Whether students over 18 can decide to exclusively receive any data generated by the school concerning themselves, the DPC indicates “in the area of education, schools may give a choice to a student that reaches age 18 or over whether they wish to directly receive updates on their progress, or wish to have their parents continue to receive updates for as long as they remain a student at that school”.
From my perspective that “may”, is in fact a “must” by any reasonable interpretation of the role of a school as a data controller under GDPR and/or the Education Act.
This issue is similar to the recent one before the High Court, regarding the rights of students to receive the results of the review of their scripts in September rather than October.
Many schools will continue to ignore their role as data controller in the cases of adult students taking the Leaving Cert, until someone takes the denial of such rights to exercise control of their own data to the High Court.
The costs involved in taking such a case would suggest that this will never happen, which is probably why many schools feel comfortable in ignoring the law on this matter.