
Data protection: rights and obligations

A broad outline of rights and responsibilities under data protection legislation.

What is the General Data Protection Regulation?

The General Data Protection Regulation (GDPR) came into force in May 2018. It sets out the rights of individuals (such as employees and students) and the obligations of employers and organisations (such as schools and local authorities) in relation to personal information.

The GDPR sets out six principles that data controllers (such as schools, colleges, universities and local authorities) must follow whenever they process personal information, which covers collecting, storing, retrieving, disclosing and destroying it.

The GDPR also provides for individuals' right of access to personal data held about them.

The Information Commissioner's Office (ICO) produces helpful guidance on data protection issues, including a code of practice for the workplace.

The GDPR gives you the right (subject to some exceptions) to see most personal information held about you by your employer and by businesses and organisations in the public and private sectors. This is known as a subject access request.

How do I make a request?

An organisation may refuse all or part of your subject access request if your data includes information about another individual. In deciding this, the organisation has to balance your right to access your data against the other individual's rights in relation to their own information.

The organisation can also refuse your request if it is "manifestly unfounded or excessive".

In either case the organisation must tell you that it is refusing and justify its decision.

You can only access other people's personal information if you are acting on their behalf and if they have given their permission to the employer for the information to be disclosed to you. This means that your employer may not discuss your concerns with your spouse, partner, friend or trade union representative until you give permission.

Data must be processed lawfully under the GDPR. The consent of the 'data subject' to the processing of their data is one lawful basis. Consent must be given by a "clear affirmative act": the individual must opt in, rather than be required to opt out. Consent can also be withdrawn at any time.

A data controller can rely on other lawful reasons for processing data.

Except in exceptional circumstances, such as a police investigation, the general rule is that you should be made aware that personal data about you has been, or is going to be, shared with others, even where your consent to that sharing is not needed.

You may be entitled to make a subject access request for copies of emails held about you. You must be identifiable from the data and it must relate to you. This means, for example, that an email about your conduct or performance will almost certainly have to be provided.

Your employer can publish totals of sickness absence as long as individual employees are not identifiable.

The GDPR gives no specific retention period for personal data; the storage limitation principle only requires that data is not kept for longer than necessary. It is left to the employer to set retention periods. As far as possible, standard retention times should be set out in a school/local authority/college policy.

There is no general exemption from the GDPR's subject access rights for interview notes about candidates. This means that when a candidate makes a request for access to the notes, it should be granted in most cases.

You do not have an automatic right to see references provided in confidence. If your employer will not provide you with a copy, you may request one from the employer to whom the reference was sent. The employer that supplied the reference can refuse such a request, as there is an exemption from the right of access for confidential job references.

An employer may monitor staff emails where the equipment being monitored belongs to the employer. The NEU believes employers should ensure their IT policies give clear, unambiguous guidance on the monitoring of staff members' emails. The union advises members to ensure that all communications sent during work hours from employer-provided devices are entirely professional.

It is a very serious matter for managers to open and read staff messages covertly and without good cause. The union's advice is not to use your employer's networks to communicate with the union or with colleagues in a non-work capacity. If you do, because it is convenient, contact the union as soon as possible if you have reason to believe that your messages are being opened and read covertly and without good cause.

Publishing exam results constitutes processing personal information and so falls under the GDPR. Any educational institution wishing to publish exam results must therefore ensure it complies with the six GDPR principles:

  • lawfulness, fairness and transparency
  • purpose limitation
  • data minimisation
  • accuracy
  • storage limitation
  • integrity and confidentiality.

In particular, it must ensure publication is fair and lawful. Pupils and parents should be informed that publication will take place and should be told in what format the results will be published.

Information relating to exam results held by educational institutions is likely to be personal data as defined under the GDPR, and students have a right to access some of this data. Students do not have the right to see examination scripts or the information recorded in them, but examiners' comments fall outside this exemption and can be requested.

Many schools use biometric data, for example fingerprints, as a means of accessing school dinners. Parents/carers must be notified of any biometric recognition system, and the written consent of at least one parent/carer obtained, before it is put in place or their child first takes part in it.

Pupils and parents/carers also have the right to choose not to use a biometric system, and an alternative means of accessing the service must be available. The information must only be used for the purpose for which it is collected. The same rules apply to members of staff if biometric data is collected from them.

There are many circumstances in which people may want to take photographs in schools, for example parents at sports days, plays and other school events. Staff may want to take photos for the school prospectus or website. Where photographs are for personal use, there are no data protection implications and there is no reason to prevent parents from taking photographs in the situations above, provided they are for personal use.

Where photos are taken for official use (for school/college business), some of these photographs are personal data as defined under the GDPR, and must be processed lawfully, fairly and transparently. It is sensible to consult with pupils and/or guardians before taking such photos.

The media should also seek the consent of the school/college and pupils and/or their guardians before publishing photographs of pupils.

You may, but you should be careful where you store it, so that members of your household and visitors to your home cannot access it. If you use devices or software outside your employer's premises, they must be kept secure.

For further advice contact your NEU workplace rep or the NEU AdviceLine in England or NEU Cymru in Wales on 029 2049 1818
