Sturminster Marshall First School

Grow, Achieve, Inspire, Nurture. SMFS where learning is an adventure.

Appendix 1 – Procedure for Access to Personal Information

Sturminster Marshall First School

Right of access to information

There are two distinct rights of access to personal information held by schools.

Under the GDPR and the Data Protection Act 2018 an individual (e.g. pupil, parent or member of staff) has a right to request access to their own personal information.  In certain circumstances requests may be made by a parent on behalf of their child (see explanation below).

The Education (Pupil Information) (England) Regulations 2005 gives parents the right of access to curricular and educational records relating to their child.

Processing a request

Requests for personal information must be made in writing and addressed to the Headteacher. If the initial request does not clearly identify the information required, then clarification should be sought.

The identity of the requestor must be verified before the disclosure of any personal information, and checks should also be carried out regarding proof of relationship to the child.

Evidence of identity can be established by requesting production of the following (this list is not exhaustive):

  • passport
  • driving licence
  • utility bills with the current address
  • Birth / Marriage certificate
  • P45/P60
  • Credit Card or Mortgage statement
  • Parental Responsibility

Individuals are entitled to be told if we are processing their personal information, obtain a copy of that information and other supplementary information – see below.

In addition to a copy of their personal data, you also have to provide individuals with the following information:

  • the purposes for processing their data;
  • the categories of personal data concerned;
  • the recipients or categories of recipient you disclose the personal data to;
  • your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it;
  • the existence of their right to request rectification, erasure or restriction or to object to such processing;
  • the right to lodge a complaint with the ICO or another supervisory authority;
  • information about the source of the data, where it was not obtained directly from the individual;
  • the existence of automated decision-making (including profiling); and
  • the safeguards you provide if you transfer personal data to a third country or international organisation.

Much of this information will already be included in your privacy notice.

Information can be viewed at the school with a member of staff on hand to help and explain matters if requested or provided at a face to face handover.

The views of the applicant should be taken into account when considering the

method of delivery. If the applicant has asked for the information to be posted then special next day delivery or recorded delivery postal service must be used.

Information relating to children

Children have the same rights of access to their own personal information as adults, and the same rights of privacy. There is no minimum age in English law, however current practice accepts that, provided a child is mature enough to understand their rights, a child of, or over the age of 13 years shall be considered capable of giving consent.  This does not rule out receipt of a valid request from a child of a younger age, as each request should be considered on its merits on an individual basis.

When a subject access request is received from a child it will need to be judged whether the child has the capacity to understand the implications of their request and of the information provided as a result of that request. If the child does understand then their request will be dealt with in the same way as that of an adult.

If a parent or legal guardian makes a request on behalf of a child age 13 and over the request will only be complied with when assurances are received that the child has authorised the request and that their consent was not obtained under duress or on the basis of misleading information. If the child does not understand, then a request from a parent or legal guardian for the child’s information will only be complied with when assurances are received that they are acting in the best interests of the child.

Response time

GDPR & DPA

The response time for compliance with a subject access request is one month following date of receipt. The timeframe does not begin until the school has received all the information necessary to comply with the request i.e. proof of identity.

You may be able to extend the timeframe by a further two months where requests are complex or numerous. If this is the case, you must inform the individual within one month of the receipt of the request and explain why the extension is necessary.

Education Regulations

Requests for information from parents for access to information classed as being part of the education record must be responded to within 15 school days.

Charges

Under GDPR & DPA:

Should the information requested be personal information that does not include any information contained within educational records the school cannot make a charge, unless the request is manifestly unfounded or excessive.  You may charge a “reasonable fee” for the administrative costs of complying with the request.

The School can also charge a reasonable fee if an individual requests further copies of their data following a request. You must base the fee on the administrative costs of providing further copies.

Under the Education Regulations

The school may make a charge if the information requested relates to the educational record, the amount charged will depend upon the number of pages provided.  The fees work on a sliding scale basis as below.

 

Number

of pages

Maximum

fee

1-19

£1

20-29

£2

30-39

£3

40-49

£4

50-59

£5

60-69

£6

70-79

£7

80-89

£8

90-99

£9

100-149

£10

150-199

£15

200-249

£20

250-299

£25

300-349

£30

350-399

£35

400-449

£40

450-499

£45

500+

£50

Exemptions

There are some exemptions to the right to subject access that apply in certain circumstances or to certain types of personal information.  This means all information must be reviewed prior to disclosure.

Included below are some of the exemptions that apply to a school, this is not an exhaustive list;

Third Party information: If the information held identifies other people, then it will sometimes be right to remove or edit that information so as not to reveal the identity of the third parties, unless the third parties have agreed to the disclosure. (This is less likely to apply to information identifying teachers or other professionals unless to disclose it would cause them serious harm.) Reasonable steps must be taken to obtain third party consent to disclosure. If the third parties cannot be located or do not respond it may still be reasonable to consider disclosure if the information is of importance to the data subject.  The school must still adhere to the one month statutory timescale.

Where redaction (information edited/removed) has taken place then a full copy of the information provided should be retained in order to establish, if a complaint is made, what was redacted and why.

Information disclosed should be clear, meaning any codes or technical terms will need to be clarified and explained. If information contained within the disclosure is difficult to read or illegible, then it should be retyped.

Information likely to cause serious harm or distress: Any information which may cause serious harm to the physical or mental

health or emotional condition of the pupil or another individual involved should not be disclosed, nor should information that would reveal that the child is at risk of abuse, or information relating to court proceedings.

Crime and Disorder: If the disclosure of the information is likely to hinder the prevention or detection of a crime, the prosecution or apprehension of offenders, or the assessment or collection of any tax or duty, the information should be withheld.

Legal professional privilege: If the information is general legal advice or advice which relates to anticipated or pending legal proceedings it is subject to ‘legal professional privilege’. The disclosure of any communication to or from a legal advisor to another person (including the data subject) should not take place unless this has first been discussed with the legal advisor concerned.

References: The right of access does not apply to references given (or to be given) in confidence. 

Absence of or invalid consent to disclosure: If the data subject is considered incapable of giving valid consent to disclosure (i.e. they do not have the capacity to understand the nature/implications of the access request), or if it is suspected that the consent was obtained under duress by someone acting on their behalf, or based on misleading information, then access should be refused.

Complaints

Complaints about the above procedures should be made to the Data Protection Officer (DPO) who will decide whether it is appropriate for the complaint to be dealt with in accordance with the school’s complaint procedure. 

Complaints which are not appropriate to be dealt with through the school’s complaint procedure can be dealt with by the Information Commissioner. Contact details of both will be provided with the disclosure information.