The question whether exam material is Personal Data is legally consequential for any candidate or institution responding to a DSAR, because it determines whether Article 15 rights of access apply and, if they do, whether any statutory or common-law exemption blocks disclosure. The analysis is two-stage in practice: first, does the material “relate to” an identified or identifiable natural person so as to satisfy the GDPR definition of personal data; second, if it is personal data, does any statutory or regulatory exemption (for example in the UK the Data Protection Act 2018) remove or limit the right of access. The definition of personal data is found in Article 4 GDPR and has been codified and interpreted widely: the test is not merely whether the data contains a name or ID number but whether the information, by reason of its content, purpose or effect, is linked to an identifiable person. See Article 4 of the GDPR for that definitional test. The Court of Justice in Nowak (C-434/16) clarified that assessment of whether exam answers are personal data must look to content, purpose and effect — and that, on the facts, a candidate’s answers and some examiner comments could indeed fall within the scope of “personal data”. That EU jurisprudence is pivotal because it establishes that one must begin from a presumption that some elements of exam material may be personal data depending on context. At the same time, the UK legislature has crafted a specific statutory regime which limits the practical effect of that finding: the Data Protection Act 2018 contains provisions (the “exam scripts” exemption) which narrow the right of access to certain examination material where disclosure would prejudice confidentiality or assessment of others. 
The ICO — the UK regulator — has published clear guidance explaining how the two ideas (Nowak’s definition and the DPA exemption) fit together in practice; the ICO’s guidance is the operational roadmap for controllers such as Kaplan or universities. Practitioners therefore must treat the question as one of legal characterisation followed by statutory exception analysis: characterise, then test the exception. That approach explains why candidates may sometimes obtain their marked answers or examiner comments but cannot compel the release of the test paper, model answers, or marking schemes in most cases. It also explains why a DSAR asking for “my exam paper” commonly triggers a lawful refusal or a partial disclosure (for example, transcriptions of the candidate’s own answers or anonymised feedback) where the controller considers the exemption engaged. In short, the legal position is not a blunt “all or nothing” rule; it is an analytically twofold inquiry which starts with the GDPR definition of personal data (content/purpose/effect), applies the Nowak touchstone on context, and then turns to the UK statutory carve-outs embodied in the DPA and operationalised in ICO guidance. This procedural structure — characterisation first, exception second — is the framework I use below when I analyse what is and is not personal data in the exam context. Please note that where I refer to specific legal texts I provide links to the official sources in the authoritative list at the end of this post.
1. Legal distinction: personal data (answers, marks, feedback) vs non-personal exam content (questions, marking schemes, model answers)
The starting point is Article 4 GDPR: “personal data” is any information relating to an identified or identifiable natural person — an identifiable person being one who can be identified, directly or indirectly, by reference to identifiers or other information. That statutory text is intentionally capacious so as to capture non-obvious forms of identification such as online identifiers or metadata. Applying this definition in the exam context leads to a straightforward classification: material that is about the candidate (their answers, the marks awarded, personalised feedback or comments addressed to the candidate) will usually satisfy Article 4 and qualify as personal data because it “relates to” the candidate and affects their rights and opportunities. For example, a candidate’s typed answers, handwritten script, or recorded audio responses plainly are information produced by or about the candidate and thus are personal data of the candidate. Likewise, objective marks assigned to a candidate and written feedback explaining those marks are personal data: they link directly to the candidate and can influence subsequent employment, progression, or reputation. The Nowak decision confirms that such candidate-generated content can be personal data and instructs that the content/purpose/effect test should be used as the threshold analysis rather than a checklist approach; Nowak therefore supports treating answers and examiner comments as personal data where those items are linked to a candidate’s identity or evaluation. Nevertheless, just because some element of an exam file is personal data does not mean the entire file becomes disclosable: the right of access under Article 15 is subject to exemptions, and the UK’s DPA 2018 contains a specific exemption for examination scripts and marks which narrows access to the extent disclosure would prejudice confidentiality or the assessment of others. 
