Data subjects' rights - how to apply

Under the General Data Protection Regulation (GDPR), you have a right to obtain a copy of any personal information relating to you.

To make an access request you should contact us at subjectaccessrequest@education.gov.ie or write to us at Information Access, Department of Education, Block 2, Marlborough Street, Dublin 2.

Please tell us exactly what information you are seeking to access. To assist you and to guide us, please complete and forward the Department’s Subject Access Request (SAR) application form below.

You may be asked to provide proof of identity as outlined below in order for us to process your request.

We will respond to your data access request within one month. Usually we will send you our response by email or by post.

Proof of identity

A copy of photographic identification, such as a passport or driver’s licence, and a copy of a recent utility bill or official letter, may be required. This is because we must be satisfied of your identity before releasing any personal information to you. You can e-mail or post copies of your photographic identification and utility bill to us. We will only be able to start processing your request once we receive this information.

Exceptions to your right of access

In some instances, your right to access your personal information is limited by the acts. For example:

• If the information is kept for the purpose of preventing, detecting or investigating criminal offences, where allowing the right of access would be likely to impede such activities.
• If the information would be subject to legal professional privilege in court.
• If the information consists of an opinion about you given in confidence by another person (subject to certain conditions).

Information about other people

The Department of Education does not have to comply with your access request if it would result in disclosing data about another person, unless that other person has consented to the disclosure. So, if we have a record that contains your personal data as well as another person’s data, unless we have permission from the other person, we may be limited in what data we can give you. We will give you as much of the information as we can, without identifying the other person.

Requests regarding children

At a basic level, when responding to SARs regarding children, staff of the Department do their best to ensure that:

• The rights of children are protected
• Personal data is only revealed to those who have a right to it (particularly where a child may have engaged in services involving confidentiality), and
• People making requests have confirmed their identity, where appropriate

In December 2021, the Data Protection Commission published ‘The Fundamentals for a Child-Oriented Approach to Data Processing (the Fundamentals)’ which aim to assist organisations that process children’s data, by clarifying the principles, arising from the high-level obligations under the GDPR, to which the DPC expects such organisations to adhere. The Fundamentals, available here, introduce child-specific data protection interpretative principles and recommended measures that will enhance the level of protection afforded to children against the data processing risks posed to them by their use of/access to services in both an online and offline world and it is recommended that business units become familiar with this guidance.

Based on guidance provided in the Fundamentals, the following is the general approach taken when SARs are received by the Department in relation to children’s data:

• Primary school children - parent/guardian can apply for and receive data
• Post-primary up to age 16 - parent/guardian, with child's consent, can apply for and receive data
• Age 17 and above - children should apply themselves

The Fundamentals guidance lists factors that should be taken into consideration in the assessment of whether a child should be capable of exercising their own data protection rights (p 35) and also sets out various factors that should be considered by an organisation in deciding whether it is in the best interests of the child that their parent(s)/ legal guardian(s) step into their shoes and exercise their data protection rights (p37-38).

A general point worth noting from the DPC guidance is that ‘it is an unavoidable feature of processing children’s personal data that the organisation doing so must be in a position to deal with the complexities arising in connection with the exercise of children’s rights as data subjects (including assessments of capacity). It is for an organisation to decide, in all of the circumstances of a given case, how it is most appropriate to respond to a request to exercise the data subject rights of a child (whether that request is made by the child themselves or by a parent/ guardian or third party/advocate as appropriate).’

Further information on your rights can be found on the Data Protection Commissioner’s website (www.dataprotection.ie). The website also includes contact information for the Data Protection Commissioner and explains how to submit a complaint, if you are not satisfied with our response to your request.