Leaving Certificate 2020

The information on this page was accurate as of 2pm on Wednesday 23rd September 2020 and will be updated if the situation changes.

If you just want to get to the information on how to make an access request, and a sample version of a Subject Access Request which you can use, click here.

What's This?

This is a very brief guide to some relevant data protection rights for Leaving Certificate 2020 students. It touches on the right of access, the right not to be subject to automated decision-making, and the rights of rectification and restriction.

These rights may be of some use to you in finding out more about your Leaving Certificate results.

It’s important to remember that these rights exist independent of any other mechanism which the Department of Education and Skills uses to communicate with you about your Leaving Certificate results.

If you have any questions you can send them to info@article8.ie and we’ll do our best to answer them!

Page Navigation

Definitions

For the avoidance of (any more) confusion we’re using the following terms with these meanings:

Calculated Grades: the machine-generated scores which are being calculated by the Department of Education and made available to students at 9am on Monday September 7th.

Estimated Grades: the grades and percentage marks which your teachers submitted to your school. These are being made available to students via the portal on Monday September 14th.

Class Rank Order: the grades and percentage marks which your teachers submitted to your school.
 
As the Department of Education and Skills has until very recently been modifying what will and will not be used to calculate the Calculated Grades and what will be happening when, screenshots of relevant documents as they appeared on the date noted are provided on this page in addition to links to these documents.
 

Current Status

Updates on what we know, in reverse chronological order.

Tuesday 22nd September

The Irish Times reports that all students will have access to their Class Rank Order from Monday 28th September.

A spokesman for the Department of Education said it had sought legal advice on the issue of making class rank orders available to students.

On foot of this, he said the department was now putting in place a system to allow students to gain access to their class rank information through the calculated grades student portal.

Source: ‘Leaving Cert students to get access to ‘highly sensitive’ class rankings from Monday’, Irish Times, 22nd September 2020

Wednesday 16th September

The Irish Times reports (emphasis ours)

However, the Data Protection Commission has confirmed that students are entitled to have this information if they submit a “subject access request” to the department.

Deputy commissioner Graham Doyle said: “We understand that the department will give effect to individuals right to access of their personal data on request”.

Source: ‘Leaving Cert: Record numbers seek rechecks of calculated grade results’, Irish Times, 16th September 2020

Monday 14th September

The Irish Times reports (emphasis ours)

“Students will not, however, have immediate access to their class ranking, which will show the position students were placed in order of achievement by their teachers.

The department’s plan had been to release this data on Monday alongside students’ estimated grades. However, it dropped this following lobbying by teachers’ unions who warned that this information was highly sensitive.

Sources have indicated that this information should be available at a later date following a formal data access or Freedom of Information request.”

Source: ‘Lawyers expect flurry of legal actions after release of teachers’ estimated grades’, Irish Times, 14th September 2020

Thursday 3rd September

The information page on the department’s website was updated to reflect the statement made the previous day about access to the Class Rank Order. The department’s position is that individuals can submit a request to see their percentage mark i.e. the Estimated Grade only. The language used here is interesting and suggests the department may intend to treat this as a Subject Access Request rather than as information which will be made available automatically as part of the 2020 Leaving Certificate process.

Source: ‘Leaving Certificate 2020: Your questions answered – September 2020’, gov.ie, Published 1st September 2020, Last updated 4th September 2020 | Screenshot taken 5th September 2020

Wednesday 2nd September

The Department of Education and Skills stated that students will not have access to their Class Rank Order.

“All Leaving Cert students had been due to be able to see this information online from September 14th, a week after receiving their calculated grades, in the interests of transparency over the grading process.

However, a department spokeswoman confirmed late last night that students will not now get access to their class ranking on this date.”

Source: ‘Leaving Cert students will not have access to ‘highly sensitive’ class ranking data’, Irish Times, 3rd September 2020

Tuesday 1st September

The Department of Education and Skills confirmed that ‘school profiling’ will not be used to generate the Calculated Grades. Besides this concession there was no concrete detail provided about the algorithm, however. Not publishing the algorithm until after the completion of the process is not especially transparent.

Source: ‘Leaving Certificate 2020: Your questions answered – September 2020’, gov.ie, Published 1st September 2020, Last updated 1st September 2020 | Screenshot taken 2nd September 2020

The Department of Education and Skills did not provide any updated data protection information. It merely stated that more information would be available on the department’s website “around the same time” as the Calculated Grades are issued.