This is why controllers often separate the file into: (a) items that are personal data and not exempt (e.g., the candidate’s own submission and some feedback), and (b) items that are either not personal data or are exempted (e.g., exam questions, model answers, marking schemes). From an IP and confidentiality perspective, exam questions and marking schemes are frequently treated as proprietary, confidential materials which, even if they could be said to “relate” indirectly to candidates, are covered by statutory exemption or by separate intellectual property and contractual protections — the Copyright, Designs and Patents Act 1988 protects original question content and institutional rules protect confidentiality. Where a controller has legitimate reasons to protect question papers — for example because questions are reused or because disclosure would facilitate future cheating — the DPA exemption is commonly invoked to refuse release. Importantly, the ICO makes clear that controllers should consider whether portions of an assessment file are actually personal data of the requester and whether those parts fall within an exemption; controllers cannot hide behind a blanket refusal if there are clear elements of personal data that can be disclosed without prejudicing the examination process. In practice that means an applicant may receive scanned copies of their own answers and any non-sensitive feedback, but not the question paper or a full model answer set. This legal distinction (candidate data vs provider content) is functionally and legally significant because it identifies the data that triggers Article 15 and the data that is typically sheltered by statutory protection; compliant controllers must therefore conduct granular redaction and reasoned decision-making rather than blanket denials. 
Finally, lawyers advising candidates should stress that a successful DSAR will normally focus on clearly personal items (answers, marks, feedback) and avoid requests for the exam question paper itself, which faces an uphill statutory and public-interest defence.
2. Borderline situations — anonymised statistics, metadata (timing, clicks), proctoring recordings, and other edge cases
Borderline situations are where disputes most often arise because the line between personal and non-personal data is porous and context-dependent. Take anonymised statistical reports: if a university produces an aggregate grade distribution and removes identifiers, that dataset may cease to be personal data; however, anonymisation must be robust such that the natural person is no longer identifiable by reasonable means, taking into account all means reasonably likely to be used. The GDPR and ICO guidance emphasise that pseudonymisation or weak aggregation that still permits singling out is not sufficient to escape personal data status. Thus, a class-level report giving only percentages and no identifiers will usually not be personal data, whereas a report with small cell counts or other indirect identifiers might still be personal data because re-identification is possible. Metadata is another grey area: timing information (how long a candidate spent on each question), click logs, IP addresses, and proctoring system logs may qualify as personal data because they are technical identifiers or can be linked back to the individual. Article 4 lists online identifiers and location data explicitly as examples of personal data, and the CJEU’s approach in Nowak — focusing on effect and purpose — supports the conclusion that metadata used to profile or assess a candidate will often be personal data. Proctoring video recordings pose acute privacy issues: such recordings include biometric or behavioural data, camera images and audio, and sometimes third-party data (for example, a family member appearing in the frame). These recordings are very likely to be personal data, and in many cases they will be special category data or sensitive for GDPR purposes if they reveal health-related information (for example, a visible disability or medication).
Moreover, proctoring metadata used to infer cheating or to create behavioural profiles may be subject to automated decision-making rules, engaging Articles 22 and 15 of the GDPR (right to access and right not to be subject to solely automated decisions). Another borderline example is preparatory material or mock exams. The ICO has noted that students generally do not have a right to their own answers from mock exams if the mock is treated as an internal, non-assessed exercise; but if the mock is used in a way that affects progression or assessment, that content may acquire personal data status and thus attract access rights unless the DPA exemption applies. Similarly, the interaction between anonymisation and the exam scripts exemption is complicated: a controller might argue that anonymised marking schemes or exemplars are not personal data, yet the DPA exemption can still be relevant if disclosure of the anonymised exemplar would reveal the structure of future assessments or otherwise prejudice the process. Where metadata or borderline material is requested, controllers must perform a fact-sensitive assessment: is the item an identifier, or reasonably likely to be used to identify the candidate; does the item have the effect of evaluating or profiling the candidate; and does disclosure of the item risk prejudice to other candidates or the integrity of future assessments? The ICO guidance and the DPA wording require reasoned, documented decisions, and controllers should be prepared to explain redaction choices and the legal basis for any partial disclosure. In short, borderline material — anonymised statistics, timing and click metadata, proctoring video and logs, and internal mock exams — frequently contains legal complexity and should be approached on a case-by-case basis, with technical anonymisation assessed against re-identification risks and legal exemptions assessed against potential prejudice to the assessment process.
