Your Data Protection Rights
The General Data Protection Regulation (GDPR) provides you with legal rights over the personal data our school holds about you and your child. This guide will explain your rights and help you to use them.
You do not need to know details about which right applies in which case in order to make a request; it’s our responsibility to understand how to handle a request you make.
Your personal data rights are:
- Be Informed
- Access
- Rectify
- Be Forgotten
- Restrict
- Portability
- Object
- Auto Decisions & Profiling
We are committed to helping you to exercise your rights through:
- Keeping our guidance simple
- Making it readily available
- Responding to a request from you:
  - In writing: by means of your choice wherever practical. If you email us, we’ll respond by email unless you ask us to do something different
  - Verbally: if you wish, providing we have proof of ID
  - Promptly: and no longer than a month after receiving it. If your request is particularly large and complicated, we are allowed to extend the deadline by up to 2 months. If we need to do this we’ll let you know within a month and explain why.
  - In plain English: avoiding legal terms where possible, but explaining them where we need to use them
How will you know that a request about me has come from me?
We won’t change, delete or share any of your information without being satisfied that it is you who has asked for this (unless the law allows us to). Where we have doubts about a requestor’s identity, we will ask for proof of ID and won’t go ahead unless we’ve received this and are satisfied that you are identified.
Are you allowed to charge me for a request, or refuse it?
You should not have to pay us when you’re exercising your rights; however, the law does allow us to charge you a reasonable fee if your request is unreasonable or is a repeat of something we’ve already done for you. In these cases we may be allowed to refuse your request rather than charge. If we plan to charge or to refuse your request, we will let you know and explain why we believe the law lets us do this.
There are other reasons in the law which may mean we cannot do what you ask us to do with your personal data. We have explained these under each of your ‘Rights’ in this guide.
What if I’m not happy with your response to my request?
We’ll always do our best to do what you ask with the personal data we hold about you or your child; however, the law places a responsibility on the school to balance your rights against the rights of other people who may be affected and against the legal powers of other organisations. It may not always be the case that your rights are strongest in every situation. We’ll always explain our reasons and will gladly take another look at our decision if you want to challenge it.
If you still feel that we haven’t done what we should then you have the right to complain to the Information Commissioner (ICO). Please see the ICO’s contact details at the end of this guide.
Limiting your Rights
The law allows for the UK Government to make certain decisions which could result in Data Protection rights being reduced to some extent. However, the law requires that any restrictions of this kind must still be in line with your basic human rights and must be what is expected of rules applying to a democratic country.
The Government may decide to limit the rights for reasons such as national security, preventing crime, investigating certain professional conduct cases etc. We have to take these decisions into account when considering requests from you to exercise your rights.
1. Your Right to be Informed
It is important that you know what happens to your personal data whilst we hold it. The law requires us to be honest and open with you about these details and we do this through publishing a number of Privacy Notices on our website, one covering each of the main uses we make of your data.
These Notices are available for you to read and understand so that you know what to expect us to do with your data, either before you share it with us, or where it is given to the school from another organisation that holds it.
We have taken care to explain the details on the Notices in simple language but we would be grateful for any feedback on this to help us with our commitment to review and improve the guidance we give you.
Here are the main things we need to tell you about what we do with your personal data:
- Who we are: School name, the name of our Data Protection Officer and their contact details.
- A description of the type of data we collect about you/ your child
- The reasons why we need this data
- An explanation of how the law allows us to hold and use your data
- Who we might share the data with (either because they provide a service on our behalf or they need it for their own purposes and the law allows this)
- Whether your data may be sent to or stored in a country that is outside the European Economic Area (EEA)
- When we will no longer need your data and how soon after this we’ll delete it
- Which of your rights you are able to use, including the right to withdraw your consent (if this is what allows us to hold your data)
- How to complain to the Information Commissioner’s Office (ICO)
- Where we got your data from (if you didn’t give it to us yourself)
- Whether we use your data to make automated decisions or to do profiling
We will make sure the right Privacy Notice is available to you:
- At the time you share your data with us
- When it has been shared with us by another organisation:
  - No later than a month
  - The first time we contact you, or sooner
  - Before or when we share it with someone else
See our Website for a list of published Privacy Notices
2. Your Right to Access your Information
The personal data we hold about you and your child is still yours. You have the right to ask us for access to the data to satisfy you that our use of your data is lawful. Unless the law prevents us from doing so, we must give you:
- Confirmation that we hold your data
- An explanation of what that data is
- Access to your information
- Confirmation of which Privacy Notice(s) explain why we have your data and what we do with it
When dealing with your request we will:
- Let you know what additional information we may need to identify you
- If a request has been made by someone on your behalf, ensure that they have your permission
- Confirm how you would like to receive your information
- Help you to make your wishes clearer if your request is not clear about the information you want.
