A friend loves posing “fun” scenarios to me to see how I might react to them. Often I simply smile and ask for another coffee. Sometimes they really get under my skin and make me think. This one is one of those.
A person seeks a copy of an exam script in respect of a professional examination using a Subject Access Request. They have an email address you can only get if you are a member of their profession, which their professional body communicates with them through. They have an exam number, which they provide in their application. The body has the individual’s home address on file and communicates with them by post and by email in respect of the Access Request. The organisation seeks photo ID and refuses to commence processing the SAR until they receive that photo ID. The individual submits a second request to confirm what photo ID is held on file against which their identity is being verified. The organisation seeks photo ID and refuses to commence processing the SAR until (and Kafka himself is impressed at this one) they receive that photo ID. The organisation has argued that the exam script constitutes “sensitive data”.
The Nowak case established that exam scripts are personal data. Since then, education establishments have had to juggle with the right of access to exam scripts and students who might want to have access to a copy of their script to see where they had gained or lost marks in a given exam. (I won’t dwell on the fact that, as a matter of natural justice and good procedure, students have had a right of access to review exam their scripts in Irish State Exams for many years and, in many respects, Nowak just makes the rest of the world catch up).
So, given that exam scripts are personal data, how does the access right under GDPR play out in this context. Bear in mind, Nowak was a case that centred on access rights and other data subject rights, so we are not straying too far from the core here and the real question is what are the procedural and process considerations that need to be borne in mind when addressing a Subject Access Request in respect of exam results. The core references we will rely on here are:
- The Irish DPC FAQ Guidance on Data Subject Access Requests
- Article 15 of GDPR and Article 12 of GDPR
Validity of a Request
The DPC’s guidance is pretty clear in respect of what constitutes a valid request.
There are no other formal requirements for an access request to be valid, other than that the request is sufficiently clear to act upon, and that the identity of the requester is sufficiently clear.
In the scenario presented, the individual can provide their exam number, a professional membership registration number, specifics of the exam they sat, and they are being corresponded with through an email address and postal address that are on file for the individual. In this case, there are at least two identifiers that make the identity of the individual sufficiently clear, particularly in the context of the specific data item being sought.
The question of a photo ID is raised (twice). The DPC guidance is clear that the request for photo id as part of a Subject Access Request handling process should only be considered where it is necessary and proportionate. Is it necessary to request a photo ID in this context? Also, we should differentiate between a need to have the photo ID to be sufficiently clear as to the identity of the requester and any requirement in respect of ensuring that the information is being disclosed to the right person. If the request is clear (and in this case, the name, exam number, and other identifiers would suggest it is), the photo ID should really be (at most) a security check at the point of disclosure, not a validation at the commencement of a SAR response.
This would be similar to the DPC case study from number of years ago where O2 were found by the DPC to have failed in respect of a subject access request response as they declined to start processing it until they had received the €6.35 fee that was then payable. In that case, the DPC found that, as the fee was discretionary, the clock started when a valid request was received (i.e. one where “the identity of the requester is sufficiently clear”).
Furthermore, the DPC’s guidance highlights the importance of the clarity of the request in determining whether a request for photo ID to verify identity and validate the request is appropriate. If there is “no real doubt” as to the identity of the requester (i.e. they have given you an exam number, a professional membership number, are corresponding from an email address that is on file for them and which the organisaton has previously communicated to, and from a postal address that is on file as well) then it is likely that delaying a response to a SAR on that basis would be unjustified.
The positive duty in the GDPR
One thing that is often overlooked when people think about SARs is that they are one right amongst many which are bound together in the modalities for the exercise of rights set out in Article 12. Article 12(2) is a key provision here as it requires a Data Controller to “facilitate the exercise of data subject rights”. That means that they can’t create any unnecessary barriers to the execution of a right. In the scenario presented, the Controller is insisting on the provision of a photo ID as a condition precedent of complying with the right, despite their ability to identify the data subject from the exam identifiers and professional membership identifier (not to mention the email address) provided. So, when determining the procedural aspects of a Subject Access Request process, Controllers should always err on the side of disclosing data, or at least moving the process along for the Data Subject rather than creating a barrier.
In this case, deciding not to commence processing pending the receipt of photo ID could constitute such a barrier as it is, in effect, a block to the exercise of the rights. What a prudent Controller would do, once they were sufficiently clear as to the identity of the requester, would be to start compiling the requested data and have it ready to disclose. This would also contribute to the validation of any reason or rationale for requesting additional information to verify the requesters identity. The photo ID could be used as a security check before handing over hard copy data to a person, but when the response requires sending data to a recognised and registered email address which has a history of corresponding with the organisation, it would require some documented analysis to demonstrate how a photo ID would be a necessary or proportionate security control, and there would need to be a clear threshold of doubt as to the identity of the requester to justify such a request.
This brings us to the question of the “senstive nature” of data in the context of an exam script. Outside of a few obvious circumstances (e.g. special consideration given in respect of illness or disability), an exam script is unlikely to contain personal data that falls within the definition of special category data under Article 9 of the GDPR. Where it does, it is data that the data subject has made public and is aware of themselves. For example, if I was to write an essay expressing a particular political or philosophical belief, that might constitute special category data. However, the marks associated with that essay, and any comments made by examiners, would not. Any remarks relating to the beliefs of the examiner that were not my beliefs could be easily redacted.
Yes, exam scripts may contain data that a person might be sensitive about. But that doesn’t mean that they merit the higher standard of protection that is given to special category data. It means that the controls around the disclosure of that data need to be defined in a way that ensure appropriate, necessary, and proportionate processing and disclosure. Arguably, the most sensitive thing about an exam script is whether you passed or failed. The root cause of your success or failure is often very valuable information for an individual’s personal and professional development.
The DPC’s guidance on SARs is clear in this respect as they qualify their use of the phrase “sensitive nature” with the modifier “particularly“. The particularly sensitive part of any exam is the sting when you don’t get the grade. The DPC makes plain that it may be appropriate to seek additional information where data is of a “sensitive nature” or if there is a real doubt as to the identity of the requester. Note the caveats: “may” not “must”, so it’s an optional/discretionary request, and real doubt not a ‘vague sense of #DontWantTo’.
My answer to my friend is that, in this case, the organisation is making a number of significant mistakes in their handling of the SAR, not least because there is a natural justice element here given the nature of the exams. The data is personal data. The data is not of a particularly sensitive nature – the individual knows they have failed, they just want to know how and why. There is no grounds to withhold the information under the Data Protection Act 2018. And there is no basis to delay the processing of the request as there is no obvious reason why there would be any real doubt as to the identity of the requester – they are providing the exam number, they are corresponding from a known address etc.
The organisation is in breach of Article 12(2) as they are failing to facilitate the exercise of the right of access and are creating blocking impediments asking for unnecessary and arguably disproportionate information. And, if they have gone over their 30 days, they are in breach of Article 12 in respect of the time allowed to comply with an Article 15 request.
If they are handing over a copy of the exam script, checking ID at that point would be a prudent security control under Article 32/ Article 5. But unless they have a real doubt that JohnQPunter@ProfessionalPersonas.org is the same John Q Punter who has registered with them using that email address and who they sent an exam number to at that email address and who has now sent that exam number back on an SAR from that email address, asking for it as a precondition to complying with a request is likely unnecessary and disproportionate.
In summary: The Data Protection Commission would have a field day with this one if it went forward as a complaint. As a matter of good practice and natural justice, any professional body with an examination system that can have an impact on career progression should give members access to their exam scripts if they have failed.
After all, it’s good enough for the Junior Cert.