3. What the ICO guidance and GDPR articles require in practice: operational steps for controllers and practical advice for candidates
The ICO guidance is the pragmatic bridge between abstract GDPR provisions and real-world practice for controllers handling DSARs about exams; controllers should consult the ICO’s “A guide to subject access” and the ICO’s specific page on the exam scripts exemption for sector-specific direction. In operational terms, controllers must first identify whether the requested material is personal data under Article 4 (content/purpose/effect), then determine whether any statutory exemptions apply (for the UK, see the DPA 2018 exam scripts provisions), and finally decide whether to disclose, redact, or withhold, setting out reasons where withholding occurs. The ICO emphasises that controllers cannot use the exam scripts exemption as a blanket shield where discrete elements are personal data and non-exempt; they must carry out a granular review and produce a reasoned response to the requester explaining what was provided and what was withheld. From a compliance perspective, controllers should document the steps taken to identify personal data, the anonymisation techniques used, the legal basis for any redaction or refusal, and the public interest or prejudice assessments supporting the decision. Practically, this documentation is vital for defending decisions before the ICO or in litigation. For candidates, the practical takeaway is to draft DSARs narrowly: request registration data, copies of your own submitted answers, and any examiner feedback rather than broad requests for question papers or marking schemes. If a controller refuses in part, a candidate can ask for an internal review and then complain to the ICO; the ICO will review whether the controller correctly applied the exemption and carried out a reasonable, documented assessment.
The GDPR also creates procedural protections: if you request information about automated decision-making or profiling, the controller must disclose the logic, significance and envisaged consequences of such processing, subject to any applicable exemption, and controllers must consider whether any proctoring analytics involve automated decisions that affect the candidate. On the legislative side, controllers in the UK must apply the Data Protection Act 2018 Schedule 2 exemptions (exam scripts and exam marks) where appropriate, and they must use ICO guidance to frame their responses. The ICO’s educational guidance and the general subject access guidance both provide sample reasoning and procedural steps which are useful drafting tools; lawyers representing candidates can therefore cite ICO guidance and DPA text when challenging a refusal. Finally, because of the Nowak precedent, controllers should not reflexively deny that any exam material is personal data — rather, they must identify candidate-linked materials and release those unless a statutory exemption lawfully applies; this approach minimises ICO risk and reduces friction with candidates. Read together, the GDPR articles (Article 4 and Article 15), the DPA 2018 exam scripts provisions, and the ICO guidance set out a detailed operational playbook: characterise data, apply exemptions carefully and document decisions, provide responsive disclosure where appropriate, and advise candidates clearly about what they can reasonably expect to obtain via a DSAR.
Authoritative sources
1. CJEU — Nowak (C-434/16) — full text (CURIA)
https://curia.europa.eu/juris/liste.jsf?num=C-434%2F16
2. GDPR — Article 4 (Definitions) (official consolidated text at EUR-Lex)
https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng
3. GDPR — Article 15 (Right of access)
https://gdpr-info.eu/art-15-gdpr/
4. Data Protection Act 2018 — Schedule 2 / Part 4 — Exam scripts and exam marks (legislation.gov.uk)
https://www.legislation.gov.uk/ukpga/2018/12/schedule/2/part/4
5. ICO – Exam script exemption guidance (for schools / organisations)
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/exemptions/exam-script-exemption-guidance-for-teachers-and-schools/
6. ICO – A guide to subject access (practical guidance for controllers)
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/subject-access-requests/a-guide-to-subject-access/
7. ICO – Data protection exemptions guide (education / exam context)
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/exemptions/a-guide-to-the-data-protection-exemptions/
8. General GDPR text
https://gdpr-info.eu/
FAQ: Understanding What Constitutes “Personal Data” in Exams under UK GDPR
1. What does “personal data” mean under the UK GDPR in the context of examinations?
“Personal data” is defined in Article 4(1) of the UK GDPR as any information relating to an identified or identifiable natural person (‘data subject’). In the context of examinations, this definition extends to exam answers, assessor comments, grading decisions, and feedback that can be linked—directly or indirectly—to a specific candidate. For instance, even if a candidate’s name is replaced with an identification number, the exam board or educational body (such as Kaplan, the SRA’s SQE assessment provider) can still identify the individual through internal records, making the data personal. According to the ICO’s official guidance on “What is personal data” (ICO, 2023), information qualifies as personal data when it enables identification by reference to additional information reasonably available to the controller.