Source: ‘Leaving Certificate 2020: Your questions answered – September 2020’, gov.ie, Published 1st September 2020, Last updated 1st September 2020 | Screenshot taken 2nd September 2020

Data Protection In Two Minutes Or Less

You have a fundamental right to protection of your personal data. This right is in the Charter of Fundamental Rights of the European Union. The General Data Protection Regulation (GDPR) is the European law governing data protection and the Data Protection Act 2018 is the relevant Irish law.

Personal data is any information relating to a person from which they can be identified, directly or indirectly. The identifiable person is known as the data subject. In this case that’s you.

A data controller is the entity which decides on the purposes and means of the processing. In this case the data controllers are the Department of Education and Skills and possibly your school.

There are data protection principles in the GDPR. All personal data must be processed in accordance with these principles. Of particular interest here is the principle of “lawfulness, fairness and transparency”, the first of the principles.

Every data controller must be able to demonstrate they are processing personal data in compliance with the data protection principles, and the rest of the requirements of the GDPR. This is one of their obligations.

In data protection law data controllers have obligations and data subjects have rights.

Your Data Protection Rights

These particular rights are broader than what is shown below, apply in many different contexts and are not your only data protection rights. This is just a quick summary of the relevant rights and how we see them applying in this situation.

Right of Access

You have a right to “obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data … The controller shall provide a copy of the personal data undergoing processing.” (Article 15, GDPR)

Exercising your right of access is known as making a Subject Access Request i.e. in order to get access to your personal data you have to ask the data controller for it.

When you make a Subject Access Request the data controller has to provide you with not only access to a copy of the personal data you request but also considerable additional information. They have to tell you (as with the quote above, this list is taken directly from Article 15 of the GDPR)

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

“the right of an individual to access personal data held about them is not just about being provided with access to the data itself. Importantly it is also concerned with sufficient, meaningful information being given to the data subject so that they can understand, amongst other things, what personal data is processed about them, in what circumstances and for what purposes.”

Source: Data Protection Commission Case Study 6/2018 (1), ‘The importance of data controllers having appropriate mechanisms in place to respond to access requests and document compliance’, available in 2018 Annual Report, page 52

Right to Rectification

If any of the personal data a data controller holds about you is incorrect then you have a right to ask to have that personal data corrected. The data controller has an obligation to correct the personal data.

Right of Restriction

If you are contesting the accuracy of a piece of personal data which a data controller holds (i.e. exercising your right to rectification in this situation) then you have a right to ask for a restriction of processing of that data until the accuracy of the data in question is agreed upon.

Right to Object

As the department has stated in its data protection notice that the lawful basis it is relying on is Article 6.1(e), “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”, you have the right to object to processing. The definition of processing in data protection law includes deletion and destruction, so you can object to any proposed deletion of any of your personal data.

Right not to be subject to a decision based solely on automated processing

Unlike the three rights above, which have to be invoked by you i.e. you have to get in touch with the data controller and ask them to provide you with access to your personal data or to rectify it, this right as set out in Article 22 of the GDPR could be described as a ‘passive’ right.

The department maintains that the generation of the Calculated Grades does not involve solely automated processing, which is certainly debatable. If the controller can prove there is no decision making based solely on automated processing then this right does not apply.

Why You Might Want To Make A Subject Access Request

Here are a few reasons why you might want to make a Subject Access Request.

The Department of Education and Skills has indicated that it intends to delete the data which it received from schools, including the Estimated Grades and Class Rank Order after “the conclusion of the appeals process”. There is currently no indication of how this period will be determined.

If you make a Subject Access Request then the data controller cannot delete your personal data until the Subject Access Request has been responded to satisfactorily.

Once you have seen the personal data which is being processed you may want to request that it is rectified, and restrict processing while that is being done. If you don’t make a Subject Access Request you won’t get to see all of your personal data and may not know whether something needs to be rectified.

Students are entitled to know their position in the class rank order and the department’s current position is that this will not be made available. However, the data protection notice states this is a category of personal data which is being processed by the department.

The Irish Times story linked to above says “Martin Marjoram, president of the Teachers’ Union of Ireland, said the information was “extraordinarily sensitive” and members had a “clear understanding” it would only be revealed under an appeal process or data application request.” We’re assuming data application request means Subject Access Request in this context.

So if you want to find out where you were in your Class Rank Order then the only way to do so appears to be by submitting a Subject Access Request.

The department currently maintains there’s no algorithmic decision making involved in this process. This seems implausible given the nature of what the department calls “the national standardisation process.”
 
