- Anti Bullying Policy
- Accessibility Plan
- Accessibility Plan Objectives 2019-2020
- Attendance Policy
- Behaviour Management
- Behaviour Policy
- Capability Policy
- Charging and Remissions Policy
- Child Protection including Safeguarding
- Addendum to Child Protection Policy - COVID19
- Code of Conduct Policy
- Complaints Procedure
- Data Protection Policy
- Dealing with Allegations of Abuse against Members of Staff and Volunteers
- Dorset Admissions Policy 2019-2020
- E Safety Policy
- Early Years Foundation Stage (EYFS) Policy
- Exclusion Policy and Procedures
- GDPR Regulations
- Guidance for schools on records made when there are safeguarding or child protection concerns
- Appendix 1 - Procedure for Access to Personal Information
- Fair Processing Notice
- First Aid
- Grievance Policy
- Health and Safety Policy
- Intimate Care Policy
- Instrument of Government of Community Schools
- Lettings Policy
- Looked After Children
- Mobile Technology
- Offsite Events and Adventurous Activities Policy
- Paying Governors Allowances
- Policy for supporting pupils with medical conditions and managing medicines
- Prevent Risk Assessment
- Private Fostering
- Protection of Biometric Information
- Recruitment and Selection Policy & Procedure
- School Information Report 2018 - 2019
- Social Networking
- Special Educational Needs & Disability (SEND) Policy
- Violence at Work
- Bereavement Policy 2020
- Term Dates
- Pupil Premium
- Disadvantaged Strategy 2019-2020
- Disadvantaged Strategy 2018-2019
- Disadvantaged Strategy 2017-2018
- Pupil Premium 2016-2017
- Pupil Premium 2015-2016
- Pupil Premium 2014-2015
- Pupil Premium 2013-2014
- Sports Premium
- Sports Premium Funding 2018-2019
- Sports Premium Funding 2017-2018
- Sports Premium Funding 2016-2017
- Sports Premium Funding 2015-2016
- Sports Premium Funding 2014-2015
- Emergency Closure
- Reading Support
- Accessibility Policy
- KS1 Phonics Support
- Year 2 SATS Support
Appendix 1 – Procedure for Access to Personal Information
Sturminster Marshall First School
Right of access to information
There are two distinct rights of access to personal information held by schools.
Under the GDPR and the Data Protection Act 2018 an individual (e.g. pupil, parent or member of staff) has a right to request access to their own personal information. In certain circumstances requests may be made by a parent on behalf of their child (see explanation below).
The Education (Pupil Information) (England) Regulations 2005 gives parents the right of access to curricular and educational records relating to their child.
Processing a request
Requests for personal information must be made in writing and addressed to the Headteacher. If the initial request does not clearly identify the information required, then clarification should be sought.
The identity of the requestor must be verified before the disclosure of any personal information, and checks should also be carried out regarding proof of relationship to the child.
Evidence of identity can be established by requesting production of the following (this list is not exhaustive):
- driving licence
- utility bills with the current address
- Birth / Marriage certificate
- Credit Card or Mortgage statement
- Parental Responsibility
Individuals are entitled to be told if we are processing their personal information, obtain a copy of that information and other supplementary information – see below.
In addition to a copy of their personal data, you also have to provide individuals with the following information:
- the purposes for processing their data;
- the categories of personal data concerned;
- the recipients or categories of recipient you disclose the personal data to;
- your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it;
- the existence of their right to request rectification, erasure or restriction or to object to such processing;
- the right to lodge a complaint with the ICO or another supervisory authority;
- information about the source of the data, where it was not obtained directly from the individual;
- the existence of automated decision-making (including profiling); and
- the safeguards you provide if you transfer personal data to a third country or international organisation.
Much of this information will already be included in your privacy notice.
Information can be viewed at the school with a member of staff on hand to help and explain matters if requested or provided at a face to face handover.
The views of the applicant should be taken into account when considering the
method of delivery. If the applicant has asked for the information to be posted then special next day delivery or recorded delivery postal service must be used.