Conversely, materials that cannot be linked to an identifiable person, such as model answers or anonymised marking schemes, fall outside this scope. The CJEU in Nowak v Data Protection Commissioner (Case C-434/16, 2017) clarified that written exam answers are indeed personal data, as they reflect the candidate’s intellectual effort and therefore relate to them personally. Thus, in UK law, the GDPR definition is interpreted broadly to cover all candidate-attributable material, regardless of medium or form.
2. Are exam answers always considered personal data?
Yes, exam answers are considered personal data, as established in Nowak v Data Protection Commissioner (2017). The CJEU reasoned that answers provided in a professional or academic exam reveal aspects of a candidate’s personality, skill, reasoning, and understanding — all of which are expressions of an identifiable individual. Under UK GDPR principles, even if the answers are not directly linked to the candidate’s name, the examination body can re-identify the person through administrative records. The ICO’s interpretation of this ruling affirms that any data recording an individual’s intellectual activity, when identifiable, constitutes personal data.
However, this does not mean candidates have unrestricted access to their exam answers. The Data Protection Act 2018 Schedule 2, paragraph 25(2) specifically exempts exam scripts from the right of access under a Data Subject Access Request (DSAR). This means that while exam answers are personal data, controllers such as Kaplan or the SRA are legally entitled to refuse access to them to protect exam integrity. The distinction is therefore between “data that qualifies as personal data” and “data that is accessible under DSAR rights.”
3. Is feedback from examiners considered personal data?
Yes — examiner feedback, comments, and scoring notes constitute personal data under Article 4(1) of the UK GDPR, provided they are attributable to a candidate. The ICO explicitly recognises examiner remarks and grading notes as “data relating to an identifiable individual.” This position derives both from Nowak (2017) and from Recital 26 of the GDPR, which confirms that data can be personal even if indirect identifiers (like exam numbers) are used. Feedback represents an examiner’s assessment of a candidate’s performance, linking their intellectual work to subjective evaluation. Thus, feedback inherently “relates” to that candidate.
Nevertheless, the exam scripts exemption under the DPA 2018 also covers feedback insofar as it forms part of the examination process. Institutions may lawfully restrict access until results are formally issued. Only after a reasonable period may candidates access the feedback under Article 15(3) UK GDPR, which grants a right to obtain copies of personal data undergoing processing. This nuanced treatment balances data rights with the fairness and security of examination procedures.
4. Do marking schemes or model answers count as personal data?
No. Marking schemes, model answers, and standardised grading rubrics are not personal data under the UK GDPR. They do not relate to an identifiable individual, nor can they be used to identify one. These materials reflect the institution’s intellectual property and exam design methodology, not the characteristics or identity of candidates. The ICO’s guidance (2023) distinguishes between information about how an exam is structured or assessed and data that relates to a person. Even if a candidate could infer grading standards from a marking scheme, this does not transform the document into personal data.
However, complications can arise when a marking scheme includes illustrative examples drawn from actual student responses. In such cases, if those examples are traceable to real individuals, redaction is required under Article 5(1)(a) (lawfulness and fairness) and Article 32 (security of processing). The examination body must also consider whether such material could indirectly re-identify a candidate based on contextual details.
5. Are anonymised or aggregated exam statistics personal data?
Generally not, provided the anonymisation is robust. Under Recital 26 UK GDPR, data that has been rendered anonymous so that individuals are no longer identifiable is no longer personal data. Exam boards and regulators often release statistical reports on candidate performance, pass rates, and cohort comparisons. These aggregated reports are not considered personal data because they do not relate to specific candidates. However, if the dataset is small enough that an individual’s results could be deduced (for example, when only one candidate sat the exam at a specific location), then the data may still be pseudonymised, not fully anonymised.
The ICO’s guidance on anonymisation, pseudonymisation and privacy-enhancing technologies (2022) clarifies that re-identification risk must be “reasonably likely.” Therefore, institutions must assess not only the data itself but also the context in which it is published. Where anonymisation cannot be fully achieved, the safer approach is to apply strict access control and data minimisation measures.
