IrelandA school shared my child's data without permission.
A school in Ireland must not share your child's personal data without a lawful basis — such as your explicit consent or another valid ground under the Data Protection Act 2018. Unauthorised sharing may be a breach of data protection law.
What the Law Says
Under Irish law, schools are 'data controllers' and must comply with strict rules when handling children’s personal data. The Data Protection Act 2018 gives effect to the EU General Data Protection Regulation (GDPR) in Ireland and sets out obligations for processing personal data lawfully, fairly, and transparently.
Section 29 of the Data Protection Act 2018 specifically addresses processing of personal data relating to children in the context of information society services. It confirms that where a child is under 16, consent must be given or authorised by a parent or guardian — unless a lower age (not below 13) is set by Irish law for specific services.
Even outside online services, any sharing of your child’s personal data — such as names, addresses, health details, or academic records — requires a lawful basis. This could be your consent, legal obligation, or another condition under Article 6 or 9 of the GDPR, as applied by the 2018 Act.
Schools must also comply with the principle of data minimisation: they can only share data that is necessary, relevant, and proportionate for a clearly stated purpose.
Statutory TextSection 29: Where personal data relating to a child is processed for the purposes of offering an information society service directly to a child, the processing shall be lawful only if the child is at least 16 years of age or, where the child is under that age, the processing is authorised by the holder of parental responsibility for the child.
— Data Protection Act 2018, s. 29 — Processing of personal data relating to children
What to Do
Contact the school in writing to ask what data was shared, with whom, why, and on what legal basis.
Request a copy of their data protection policy and records of processing activities.
If unsatisfied, make a formal complaint to the Data Protection Commission (DPC) at https://www.dataprotection.ie.
You can also ask the school to erase the data or restrict its use if the sharing was unlawful.
Keep copies of all correspondence — the DPC may require them if you escalate the matter.
Sources
Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.