 
Like many other things involved in this year’s Leaving Certificate this position may change suddenly and without advance notice. Since a data controller is obliged to tell you in a response to a Subject Access Request about “the existence of automated decision-making” and “meaningful information about the logic involved” it would be good to get this in writing.

This is a right you have under Irish and European law. Rights exist to be exercised.

It is free to exercise this right.

The more information you have the better.

How To Make A Subject Access Request

A few things to know about Subject Access Requests

  • If your Subject Access Request is valid then the data controller has one month to respond.
  • You do not have to give a data controller a reason why you are making a Subject Access Request. It is a way for you to confirm that the personal data about you is accurate and is being processed lawfully.
  • The data controller cannot charge a fee unless your request is “manifestly unfounded or excessive”. In this case your request will be neither of those things.
  • The data controller can ask for “additional information necessary to confirm the identity of the data subject.” The data protection information page on the department’s website states it requires a “copy of photographic identification, such as a passport or driver’s licence, and a copy of a recent utility bill or official letter” in order to process a Subject Access Request. It is probably best to include both of these to expedite the request.
  • As noted above, the department may intend to classify your access to the Estimated Grades provided by your teachers as a Subject Access Request and contend that the only way in which a Subject Access Request can be made is via the Calculated Grades Student Portal. This is not the case. Nor do you have to use the form on the department’s website to make a valid Subject Access Request.

Common Issues with Subject Access Requests

When responding to Subject Access Requests data controllers frequently disagree with data subjects about what constitutes personal data. That will not be an issue in this case.

Firstly, the Department of Education and Skills has provided a list of the personal data it is processing in its data protection notice, last updated 28th August 2020.

Secondly, the minister has acknowledged that students are entitled to their personal data, although this is not a decision for the minister to make. Everyone is entitled to a copy of their personal data.

“Speaking during an Oireachtas committee meeting on Wednesday evening, prior to the department’s late-night announcement, Minister for Education Norma Foley said there had been an agreed process and students were entitled to their personal data.”

Source: ‘Leaving Cert students will not have access to ‘highly sensitive’ class ranking data’, Irish Times, 3rd September 2020

Data controllers sometimes refuse to release personal data if your personal data is mixed in with the personal data of other people. If a record contains the personal data of multiple people this is not a ground on which a data controller can entirely refuse to release any information from that record.

In the case of the Class Rank Order it should be possible for the department to release to you your position in the Class Rank Order without revealing the identity of any other individuals.

The department’s data protection page states the following

“To make an access request you should contact us at subjectaccessrequest@education.gov.ie or write to us at Information Access, Department of Education & Skills, Block 2, Marlborough Street, Dublin 1, D01 RC96.”

As noted in the sample Subject Access Request text below, while the department would like you to use their form, you don’t have to.

Sample Subject Access Request

If you want to make a Subject Access Request you can use some or all of the text below, modifying it as you see fit. Don’t forget to replace anything inside square brackets with your own details.

This request is for all the data the department has said it is processing in relation to the Leaving Certificate results. If you want to narrow down your request further then delete the items you don’t need to see a copy of from the list under the ‘Personal data to which this access request applies’ heading.

We can’t guarantee any particular results or outcomes but now you know how to make a Subject Access Request.

Dear [data controller],

This is a subject access request under the General Data Protection Regulation for personal data relating solely to the Leaving Certificate 2020. Please note that it is not legal to require data subjects to use an in-house form.{1}

1. Copies of my personal data

I would like to request, under the right of access (GDPR, Article 15):

  • a copy sent to me in electronic format of the personal data listed below. This to include any data derived about me, such as opinions, inferences, settings and preferences.{2}
  • Please note that any blanket refusal to provide data which appears in records which also contain the personal data of other data subjects is not an appropriate response.{3}{4}
 
Personal data to which this access request applies

This is the full list of categories of personal data which the document ‘Privacy Notice for Students Calculated Grades for Leaving Certificate 2020 in light of the postponement of the Leaving Certificate examinations’ (available at https://www.education.ie/en/The-Department/Data-Protection/gdpr/parents-children/privacy-notice-students-calculated-grades-leaving-certificate-2020.pdf) identifies as being processed by you.

I am requesting a copy of each of these, for each subject where applicable.

  • Examination Number
  • Programme i.e. Leaving Certificate Established, Vocational or Applied.
  • PPSN
  • Department Pupil Identity Number (DPIN)
  • Year
  • School Roll Number
  • School Type
  • Surname
  • Forename
  • Gender
  • Date of Birth
  • Subject code
  • Module Code
  • Subject Irish indicator
  • Address
  • Eircode
  • Telephone Number
  • Email address
  • Subject
  • Subject Level
  • Class ID
  • Estimated Percentage Mark
  • Class Rank Order
  • Calculated Mark
  • Calculated Grade
  • Confirmation of conflict of interest and management (where applicable)

 

2. Information on controllers, processors, source and transfers

The identity of any and all joint controllers of my personal data.