6. Does metadata generated during online exams (such as timing, clicks, or log files) count as personal data?
Yes, metadata generated during online examinations—such as timestamps, login activity, IP addresses, mouse clicks, or time spent on specific questions—qualifies as personal data under the UK GDPR, provided it relates to an identifiable individual. According to Article 4(1), any information that “relates to” an individual, whether directly or indirectly, is personal data. In online assessments, the system records behavioural data that can easily be linked to a candidate’s unique identifier or account profile. Such metadata, when combined with registration or authentication information, can reveal specific attributes of a candidate’s behaviour or performance.
The ICO’s guidance on “What is Personal Data?” (2023) explicitly includes “online identifiers” (Recital 30 UK GDPR) such as IP addresses and device IDs as personal data when they can be connected to a named or identifiable person. Therefore, proctoring software that logs facial images, geolocation data, typing patterns, or system interactions is processing personal data and must comply with principles of lawfulness, transparency, and minimisation under Article 5(1).
However, purely technical data used for system diagnostics that cannot be linked to an individual (for example, aggregated uptime metrics) would not qualify. When such metadata is retained for auditing, fraud prevention, or exam integrity purposes, controllers must ensure a lawful basis under Article 6(1)(f) (legitimate interests) or Article 6(1)(c) (legal obligation).
7. Can audio or video recordings of online invigilation be classified as personal data?
Absolutely. Audio and video recordings captured during online invigilation sessions, such as those used by Kaplan for remote SQE exams, are unequivocally personal data because they contain visual and audio identifiers of the candidate. Under Article 4(1) UK GDPR, biometric identifiers such as facial features, voice, and behavioural traits fall within the definition of personal data when they enable or confirm identification. The ICO’s guidance on video surveillance (2023) affirms that CCTV or webcam footage of identifiable persons constitutes personal data, regardless of whether it is stored or merely viewed in real time.
Moreover, such recordings may constitute special category data under Article 9(1) when biometric processing is used for identification or fraud prevention. Proctoring systems that use facial recognition, keystroke biometrics, or gaze-tracking technologies must therefore demonstrate compliance with Article 9(2)(g) (substantial public interest) or Article 9(2)(a) (explicit consent). Institutions must also ensure compliance with Article 13 transparency requirements by providing clear privacy notices that specify the scope, purpose, and retention period for such recordings.
Failure to do so can attract ICO enforcement, as seen in IC-113215-D2H5 (2021), where excessive retention of surveillance footage by an educational institution was found disproportionate.
8. Are examiner identities and notes considered personal data of the examiner or the candidate?
Examiner identities and their evaluative notes are a dual-category issue. They constitute personal data of the examiner under Article 4(1) because they identify that individual and reflect their professional activity. However, where examiner notes directly concern a candidate’s performance, those notes also constitute the candidate’s personal data. The Nowak judgment (C-434/16) clarified that an examiner’s comments written on an exam script are “information relating to” the candidate, as they evaluate that person’s abilities.
The ICO’s guidance on employment and professional data (2023) mirrors this approach: if data “relates to two individuals simultaneously,” it is personal data of both. Therefore, any disclosure under DSARs must balance both parties’ privacy rights under Article 15(4) and Recital 63. The controller must redact examiner identifiers where disclosure would adversely affect the examiner’s rights or freedom of expression. This balancing approach aligns with Article 23(1)(i), allowing limitations on data rights to protect others’ rights and freedoms.
9. Are exam questions ever considered personal data?
No, exam questions are not personal data under the UK GDPR because they do not “relate to” an identifiable natural person. They are intellectual property belonging to the examining body and apply equally to all candidates. The ICO’s guidance (2023) clarifies that general information or materials used in standardised settings are not personal data unless they contain identifiers. Even if an individual could recall specific questions, the questions themselves do not convey information “about” that individual.
The only exception arises where a question directly refers to or incorporates data about a candidate (e.g., a viva or oral assessment tailored to the individual’s prior answers). Even then, it would be the examiner’s notes or responses, not the question template, that constitute personal data. In Nowak, the CJEU distinguished between a question (non-personal) and the written answer (personal). Thus, Kaplan and similar exam bodies are legally justified in withholding exam questions under DSARs.
10. Does performance ranking or percentile data qualify as personal data?
Yes. Performance rankings, percentiles, or standardised scores are personal data when they relate to a specific, identifiable candidate. Although statistical in form, these metrics reveal a candidate’s relative standing among peers and are thus linked to individual achievement. The ICO’s anonymisation guidance (2022) confirms that “any data from which an individual’s performance can reasonably be inferred” remains personal data unless effectively anonymised.
