School Discussed My Private Data with Parents: Your UK Rights

by

Sean Curran
in

If you are stuck in such a situation, here is what to do.

A young adult, let’s call him Leo, aged 22, found himself in a distressing situation with his former school, Northgate Comprehensive in a town called Silverwood. For his ongoing neurodiversity assessment, Leo required access to his student records. Over several months, he made multiple formal requests to the school via email and phone calls, exercising his right of access to his personal data. Despite his persistent efforts, the school administration completely ignored his communications.

Frustrated by the lack of response and the delay impacting his medical diagnosis, Leo posted on the school’s public social media page. He stated that the school was failing its duty of care to former students and was unlawfully ignoring his data access request for months. This action finally prompted a response, but not in the way Leo expected. The school administration called Leo’s parents, not him. In this call, they discussed the contents of his social media post and, more alarmingly, disclosed sensitive details from his private emails concerning his request for his records. This act constituted a serious breach of Leo’s data privacy, as he is an adult, and the school had no legal basis to discuss his personal data with his parents without his explicit consent.

Advice in such cases

The school’s actions involve two distinct failures: firstly, the failure to comply with a Subject Access Request (SAR), and secondly, a data breach by disclosing personal information to an unauthorised third party. In this situation, it is crucial to act methodically. Document every interaction, including dates of ignored emails, a screenshot of the social media post, and a detailed record of the conversation the school had with your parents. You should immediately send a formal complaint to the school’s designated Data Protection Officer (DPO) and its Board of Governors, outlining both the failure to respond to the SAR and the subsequent data breach. You should also report the matter to the Information Commissioner’s Office (ICO).

Consult with Lawyer: The very basic and important step to start is talk to Lawyer / advocate. You should not hesitate in paying his consultation fee i.e. might be in range of 100 GBP to 400 GBP depends case to case. He is helping you in this situation of come out. He is expert in the domain and can help you explain the procedure which you might have never explored.

Applicable Sections of Law

This case is governed by UK data protection law, primarily the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR). Key provisions include:

  • UK GDPR Article 15 (Right of access by the data subject): This grants you the right to obtain a copy of your personal data from an organisation. This is the right Leo was exercising.
  • UK GDPR Article 12 (Transparent information, communication and modalities): This obligates organisations to respond to a SAR without undue delay and at the latest within one month of receipt of the request.
  • UK GDPR Article 5 (Principles relating to processing of personal data): The school breached the principle of ‘integrity and confidentiality’ by disclosing Leo’s data to his parents without consent.
  • UK GDPR Article 82 (Right to compensation and liability): This gives an individual the right to claim compensation for material or non-material damage (such as distress) resulting from an infringement of the UK GDPR.

If you are the complainant

As the complainant, your first step is to formalise your grievance. Draft a letter of complaint to the school’s headteacher and Data Protection Officer. Clearly state the facts, the laws you believe they have breached (failure to respond to a SAR and the data breach), and what you want as a resolution (e.g., an immediate copy of your data, an apology, and an explanation of how they will prevent this from happening again). Concurrently, you can file a complaint with the ICO, which is the UK’s independent body set up to uphold information rights.

If you are the victim

As the victim of a data breach, it’s important to recognise the violation of your privacy. As an adult, your personal data is yours alone. An organisation cannot and should not involve your parents or any other third party without your express permission. The distress and anxiety caused by such a breach are recognised under law as ‘non-material damage’. It is important to keep a record of how this incident has affected you emotionally, as it can be relevant if you decide to pursue a claim for compensation.

How the police behave in such cases

This is a civil matter, not a criminal one. The police would not typically get involved in a data breach of this nature. The appropriate regulatory authority to handle such complaints is the Information Commissioner’s Office (ICO). The police would only become involved if the case included a specific criminal offence under the Data Protection Act 2018, such as someone knowingly or recklessly obtaining and disclosing personal data without the controller’s consent for financial gain, which is not the situation here.

FAQs people normally have

  • Can a school legally ignore my request for my student records? No. Under the UK GDPR, they must respond to a Subject Access Request within one calendar month.
  • Is it legal for my old school to talk to my parents about me now that I’m an adult? Absolutely not. Once you turn 18, you are the sole data subject. Disclosing your personal data to your parents without your consent is a data breach.
  • Can I receive compensation for the school’s actions? Yes. Under Article 82 of the UK GDPR, you are entitled to seek compensation for the distress (non-material damage) caused by the data breach and the failure to comply with your rights.
  • What will the ICO do? The ICO will investigate your complaint. They can issue warnings, reprimands, and enforcement notices to the school. In serious cases, they have the power to issue significant fines.

What evidence is required?

To build a strong case, you will need to gather clear evidence. This includes:

  • Copies of the original emails and records of phone calls for your Subject Access Request, showing the dates they were sent.
  • A screenshot of the social media post you made.
  • A detailed written account from your parents about the phone call they received from the school, including the date, time, who they spoke to, and what was said.
  • Any written correspondence received from the school after the incident.
  • A personal journal or notes detailing the emotional distress and anxiety the incident has caused you.

How long will the investigation take?

The timeline can vary. The school should conduct its own internal investigation relatively quickly. An investigation by the Information Commissioner’s Office (ICO) can take several months, depending on their current caseload and the complexity of the breach. If you choose to pursue a civil claim for compensation in court, this process can also be lengthy, potentially taking many months to over a year to resolve.

Advocate Sudhir Rao, Supreme Court of India

Rate this post