Information relating to children
Children have the same rights of access to their own personal information as adults, and the same rights of privacy. There is no minimum age in English law, however current practice accepts that, provided a child is mature enough to understand their rights, a child of, or over the age of 13 years shall be considered capable of giving consent. This does not rule out receipt of a valid request from a child of a younger age, as each request should be considered on its merits on an individual basis.
When a subject access request is received from a child it will need to be judged whether the child has the capacity to understand the implications of their request and of the information provided as a result of that request. If the child does understand then their request will be dealt with in the same way as that of an adult.
If a parent or legal guardian makes a request on behalf of a child age 13 and over the request will only be complied with when assurances are received that the child has authorised the request and that their consent was not obtained under duress or on the basis of misleading information. If the child does not understand, then a request from a parent or legal guardian for the child’s information will only be complied with when assurances are received that they are acting in the best interests of the child.
GDPR & DPA
The response time for compliance with a subject access request is one month following date of receipt. The timeframe does not begin until the school has received all the information necessary to comply with the request i.e. proof of identity.
You may be able to extend the timeframe by a further two months where requests are complex or numerous. If this is the case, you must inform the individual within one month of the receipt of the request and explain why the extension is necessary.
Requests for information from parents for access to information classed as being part of the education record must be responded to within 15 school days.
Under GDPR & DPA:
Should the information requested be personal information that does not include any information contained within educational records the school cannot make a charge, unless the request is manifestly unfounded or excessive. You may charge a “reasonable fee” for the administrative costs of complying with the request.
The School can also charge a reasonable fee if an individual requests further copies of their data following a request. You must base the fee on the administrative costs of providing further copies.
Under the Education Regulations
The school may make a charge if the information requested relates to the educational record, the amount charged will depend upon the number of pages provided. The fees work on a sliding scale basis as below.
There are some exemptions to the right to subject access that apply in certain circumstances or to certain types of personal information. This means all information must be reviewed prior to disclosure.
Included below are some of the exemptions that apply to a school, this is not an exhaustive list;
Third Party information: If the information held identifies other people, then it will sometimes be right to remove or edit that information so as not to reveal the identity of the third parties, unless the third parties have agreed to the disclosure. (This is less likely to apply to information identifying teachers or other professionals unless to disclose it would cause them serious harm.) Reasonable steps must be taken to obtain third party consent to disclosure. If the third parties cannot be located or do not respond it may still be reasonable to consider disclosure if the information is of importance to the data subject. The school must still adhere to the one month statutory timescale.
Where redaction (information edited/removed) has taken place then a full copy of the information provided should be retained in order to establish, if a complaint is made, what was redacted and why.
Information disclosed should be clear, meaning any codes or technical terms will need to be clarified and explained. If information contained within the disclosure is difficult to read or illegible, then it should be retyped.
Information likely to cause serious harm or distress: Any information which may cause serious harm to the physical or mental
health or emotional condition of the pupil or another individual involved should not be disclosed, nor should information that would reveal that the child is at risk of abuse, or information relating to court proceedings.
Crime and Disorder: If the disclosure of the information is likely to hinder the prevention or detection of a crime, the prosecution or apprehension of offenders, or the assessment or collection of any tax or duty, the information should be withheld.
Legal professional privilege: If the information is general legal advice or advice which relates to anticipated or pending legal proceedings it is subject to ‘legal professional privilege’. The disclosure of any communication to or from a legal advisor to another person (including the data subject) should not take place unless this has first been discussed with the legal advisor concerned.
References: The right of access does not apply to references given (or to be given) in confidence.
Absence of or invalid consent to disclosure: If the data subject is considered incapable of giving valid consent to disclosure (i.e. they do not have the capacity to understand the nature/implications of the access request), or if it is suspected that the consent was obtained under duress by someone acting on their behalf, or based on misleading information, then access should be refused.
Complaints about the above procedures should be made to the Data Protection Officer (DPO) who will decide whether it is appropriate for the complaint to be dealt with in accordance with the school’s complaint procedure.
Complaints which are not appropriate to be dealt with through the school’s complaint procedure can be dealt with by the Information Commissioner. Contact details of both will be provided with the disclosure information.