- Make sure the information you receive is information you are entitled to under the law – having considered your rights against the rights of others whose information may be included within documents relating to you, and any other legal reason which may prevent us from sharing data.
- Let you know within a month at the latest about any expected delay, for example if your request is complex, about any fee that the law allows us to charge, or explain any reason we may have to refuse your request.
Please note: There is an additional “right of access” to your Child’s ‘Pupil Record’ – as defined in the Education (Pupil Information) (England) Regulations 2005. The timescale for responding to such requests is fifteen days from receipt of the request (excluding the summer holiday). This right is not affected by GDPR.
3. Your Right to have your Data ‘Rectified’
The school has a legal responsibility to make sure the data we hold about you and your child is accurate and complete. Where we are made aware that we may hold inaccurate or misleading data about you we must ‘rectify’ it (change it).
Where you may have moved to a new address, changed contact details or even changed a surname, these are simple changes to make. However, there may be more complex cases where you disagree with an opinion we have recorded about your child’s progress for example, and you may decide to ask us to change this. In some cases the law allows us to refuse to make changes to the personal data we hold and the professional opinion of a qualified teacher is an example where we may decline to fulfil a change request.
Any request to change your personal data will be fairly considered and if, having reviewed a contentious record, we feel it is inaccurate, then we will make changes.
If we do refuse to make changes we will always:
- Explain to you in writing the reasons why we are refusing your request
- Consider adding a statement of your opinion to the record to reflect that there has been a challenge to our professional judgement.
4. Your Right to be Forgotten
Right to erasure (‘right to be forgotten’)
The right to Erasure, known as the right to be forgotten, is where you can ask us to consider deleting information that we hold about you or your child.
We will already have explained to you through our Privacy Notices how long we intend to hold your personal data before we delete it; however, you still have the right to challenge us to delete your data at any time.
You can expect your request for deleting your personal data to be successful if:
- It is no longer ‘necessary’ for us to keep the data for the purpose stated on the relevant Privacy Notice
- We’re holding and using the data based only on your consent, and you have decided to withdraw this consent
- We’re holding and using the data for our ‘legitimate interests’. You may decide to object to this, and we can’t give a reason for keeping it that outweighs your decision.
- We’re holding and using the data to allow us to market goods and services to you and you ask us to stop.
- We have been holding and using your data unlawfully
- Deleting is required by law
- We’re using data about your child to support a chargeable online service
The law has a number of reasons why we are allowed to refuse erasure requests; those that are most likely to apply to schools are where we’re holding or using your data:
- To comply with a legal requirement
- Where we are doing something in the public interest or acting within our role as a school
- To keep a historical record of the school’s activity for future generations
- Where we need it because it supports a legal case
When we agree to delete information about you, we will have procedures in place to let other organisations who we’ve shared your data with know, for example if we have contractors working on our behalf. Our decision to delete your data means that they should delete it also.
When we agree to delete information following your request, or routinely as part of our records management procedures, we will make sure that the data in whatever format is destroyed securely and cannot be reused, or it will be permanently changed so that it can no longer identify you or your child.
5. Your Right to Restrict the Processing of your Data
Should you have concerns about an aspect of what we do with your personal data, such as who we share it with or how we manage it, you have the right to ask us to stop doing it, so that we are still allowed to hold it, but we are ‘restricted’ in the ways we can use your data.
Aside from storing your data, we can only continue to use it when it is under a restriction if:
- We have your consent
- It is to be used for a legal claim or case
- It is needed to support someone else’s rights
- We believe the use is in the public interest.
When use of data is restricted, this may mean we consider doing the following:
- Removing your data from one database or system and storing it in another in order to separate it from data which is still in use
- ‘Locking’ or ‘Protecting’ a record containing your data to prevent staff from accessing and using it.
