Many people struggle to understand how to access information, whether it's their personal data, public authority policies, or school records. Misconceptions abound, with some attempting to use the Freedom of Information Act (FOIA) for personal data requests and others misapplying the Data Protection Act (DPA) to obtain third-party information.
Three key pieces of legislation govern data access in the UK:
The Data Protection Act 2018 (often referred to as GDPR) – Used for obtaining personal data about yourself.
The Freedom of Information Act 2000 – Used for accessing information from public bodies.
The Education (Pupil Information) (England) Regulations 2005 – Used for accessing school records if you hold parental responsibility.
Understanding the correct application of these laws can empower you to obtain the information you are entitled to.
The Data Protection Act (DPA 2018)
The DPA 2018 allows individuals to request their personal data from organisations, companies, or government bodies. However, it does not grant access to information about the organisation itself or other people’s data.
For example, if you are dealing with the Child Maintenance Service (CMS), you must direct your Subject Access Request (SAR) to the DWP Data Protection Team, as CMS is part of the Department for Work and Pensions (DWP). CMS will only provide information about you, not other parties in your case. Any third-party data will be redacted.
Similarly, if you have had dealings with social services, you can request your records, which can be crucial for obtaining meeting notes or defending yourself against accusations. However, accessing information about a child depends on their age. Some local authorities may refuse to disclose information about teenagers without the child’s consent, meaning you may need to obtain it directly from them.
Why This Matters
The DPA 2018 is not just about getting information—it’s also about ensuring accuracy. If incorrect data is held about you, it can lead to serious consequences.
For instance, I once obtained data from my local authority and found information that had been improperly shared by another body. While it was not negative, it should not have been in the council’s records. I requested its removal, but they refused. I then challenged the original body that had shared the data, which resulted in the council being ordered to delete it. Pursuing this further, I demonstrated a data breach, leading to an out-of-court settlement with the organisation responsible.
This highlights how requesting your data can expose errors, leading to correction and, in some cases, compensation.
The Freedom of Information Act (FOIA)
The FOIA applies to public bodies such as councils, government departments, and schools. It is used to request non-personal information, such as policies, procedures, and internal communications.
For example, I once wanted to know what was discussed between my county council and Ofsted after I filed a complaint. The council initially refused my request, claiming the emails contained personal data. However, when I submitted the same request to Ofsted, they provided the emails without issue.
I then challenged the council’s refusal by requesting an internal review, but they upheld their decision. I escalated the matter to the Information Commissioner’s Office (ICO), which ruled in my favour and ordered the council to release the information within 30 days. When they failed to comply, I reported them again, prompting the ICO to issue a legal warning for contempt of court. Only then did the council provide the requested data.
This case demonstrates the power of persistence and knowing your rights under FOIA.
FOIA and Schools
In another case involving my child’s school, I initially requested data under the DPA 2018, but the school refused, stating it was not personal data. I then submitted a FOIA request for the same information, and the school reversed its position, now claiming it was personal data and therefore could not be disclosed under FOIA.
This contradiction forced them to admit their mistake. Schools and other public bodies often misuse data protection laws to withhold information, so understanding the correct legislation can be crucial in challenging their decisions.
The Education (Pupil Information) (England) Regulations 2005
This law is often overlooked but is highly effective for parents seeking access to their child’s school records.
If you hold parental responsibility, you are entitled to receive information about your child’s education, including:
School reports
Detention records
Exclusion notices
In my case, my child’s school failed to provide reports and other vital updates. Their justification? They were informing the mother, and they claimed my child did not consent to share information with me. However, upon further questioning, it became clear that a third party had influenced the school’s decision.
This is a common issue, particularly in cases of parental alienation, where one parent deliberately restricts the other’s access to school information.
The Legal Battle
I knew that unlike the DPA 2018, a child cannot refuse parental access to education records under this law. The government’s own guidance states that schools must provide this data to parents who hold parental responsibility.
The school sought legal advice, spending ÂŁ4,800 to confirm whether they were obligated to provide the information. The legal verdict? They had no choice but to comply.
I only discovered the cost of their legal consultation due to an unrelated data breach, which a third party informed me about. To verify, I used the FOIA to request details of the school’s legal expenses. Sure enough, the figures matched exactly what I had been told.
Why This Law Matters
Unlike the DPA 2018 (which allows organisations one month to respond) or FOIA (which grants 20 working days), the Education (Pupil Information) Regulations require schools to provide records within 15 school days—a significantly faster timeframe.
If you’re struggling to get information from a school, citing this law can cut through delays and force compliance.
Conclusion
Knowing how to correctly apply these three pieces of legislation can make all the difference when seeking information:
DPA 2018 for personal data requests.
FOIA for non-personal public authority information.
Education Regulations 2005 for accessing school records.
Public bodies often resist disclosure, sometimes through ignorance and sometimes deliberately. Persistence, knowledge, and the right approach can help you obtain the information you need. If an organisation refuses your request, challenge them, escalate to the ICO, and use every legal tool available to enforce your rights.
How to Get Information from the Child Maintenance Service (CMS).