The Court of Justice of the European Union (the “COJEU”) has ruled that the definition of “personal data” encompasses a handwritten examination script for the purposes of the Data Protection Directive (the “Directive”). This follows a referral for preliminary ruling to the COJEU from the Irish Supreme Court in the case of Peter Nowak v Data Protection Commissioner (C-434/16).
Mr Nowak, a trainee accountant, attempted without success to pass a required examination set by the Institute of Chartered Accountants of Ireland. He made a data access request under Section 4 of the Data Protection Acts 1988 and 2003 but his request to access his examination script was declined on the grounds that the script did not constitute “personal data”. In an action against the Irish Data Protection Commissioner, the Irish Supreme Court has sought guidance from the COJEU on whether exam scripts do in fact qualify as personal data.
Prior to the COJEU ruling on questions, an opinion is issued for the benefit of the Court by one of its Advocates General. After due consideration, Advocate General Kokott (the “AG”) opined that a handwritten examination script capable of being ascribed to an examination candidate, and not just the examination result, does come with the definition of personal data. The AG viewed the examination script as a documentary record of the candidate’s participation and performance in the examination and viewed the candidate’s solutions not merely as a reproduction of information that the candidate has learnt but rather evidence of how the candidate thinks and works. The AG went on to say that no distinction should be drawn between a multiple choice procedure and a script that consists of a candidates own composed answers. Furthermore, an examination script that references the candidate’s identification number rather than his or her name has no bearing on the classification of the script containing personal data.
Amongst the rights given to data subjects in respect of personal data is the right to have errors or inaccuracies corrected. In this instance, this gave rise to the question of whether the candidate could seek to correct errors in the script and thereby change it! The AG held that the examination script’s purpose is to determine the performance of the candidate based on his or her skill or knowledge at the time of the examination as well as his or her errors. Therefore, the errors contained in the solutions provided by the candidate do not themselves constitute inaccuracies for the purposes of the Directive. By way of an example of an inaccuracy in an exam script which a candidate would be permitted to correct, the AG gave referred to an incorrect script having been ascribed to the candidate or parts of the script having been lost and thus an incomplete examination performance having been recorded.
The question was also raised as to whether the examiner’s corrections made on the examination script constitute personal data of that candidate. The AG held that because of the link between the examination script and the corrections, the corrections being inseparable from the script and of little informative value without it, the examiner’s corrections do also constitute the candidate’s personal data. Importantly, the AG added that the corrections at the same time are also the personal data of the examiner.
The COJEU is not required to follow an Advocate General’s opinion but frequently does. This opinion serves as a further reminder of the broad sweep of data protection legislation, an issue which will take on added importance following the entry into force of the General Data Protection Regulation on May 25, 2018.