The General Data Protection Regulations provide you with legal rights over the personal data our school holds about you and your child. This guide will explain your rights and help you to use them.
You do not need to know details about which right applies in which case in order to make a request; it’s our responsibility to understand how to handle a request you make.
Your personal data rights are:
We are committed to helping you to exercise your rights through:
We won’t change, delete or share any of your information without being satisfied that it is you who has asked for this (unless the law allows us to). Where we have doubts about a requestor’s identity, we will ask for proof of ID and won’t go ahead unless we’ve received this and are satisfied that you are identified.
You should not have to pay us when you’re exercising your rights; however, the law does allow us to charge you a reasonable fee if your request is unreasonable or is a repeat of something we’ve already done for you. In these cases we may be allowed to refuse your request rather than charge. If we plan to charge or to refuse your request, we will let you know and explain why we believe the law lets us do this.
There are other reasons in the law which may mean we cannot do what you ask us to do with your personal data. We have explained these under each of your ‘Rights’ in this guide.
We’ll always do our best to do what you ask with the personal data we hold about you or your child, however, the law places a responsibility on the school to balance your rights against the rights of other people who may be affected and against the legal powers of other organisations. It may not always be the case that your rights are strongest in every situation. We’ll always explain our reasons and will gladly take another look at our decision if you want challenge it.
If you still feel that we haven’t done what we should then you have the right to complain to the Information Commissioner (ICO). Please see the ICO’s contact details at the end of this guide.
The law allows for the UK Government to make certain decisions which could result in Data Protection rights being reduced to some extent. However, the law requires that any restrictions of this kind must still be in line with your basic human rights and must be what is expected of rules applying to a democratic country.
The Government may decide to limit the rights for reasons such as national security, preventing crime, investigating certain professional conduct cases etc. We have to take these decisions into account when considering requests from you to exercise your rights.
It is important that you know what happens to your personal data whilst we hold it. The law requires us to be honest and open with you about these details and we do this through publishing a number of Privacy Notices on our website; one covering each of the main uses we make of your data.
These Notices are available for you to read and understand so that you know what to expect us to do with your data; either before you share it with us, or where it is given to the school from another organisation that holds it.
We have taken care to explain the details on the Notices in simple language but we would be grateful for any feedback on this to help us with our commitment to review and improve the guidance we give you.
Here are the main things we need to tell you about what we do with your personal data:
See our Website for a list of published Privacy Notices
The personal data we hold about you and your child is still yours. You have the right to ask us for access to the data to satisfy you that our use of your data is lawful. Unless the law prevents us from doing so, we must give you:
When dealing with your request we will:
Please note: There is an additional “right of access” to your Child’s ‘Pupil Record’ – as defined in the Education (Pupil Information) (England) Regulations 2005. The timescale for responding to such requests is fifteen days from receipt of the request (excluding the summer holiday). This right is not affected by GDPR.
The school has a legal responsibility to make sure the data we hold about you and your child is accurate and complete. Where we are made aware that we may hold inaccurate or misleading data about you we must ‘rectify’ it (change it).
Where you may have moved to a new address, changed contact details or even changed a surname; these are simple changes to make. However, there may be more complex cases where you disagree with an opinion we have recorded about your child’s progress for example, and you may decide to ask us to change this. In some cases the law allows us to refuse to make changes to the personal data we hold and the professional opinion of a qualified teacher is an example where we may decline to fulfil a change request.
Any request to change your personal data will be fairly considered and if where having reviewed a contentious record we feel it is inaccurate then we will make changes.
If we do refuse to make changes we will always:
Right to erasure (‘right to be forgotten’)
The right to Erasure, known as the right to be forgotten, is where you can ask us to consider deleting information that we hold about you or your child.
We will already have explained to you through our Privacy Notices how long we intend to hold your personal data before we delete it, however you still have the right to challenge us to delete your data at any time.
You can expect your request for deleting your personal data to be successful if:
The law has a number of reasons why we are allowed to refuse erasure requests, those that are most likely to apply to schools are where we’re holding or using your data:
When we agree to delete information about you, we will have procedures in place to let other organisations who we’ve shared your data with know, for example if we have contractors working on our behalf. Our decision to delete your data means that they should delete it also.
When we agree to delete information following your request, or routinely as part of our records management procedures, we will make sure that the data in whatever format is destroyed securely and cannot be reused, or it will be permanently changed so that it can no longer identify you or your child.
Should you have concerns about an aspect of what we do with your personal data, such as who we share it with or how we manage it, you have the right to ask us to stop doing it; so that we are still allowed to hold it, but we are ‘restricted’ in the ways we can use your data.
Aside from storing your data, we can only continue to use it when it is under a restriction if:
When use of data is restricted, this may mean we consider doing the following:
You can expect your request for restricting the use of your personal data to be successful if:
As with other rights, the law allows us to refuse a request in certain circumstances. In this case we can refuse (or charge a reasonable fee) if we believe the request is unfounded or excessive. In such cases we will contact you and explain our decision, and let you know how to complain.
When we decide to lift any restriction on the use of your data, we must let you know about this in advance. We must let you know how this affects any related requests under your rights to ‘rectify’ and to ‘object’, and also let you know how to complain.
The right to Data Portability gives you the means of asking an organisation to give your personal data to another organisation on your behalf, or back to you for you to give to another organisation – making your data ‘portable’, i.e. easily usable by another supplier of services to you.
The law allows this right to apply in a very narrow set of circumstances which make it highly unlikely that it would apply to any data held by the school, but in brief the right applies when data you have provided:
If this right did apply to your data, we would need to provide it in a format that was commonly in use, allowing the majority of software products to read and use the data in an automated way.
The law provides you with the right to ‘object’ to us holding and using your personal data but only in certain circumstances. Our Privacy Notices will let you know the ‘legal condition’ we are relying on to hold and use your data and they will also explain when you have the right to ‘object’. If we are relying on one of the following, then the right is available to you:
In order to exercise your right you must have an objection which is specific to your particular situation. You can’t therefore object to our general practices, you must be able to argue that there is something we are doing with your personal data that impacts you specifically.
If this does apply, then we must stop doing what is causing you concern unless we can do one of the following:
If we hold your data for direct marketing purposes then we must stop doing so when we receive your objection. We would have no grounds to challenge your decision.
This is making decisions about you or your child using your personal data through an automated process, i.e. a computer calculation with no human involvement.
Using personal data to make decisions about categorising you or your child based on any number of characteristics.
Where we do this we have to let you know about it on our Privacy Notices. These will explain the process we go through and what the potential consequences are of the decisions made.
The law only allows us to do this kind of activity where decisions are made completely without the need of human help and the outcome of the decision can have a significant impact on an individual in the following circumstances:
And we can only use sensitive personal data if:
If what we’re doing isn’t completely automated and the decisions are not significant, then we don’t need to rely on these reasons, but we still need to let you know what we’re doing and explain how the law allows us to do it.
The law says that this type of activity has the potential for error that may have consequences, or has concerns that decisions are made in ways that aren’t transparent and are potentially unfair. You therefore have the right to:
We must make sure that the systems we use to make such decisions are working as they should in order to avoid errors and to ensure we are fair, and we must take reasonable steps to keep your data secure within this process.
Any system we use to carry out this type of process will have been risk assessed and will have been approved by our Data Protection Officer as complying with the law.