Data Protection (GDPR)
Data Protection - GDPR
Below are links to our privacy notices which explain the purposes for which personal data is collected and used, who we share data with, how long it is kept, and the legal basis for processing.
Subject access requests.
Individuals have the right to access the personal data and supplementary information we hold about them. This allows them to be aware of and verify the lawfulness data processing. This right applies to everyone whose personal data our school holds, including staff, governors, volunteers, parents, carers and pupils.
Who deals with subject access requests?
The school’s Data Protection Officer will deal with all subject access requests received.
How we will respond to subject access requests
On receiving a request, our Data Protection Officer will contact the individual via phone to confirm the request was made. We will then verify the identity of the person making a request using ‘reasonable means’. Generally, this means we will ask for two forms of identification.
In most cases, we will provide the information within 1 month, and free of change. If the request is complex or numerous, we can comply within 3 months, but we will inform the individual of this within 1 month and explain why the extension is necessary.
If the request is made electronically, we will provide the information in a commonly used electronic format.
We recognise that school holidays are counted in the response time and if we receive a request in the school holidays, we will still respond within the same time frame.
‘Unfounded or excessive’ requests
If the request is unfounded or excessive, we will either:
- charge a reasonable fee for you to comply, based on the administrative cost of providing the information
- refuse to respond
- comply within 3 months, rather than the usual deadline of 1 month; however, we will always inform the individual of this and will explain why
- Usually, ‘unfounded or excessive’ means that the request is repetitive, or asks for further copies of the same information.
Refusing a request
- When we refuse a request, we will:
- respond within 1 month
- explain why we are refusing the request
- inform the individual that they have the right to complain to the Information Commissioner's Office
- inform the individual of their right to seek to enforce the right of access through a judicial remedy
All complaints, suspected breaches/incidents should be reported to the School Data Protection Officer (firstname.lastname@example.org) immediately.
This will enable us to investigate and respond to any data leakage incident involving personal data.