However, aggregated percentile data across a cohort—without identifiers or small sample disclosure risk—is not personal data. For individual candidates, percentile ranking may also form part of automated decision-making under Article 22(1) if used to determine progression or eligibility. Controllers must therefore ensure transparency under Article 13(2)(f), explaining how ranking metrics affect decisions.
11. Do exam registration details and candidate numbers qualify as personal data?
Yes — exam registration details, including candidate numbers, are unequivocally personal data within the meaning of Article 4(1) UK GDPR. Such identifiers, even when used in place of names, are directly linked to a unique candidate record maintained by the examination body. The ICO’s 2023 guidance on “What is Personal Data” explicitly includes identifiers such as identification numbers or online handles that can be matched to an individual through additional information. In practice, Kaplan and the SRA retain internal databases mapping candidate numbers to personal profiles, rendering these identifiers pseudonymous, not anonymous.
Under Recital 26 UK GDPR, pseudonymised data remains personal if re-identification is reasonably possible. This means that even if an examiner cannot identify the candidate from the script alone, the controller (Kaplan or the SRA) can do so by referencing registration systems. Therefore, exam registration details, including candidate numbers, exam centre IDs, and booking references, all fall under GDPR protection. These must be handled in accordance with the Article 5(1)(a) principles of lawfulness, fairness, and transparency, and stored only as long as necessary under Article 5(1)(e) (storage limitation).
Furthermore, candidate registration data typically includes names, addresses, email addresses, and qualification details. Such data are subject to access rights under Article 15 and correction under Article 16, but processing is often necessary under Article 6(1)(b) (contract performance) or Article 6(1)(c) (legal obligation).
12. How does pseudonymisation affect whether exam data remains personal?
Pseudonymisation reduces identification risk but does not remove data from GDPR scope. Under Article 4(5) UK GDPR, pseudonymisation means processing personal data in such a manner that it can no longer be attributed to a specific data subject without additional information. This typically involves replacing candidate names with numbers or codes. However, Recital 26 clarifies that pseudonymised data remains personal if the controller retains the “key” enabling re-identification. In examinations, controllers always hold registration logs linking exam codes to individuals, making pseudonymised exam data still personal.
The ICO’s anonymisation guidance (2022) stresses that pseudonymisation is a valuable security measure under Article 32, but it does not transform personal data into anonymous information. Therefore, exam answers stored under a candidate number still fall under the UK GDPR’s definition of personal data. The significance lies in risk reduction rather than legal exemption — pseudonymised data offers stronger compliance posture, but full GDPR duties (such as access rights and data minimisation) continue to apply.
Where multiple controllers share pseudonymised data (e.g., Kaplan and the SRA), the “reasonably likely” re-identification test governs whether it remains personal. If either controller can re-identify the candidate, the data stays within scope.
13. Are handwritten exam scripts treated differently from digital ones under the UK GDPR?
No — the UK GDPR applies uniformly to both handwritten and digital exam scripts. The format of the data does not affect whether it qualifies as personal data; what matters is the relationship between the information and the identifiable individual. Under Article 2(1) UK GDPR, any processing of personal data by automated means, or as part of a filing system, falls within the regulation’s scope. Handwritten scripts held in structured files under candidate identifiers are therefore covered.
The Nowak judgment (C-434/16) confirmed that handwritten exam answers are personal data because they record the candidate’s intellectual expression. Whether the script is scanned, stored digitally, or marked on paper is irrelevant — the key factor is identifiability. The ICO’s guidance (2023) reinforces this: even non-digital material becomes personal data if it forms part of an organised filing system relating to individuals.
Controllers processing handwritten exams must still comply with the data protection principles, including ensuring secure storage (Article 32) and limiting retention. Digitisation (e.g., scanning) does not change legal classification but increases security and portability obligations under Article 5(1)(f) (integrity and confidentiality).
14. Can examiners or institutions rely on legitimate interests for processing candidate data?
Yes, but only under specific conditions. Article 6(1)(f) UK GDPR permits processing when necessary for the controller’s “legitimate interests,” provided such interests are not overridden by the candidate’s rights and freedoms. For examination bodies like Kaplan or universities, legitimate interests may include ensuring exam integrity, preventing cheating, or conducting performance analytics. However, the three-part test from the ICO’s Lawful Basis for Processing guidance (2023) must be met: (1) a legitimate purpose; (2) necessity of processing; and (3) balancing of interests.