Any third parties to whom data has been disclosed, named with contact details in accordance with Article 15(1)(c). Please note that the European Data Protection Board has stated that controllers should name precise recipients and not “categories” of recipients. If they do choose to name categories, they must justify why this is fair, and be specific, naming “the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients.”{5}

If any data was not collected, observed or inferred from me directly, please provide precise information about the source of that data, including the name and contact email of the data controller(s) in question (“from which source the personal data originate”, Article 14(2)(f)/15(1)(g)).

 

3. Information on purposes and legal basis

Please list all processing purposes and the lawful basis for those purposes by category of personal data. This list must be broken down by purpose, lawful basis aligned to purposes, and categories of data concerned aligned to purposes and lawful bases. Separate lists where these three factors do not correspond are not acceptable.{6} A table may be the best way to display this information.

 

4. Information on automated decision-making

Please confirm whether or not you make any automated decisions (within the meaning of Article 22, GDPR) using any of the categories of personal data listed above. If the answer is yes, please provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for me. (Article 15(1)(h))

 

5. Information on storage

Please confirm for how long each category of personal data is stored, or the criteria used to make this decision, in accordance with the storage limitation principle and Article 15(1)(d).

To help identify me, I have attached the following personal information:

  • Name: [your name]
  • Email: [your email]
  • Additional Information: [a copy of an identity document, examination number, school roll number if known]

In accordance with the law, I look forward to hearing from you within one month of receipt.

Regards,

[your name]

 

Footnotes

{1} Data Protection Commission, ‘Access and Portability’ (https://dataprotection.ie/en/organisations/know-your-obligations/access-and-portability): “The GDPR does not set out any particular method for making a valid access or portability request, therefore a request may be made by an individual in writing or verbally.”

{2} Note that opinions, inferences and the like are considered personal data. See Case C‑434/16 Peter Nowak v Data Protection Commissioner [2017] ECLI:EU:C:2017:994, 34.

{3} Data Protection Commission, ‘Access and Portability’ (https://dataprotection.ie/en/organisations/know-your-obligations/access-and-portability): “where a controller does have concerns about the impact of complying with a request, their response should not simply be a refusal to provide all information to the individual, but to endeavour to comply with the request insofar as possible whilst ensuring adequate protection for the rights and freedoms of others.”

{4} Data Protection Act 2018, Section 91(7): “Where information that a controller would otherwise be required to provide to a data subject pursuant to subsection (1) includes personal data relating to another individual that would reveal, or would be capable of revealing, the identity of the individual, the controller — … (b) shall provide the data subject with a summary of the personal data concerned that — (i) in so far as is possible, permits the data subject to exercise his or her rights under this Part, and (ii) does not reveal, or is not capable of revealing, the identity of the other individual.”

{5} Article 29 Working Party, ‘Guidelines on Transparency under Regulation 2016/679’ (WP260 rev.01, 11 April 2018), page 37.

{6} Article 29 Working Party, ‘Guidelines on Transparency under Regulation 2016/679’ (WP260 rev.01, 11 April 2018), page 35.

Dear [data controller],

This is a subject access request under the General Data Protection Regulation for personal data relating solely to the Leaving Certificate 2020. Please note that it is not legal to require data subjects to use an in-house form.{1}

1. Copies of my personal data

I would like to request, under the right of access (GDPR, Article 15):

a copy sent to me in electronic format of the personal data listed below. This to include any data derived about me, such as opinions, inferences, settings and preferences.{2}