- Taking published data down from a website.
- Labelling the data to ensure that users are aware of the restriction
You can expect your request for restricting the use of your personal data to be successful if:
- You want our use of your data to stop whilst its accuracy is being reviewed
- The data had been used unlawfully and you opt for a restriction rather than request us to delete (erase) your data
- We don’t believe it is necessary for us to keep your data any longer, but you wish us to keep it for a potential legal case
- You have raised an ‘objection’ and we need time to consider whether your rights outweigh our potential claim that we have a legitimate need to keep using your data
As with other rights, the law allows us to refuse a request in certain circumstances. In this case we can refuse (or charge a reasonable fee) if we believe the request is unfounded or excessive. In such cases we will contact you and explain our decision, and let you know how to complain.
When we decide to lift any restriction on the use of your data, we must let you know about this in advance. We must let you know how this affects any related requests under your rights to ‘rectify’ and to ‘object’, and also let you know how to complain.
6. Your Right to Data Portability
The right to Data Portability gives you the means of asking an organisation to give your personal data to another organisation on your behalf, or back to you for you to give to another organisation – making your data ‘portable’, i.e. easily usable by another supplier of services to you.
The law allows this right to apply in a very narrow set of circumstances which make it highly unlikely that it would apply to any data held by the school, but in brief the right applies when data you have provided:
- Is being held and used by us under your consent or supporting a contract, AND
- The use of the data is being carried out by an automated process (i.e. staff are not involved in physically doing something with the data).
If this right did apply to your data, we would need to provide it in a format that was commonly in use, allowing the majority of software products to read and use the data in an automated way.
7. Your Right to Object to Data Processing
The law provides you with the right to ‘object’ to us holding and using your personal data but only in certain circumstances. Our Privacy Notices will let you know the ‘legal condition’ we are relying on to hold and use your data and they will also explain when you have the right to ‘object’. If we are relying on one of the following, then the right is available to you:
- Legitimate interests, or
- Performance of a task in the public interest/ exercising our official authority (including profiling), or
- Scientific or Historical research and statistics
In order to exercise your right you must have an objection which is specific to your particular situation. You can’t therefore object to our general practices; you must be able to argue that there is something we are doing with your personal data that impacts you specifically.
If this does apply, then we must stop doing what is causing you concern unless we can do one of the following:
- Show you that there are legitimate grounds for our actions and that these outweigh your rights
- Show that our actions with your personal data are necessary to support evidence for a legal case or claim
If we hold your data for direct marketing purposes then we must stop doing so when we receive your objection. We would have no grounds to challenge your decision.
8. Rights over Automated decision-making & Profiling
What do these terms mean?
- Automated decision-making: making decisions about you or your child using your personal data through an automated process, i.e. a computer calculation with no human involvement.
- Profiling: using personal data to make decisions about categorising you or your child based on any number of characteristics.
Where we do this we have to let you know about it on our Privacy Notices. These will explain the process we go through and what the potential consequences are of the decisions made.
The law only allows us to do this kind of activity where decisions are made completely without the need of human help and the outcome of the decision can have a significant impact on an individual in the following circumstances:
- If we were evaluating you or your child as part of entering into a contract (i.e. to see whether someone meets the criteria to be eligible for a contractual service)
- If the law specifically allows it
- You have given us your recorded consent
And we can only use sensitive personal data if:
- We have your recorded consent, or
- We can claim that what we’re doing is important in the public interest
If what we’re doing isn’t completely automated and the decisions are not significant, then we don’t need to rely on these reasons, but we still need to let you know what we’re doing and explain how the law allows us to do it.
The law says that this type of activity has the potential for error that may have consequences, and raises concerns that decisions may be made in ways that aren’t transparent and are potentially unfair. You therefore have the right to:
- Challenge us over decisions we make in this way
- Demand that a member of staff undertakes the process rather than a computer
- Make us aware of your opinions to support decision making
We must make sure that the systems we use to make such decisions are working as they should in order to avoid errors and to ensure we are fair, and we must take reasonable steps to keep your data secure within this process.
Any system we use to carry out this type of process will have been risk assessed and will have been approved by our Data Protection Officer as complying with the law.