The ICO also notes that educational institutions often rely on Article 6(1)(b) (contract) or Article 6(1)(c) (legal obligation) for exam processing. Legitimate interests are more suitable for ancillary processing such as system monitoring, metadata tracking, or statistical evaluation. Controllers must perform a Legitimate Interests Assessment (LIA) documenting these justifications and provide them in privacy notices under Article 13(1)(d).
Where personal data of third parties (e.g., invigilators) are processed concurrently, the balancing test must account for both. Overreliance on legitimate interests without transparency risks noncompliance and enforcement under Article 83(5).
15. What key principles should exam bodies follow when handling candidates’ personal data?
Examination bodies must adhere to the seven core principles in Article 5(1) UK GDPR:
(1) Lawfulness, fairness, and transparency – data must be processed with a lawful basis and communicated clearly to candidates through privacy notices.
(2) Purpose limitation – personal data may be used only for purposes compatible with the exam’s administration and certification.
(3) Data minimisation – collect only what is necessary, e.g., no excessive biometric data or unrelated personal information.
(4) Accuracy – ensure candidate information and grades are correct and update records promptly when errors occur.
(5) Storage limitation – retain personal data no longer than needed for results verification or legal retention obligations.
(6) Integrity and confidentiality – maintain security via encryption, controlled access, and pseudonymisation of identifiers.
(7) Accountability – demonstrate compliance by documenting procedures and conducting Data Protection Impact Assessments (Article 35) for high-risk processing such as remote proctoring.
Failure to comply may result in regulatory sanctions under Article 83(5), reputational damage, and possible compensation claims under Article 82.
Why Defining “Personal Data” in Exams Truly Matters
Understanding what qualifies as personal data in examinations is far more than an academic exercise — it’s a compliance cornerstone for universities, professional bodies, and training providers. The SQE, university assessments, and online testing systems all generate vast quantities of candidate data, from written scripts and performance metrics to metadata about timing, clicks, or even proctoring footage. Each dataset tells part of a candidate’s story — and under the UK GDPR, that story belongs to them.
The Information Commissioner’s Office (ICO) has repeatedly emphasised that personal data is defined broadly to include “any information relating to an identified or identifiable individual.” This means that even exam identifiers, pseudonymised records, or statistical datasets may fall within the law’s protection if re-identification is possible. Many education providers still underestimate this scope, resulting in DSAR refusals that breach Article 15 rights, or failures to respond transparently about the use of exam data analytics.
From a compliance perspective, institutions must tread carefully between academic confidentiality and data subject rights. The Nowak case (C-434/16) set a decisive precedent: an exam script expresses a candidate’s intellectual effort and therefore qualifies as personal data. This judgment reshaped how educational data is handled — not as institutional property, but as personal information subject to access, rectification, and protection.
For exam boards and training providers, the lesson is simple yet profound: adopt a privacy-by-design approach. That means embedding data protection into every stage of assessment development — from question creation and candidate registration to results publication and statistical reporting. Maintaining lawful bases for processing, conducting Data Protection Impact Assessments (DPIAs), and training staff on DSAR handling are essential compliance tools.
LexDex Solutions helps academic institutions, professional training providers, and education technology firms navigate this complex intersection between GDPR and education law. Whether you’re reviewing your privacy notices, handling DSARs from exam candidates, or mapping your lawful bases for exam-related processing — compliance is not just about avoiding penalties, but ensuring fairness, transparency, and accountability in how you assess human potential.
Strengthen Your GDPR Compliance Today
Are you unsure whether your exam data handling practices meet GDPR standards?
Do you need a robust, ready-to-use DSAR Response Template for Exam Candidates or an Exam Data Protection Policy Pack?
Download our expert-developed templates at LexDex Solutions, crafted by data privacy professionals and aligned with the latest ICO and UK GDPR guidance.
Our resources are designed for:
Universities, exam boards, and professional bodies (including SQE providers)
Education technology companies processing exam metadata
Law firms advising clients on DSARs and data protection in education
Empower your compliance strategy with clarity, confidence, and precision — because in data protection, knowing what counts as personal data is half the battle won.