Find out what is stored in the National Pupil Database (NPD) about you or your child

Ask the Department for Education what they hold about you or your child, in named records stored since 2002. The Department should comply with Subject Access request process available under the Data Protection Act 2018 and GDPR Recitals 63 and Article 89. Exam results, ethnicity, and reasons for exclusion and much much more.

Under the General Data Protection Regulation enforceable from May 25, 2018, all requests are free of charge to Data Subjects – that means you and me, or the person the data is about. The Information Commissioner’s Office has more info here on Right to Access.

As published on the DfE website you can email requests to them via their contact form.

However, the DfE offers no template to make requests and the current method is through a three step contact form to which you can submit requests. However, the form they suggest you use, doesn’t offer the option of “subject access request”.

“If you want to see your personal data, you should make a ‘subject access request’. If you want more information about how we process your personal data, contact us using the question option on our contact form and select ‘other’.”

But there is no ‘other’ option when you select “question” option, there’s a long list of things and there is “something else”. We believe that is unsatisfactory and should be improved this year. There should be a route clearly marked route as to find out about the information we hold about you, or “Subject Access Request.”

But for now, you need to use the contact form method. Select “Question” and then the next option “Something else”. We provide text to help make the request.

How to Submit a Subject Access Request

We have therefore drafted a suggested template text we suggest you copy and paste from the bottom of this page into an email and edit for your own request. You can then use that text, in the body of their contact form. Make the request by only telling them who you are and what data you want, about yourself or your children, but do not send copies of any documents until you know they have responded and accepted to process your request, and clarified their official arrangements.

It’s difficult to imagine just how much information is collected  about children in schools. Or how that information is used, stored, and shared with others.

Every school day — and throughout our lives, from starting nursery to finishing secondary school — a huge amount of data is collected. Most without our knowledge or consent.

You can find out what’s in your records and fix the mistakes. It’s simple and quick.

Discover your past. Protect your future. Find out what they hold and where it has gone.

Make a Subject Access Request to the DfE today. Tell your friends and family.


Here are questions and answers we get asked most frequently.

1. Can I access my personal information?

You have the right to get a copy of the information that is held about you. This is known as a subject access request.

This right of subject access means that you can make a request under the Data Protection Act to any organisation processing your personal data. The Act calls these organisations ‘data controllers’.

You can ask the organisation you think is holding, using or sharing the personal information you want, to supply you with copies of both paper and computer records and related information.

There are some ‘exemptions’ within the Act which may allow an organisation to refuse to comply with your subject access request in certain circumstances. Consider carefully what you are asking to see. Remember that these data may be sensitive such as indicators of [your or] your child’s history of in-care, adoption, or parents’ service personnel status.

2. Can I access personal information about my child?

Information about children may be released to a person with parental responsibility. However, the best interests of the child will always be considered.

Even if a child is very young, data about them is still their personal data and does not belong to anyone else. It is the child who has a right of access to the information held about them.

Before responding to a request for information held about a child, organisations should consider whether the child is mature enough to understand their rights. If the organisation is confident that the child can understand their rights, then it will respond to the child rather than the parent. What matters is that the child is able to understand (in broad terms) what it means to make a subject access request and how to interpret the information they receive as a result of doing so.

Read more about subject access rights for children from the Information Commissioner’s Office.

3. Can I access personal information on someone else’s behalf?

Yes if you have carer or custodial rights for a child, for example. The Data Protection Act does not stop you making a request on someone else’s behalf.

In these cases, the organisation will need to satisfy itself that the third party making the request has the individual’s permission to act on their behalf. It is the third party’s responsibility to provide this evidence, which could be a written authority to make the request, or a power of attorney.

If a person does not have the mental capacity to manage their own affairs and you are their attorney, for example you have a Lasting Power of Attorney with authority to manage their property and affairs, you will have the right to access information about the person you represent to help you carry out your role. The same applies to a person appointed to make decisions about such matters:

In England and Wales, by the Court of Protection. In Scotland, by the Sheriff Court; and in Northern Ireland, by the High Court (Office of Care and Protection).

4. How do I make a request?

To make a subject access request, you may wish to use our suggested template by copying and pasting the text from the bottom of this page, into an email. This is NOT an official DfE request form, but has been drafted by us at defenddigitalme because the Department for Education do not offer one. As published on the DfE website, you can email requests to them via: NPD.Requests@education.gov.uk

You may also want to ask third parties what they hold, when they hold a copy of the National Pupil Database, such as the Fischer Family Trust for example. c/o Data Protection Team, Education Ltd, 1st Floor 79, Eastgate, Cowbridge, Vale of Glamorgan CF71 7AA.

However do not send any copies of identity documents and AFTER the NPD request team has confirmed that they will process your request. To date, they have refused requests from parents. We believe they should comply with Subject Access Rights under the Data Protection Act 1998.

Keep copies and proof of receipt.

It is best to send your request by email, and you should keep a copy of the request and all other correspondence. This will be important as evidence if you need to complain to the Information Commissioner’s Office that the organisation has not given you the information you think you are entitled to.

5. Do I have to make the request in writing?

Yes. A request sent by email or fax is as valid as one sent in hard copy. You can also make a valid request by social media, for example via an organisation’s Facebook or Twitter account, although it may be impractical for the organisation to use this same method to supply information to you.