Please note that any blanket refusal to provide data which appears in records which also contain the personal data of other data subjects is not an appropriate response.{3}{4} Personal data to which this access request applies This is the full list of categories of personal data which the document 'Privacy Notice for Students Calculated Grades for Leaving Certificate 2020 in light of the postponement of the Leaving Certificate examinations' (available at https://www.education.ie/en/The-Department/Data-Protection/gdpr/parents-children/privacy-notice-students-calculated-grades-leaving-certificate-2020.pdf) identifies as being processed by you. I am requesting a copy of each of these, for each subject where applicable. Examination Number Programme i.e. Leaving Certificate Established, Vocational or Applied. PPSN Department Pupil Identity Number (DPIN) Year School Roll Number School Type Surname Forename Gender Date of Birth Subject code Module Code Subject Irish indicator Address Eircode Telephone Number Email address Subject Subject Level Class ID Estimated Percentage Mark Class Rank Order Calculated Mark Calculated Grade Confirmation of conflict of interest and management (where applicable) 2. Information on controllers, processors, source and transfers The identity of any and all joint controllers of my personal data. Any third parties to whom data has been disclosed, named with contact details in accordance with Article 15(1)(c). Please note that the European Data Protection Board has stated that controllers should name precise recipients and not "categories" of recipients. If they do choose to name categories, they must justify why this is fair, and be specific, naming "the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients."{5} If any data was not collected, observed or inferred from me directly, please provide precise information about the source of that data, including the name and contact email of the data controller(s) in question ("from which source the personal data originate", Article 14(2)(f)/15(1)(g)). 3. Information on purposes and legal basis Please list all processing purposes and the lawful basis for those purposes by category of personal data. This list must be broken down by purpose, lawful basis aligned to purposes, and categories of data concerned aligned to purposes and lawful bases. Separate lists where these three factors do not correspond are not acceptable.{6} A table may be the best way to display this information. 4. Information on automated decision-making Please confirm whether or not you make any automated decisions (within the meaning of Article 22, GDPR) using any of the categories of personal data listed above. If the answer is yes, please provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for me. (Article 15(1)(h)) 5. Information on storage Please confirm for how long each category of personal data is stored, or the criteria used to make this decision, in accordance with the storage limitation principle and Article 15(1)(d). To help identify me, I have attached the following personal information: Name: [your name] Email: [your email] Additional Information: [a copy of an identity document, examination number, school roll number if known] In accordance with the law, I look forward to hearing from you within one month of receipt. Regards, [your name]   Footnotes {1} Data Protection Commission, ‘Access and Portability’ (https://dataprotection.ie/en/organisations/know-your-obligations/access-and-portability): "The GDPR does not set out any particular method for making a valid access or portability request, therefore a request may be made by an individual in writing or verbally." {2} Note that opinions, inferences and the like are considered personal data. See Case C‑434/16 Peter Nowak v Data Protection Commissioner [2017] ECLI:EU:C:2017:994, 34. {3} Data Protection Commission, ‘Access and Portability’ (https://dataprotection.ie/en/organisations/know-your-obligations/access-and-portability): "where a controller does have concerns about the impact of complying with a request, their response should not simply be a refusal to provide all information to the individual, but to endeavour to comply with the request insofar as possible whilst ensuring adequate protection for the rights and freedoms of others." {4} Data Protection Act 2018, Section 91(7): "Where information that a controller would otherwise be required to provide to a data subject pursuant to subsection (1) includes personal data relating to another individual that would reveal, or would be capable of revealing, the identity of the individual, the controller — ... (b) shall provide the data subject with a summary of the personal data concerned that — (i) in so far as is possible, permits the data subject to exercise his or her rights under this Part, and (ii) does not reveal, or is not capable of revealing, the identity of the other individual." {5} Article 29 Working Party, ‘Guidelines on Transparency under Regulation 2016/679’ (WP260 rev.01, 11 April 2018), page 37. {6} Article 29 Working Party, ‘Guidelines on Transparency under Regulation 2016/679’ (WP260 rev.01, 11 April 2018), page 35.

Where next?

Read more elsewhere

Guidance

‘The Right of Access’, Data Protection Commission of Ireland

‘The right of restriction (Article 18 of the GDPR)’, Data Protection Commission of Ireland

‘Your rights in relation to automated decision making, including profiling (Article 22 of the GDPR)’, Data Protection Commission of Ireland

The right to be informed (transparency) (Article 13 & 14 GDPR), Data Protection Commission of Ireland

‘Guidelines on Transparency under Regulation 2016/679’ (WP260 rev.01, 11 April 2018), Article 29 Working Party, now the European Data Protection Board

‘Can I be subject to automated individual decision-making, including profiling?’, European Commission

‘Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679’ (WP251 rev.01, 6 February 2018), Article 29 Working Party, now the European Data Protection Board

Legislation

Regulation (EU) 2016/679 (General Data Protection Regulation) [direct link to PDF]

Data Protection Act 2018 [irishstatutebook.ie]

Topics

Data Protection Fundamentals (basics, definitions and more …)
Your Rights (all your data protection rights: access, information, rectification and more …)
In More Detail (explorations and explanations of data protection concepts …)
Keeping Track (tracking Subject Access Requests and complaints to Supervisory Authorities …)