If you find it impossible or unreasonably difficult to make a request in writing, an organisation may have to make a reasonable adjustment for you under the Equality Act 2010 (or Disability Discrimination Act 1995 in Northern Ireland). This could mean, for example, that the organisation has to consider treating a verbal request for information as if it was a valid subject access request.

6. What can I expect from the organisation?

The organisation has to reply within 40 days, starting from the day they receive both the fee and the information they need to identify you and the information you need. A credit reference agency must reply within seven days to a request for a credit file.

If an organisation reasonably needs more information to help them find your information or identify you, they have to ask you for the information they need. They can then wait until they have all the necessary information as well as the fee before dealing with your request.

7. What should the Department for Education send me?

What is held in the National Pupil Database is NOT the same as what is only held by your child’s school. Around 400 different items can be stored on any one individual in the National Pupil Database. Do not be put off by replies which tell you to ask a school for your child’s school record if you want to know what is held at national, not local level. You are entitled to be told if any personal information is held about you and if it is, to be given:

  • a copy of the information in permanent form;
  • an explanation of any technical or complicated terms;
  • any information the organisation has about where they got your information from;
  • a description of the information, the purposes for processing the information and who the organisation is sharing the information with; and
  • the logic involved in any automated decisions (if you have specifically asked for this).

8. Can the organisation withhold any information?

Yes. There are some circumstances where the information you have asked for contains information that relates to another person. Unless the other person gives their permission, or it is reasonable in all the circumstances to provide the information without permission, the organisation is entitled to withhold this information.

The law covers personal information that:

  • is held, or going to be held on computer;
  • is in, or going to be in, a manual filing system that is highly structured so that information about you can be easily retrieved;
  • is in most health, educational, social service or housing records; or
  • is other information held by a public authority

9. What can I expect if I have rights under the Equality Act 2010 (or Disability Discrimination Act 1995 in Northern Ireland)?

Under equality law an organisation has a duty to make sure that its services are accessible to all service users. You can request a response in a particular format that is accessible to you, such as Braille, large print, email or audio format.

10. What can I do if the organisation does not respond?

If more than 40 calendar days have passed since you made your request, we advise you write to the organisation to remind them of your request and their obligations under the Data Protection Act. We recommend you send any correspondence by recorded delivery.

After this, you can write to the Information Commissioner’s Office to complain and ask for support. Get in touch with us too. We are happy to discuss and support any questions before you make applications in confidence.

11. can I ask for my own Personal data in Exam Scripts like this?

In December 2017, the European Court of Justice (ECJ) ruled yes, because exam scripts are personal data. In the UK Data Protection Act 2018, the government created an exemption however for personal data recorded by a candidate in exam scripts. (Schedule 2 — Part 4 (25)— Restrictions based on Article 23(1): restrictions of rules in Articles 13 to 15) [p176-77].

The ECJ had ruled Subject Access rights should be applied irrespective of national legislation, and the exemption appears to be restricted to some, not all rights. For example the right to rectification still applies, and yet it is almost impossible to enact without the right to access which underpins it in Recital 63. In summary, the new 2018 Data Protection Act and accessing personal data in exams, has certain restrictions which are yet to be tested.

More Information

The information is only a guide and further information about the Data Protection Act 1998 can be obtained from the Information Commissioner’s Office website.

For the public: See ICO https://ico.org.uk/for-the-public/personal-information/  who also have a helpline
For organisations: https://ico.org.uk/media/for-organisations/documents/1065/subject-access-code-of-practice.pdf

Suggested Subject Access Request

Please note that where the term “data subject” is used it refers to the person about whom the information is being requested. A parent, or guardian, who has joint, or sole, parental responsibility can make a request on behalf of their child, though this is dependent upon the age and maturity of the child.

The Data Controller (the organisation) must respond promptly and within 40 calendar days of the latest of the following:

  • On receipt of the request
  • On receipt of satisfactory proof of identity.

Before you start, are you asking for data about yourself? If yes, you are called ‘the Data Subject’. (Please state)

if you are the Data Subject you will be asked to supply original proof of identity bearing  your name i.e passport, driving licence (if applicable), birth certificate (or certified copy) or at least an official letter showing your current address such as from a utility company or Bank.  DO NOT SEND THESE UNTIL ASKED TO DO SO.

If no, are you acting on behalf of the Data Subject with their written authority? If so, that authority must be enclosed and you must also produce evidence of your identity and that  of the data subject (as above). DO NOT SEND THESE UNTIL ASKED TO DO SO.

Provide the following information.

1.        Details of the Data Subject (who the data request is about, if different from your own, give both)

Full name ……………………………………………………………………………………….

Address ……………………………………………………………………………………………………


DOB (if Data Subject) ………………

2.    Describe your relationship with the Data Subject that leads you to make this request for information on their behalf. (i.e. Parent / Guardian)


3.   Please give details of the information you require to see. These may include for example but not only:

  • a copy of all personal data held
  • a copy of all data associated with the relevant Unique Pupil Number(s) or other learner numbers
  • the details of its source
  • the reasons why the organisation is holding it
  • who the organisation has disclosed it to in the past
  • to know if the information has been used in any automated decision making.