Beaufort Primary School and Beaufort Nursery

Similar documents
Schools Subject Access Request Procedures

GENERAL COMPLAINT PROCEDURE for LOCAL AUTHORITY SCHOOLS. STAGE 1 - The First Contact: Dealing With Concerns and Complaints Informally

SUBJECT ACCESS REQUEST

General Complaint Procedure December 2012

DATA PROTECTION POLICY STATUTORY

Freedom of Information Policy

FREEDOM OF INFORMATION POLICY

Park View Primary School

Access to Personal Information Procedure

Data Protection Policy

North Yorkshire County Council. Subject Access Request Guidance and Procedure. Data Protection Act 1998

Subject Access Request Procedure

St. Paul s C of E Primary School

Data Protection Policy

Data protection. Guide to the Law Enforcement Provisions

closer look at Rights & remedies

THE PIGGOTT SCHOOL FREEDOM OF INFORMATION POLICY AND GUIDANCE

Clare County Council Data Access Requests Policy

Information Management Unit. Data Protection Policy for Schools BURNT TREE PRIMARY SCHOOL. Date Issued: September 30th 2015

Subject Access and Other Information Rights: Information Governance ( IG ) Policy

Data Protection Bill [HL]

Data Protection Policy. Revisions and Editions Log

Data Protection Policy

Great Leighs Primary School. Data Protection and Freedom of Information Policy. Adopted: April Review Date: April 2018.

Data Protection Bill [HL]

Data Protection Policy. Malta Gaming Authority

PROCEDURE (Essex) / Linked SOP (Kent) Data Protection. Number: W 1011 Date Published: 24 November 2016

THE FREEDOM OF INFORMATION LAW, 2007 (LAW 10 OF 2007) THE FREEDOM OF INFORMATION (GENERAL) REGULATIONS, 2008

FREEDOM OF INFORMATION ACT 2000 POLICY

Data Protection. Standard Operating Procedure

Freedom of Information Policy

Data Protection Act 1998 Policy

Staff Data Protection Policy

Opinion on a notification for Prior Checking received from the Data Protection Officer of the European Ombudsman on verification of telephone bills

Data Protection Policy and Procedure

WINSLOW CE COMBINED SCHOOL

Data Protection Bill: Summary of government amendments for House of Commons Public Bill Committee tabled on 6 March 2018

CHURNET VIEW MIDDLE SCHOOL POLICY FOR FREEDOM OF INFORMATION ACT 2000

CCTV CODE OF PRACTICE

CCTV Code of Practice

How we use Personal Information

Merrydale Infant School Freedom of Information Act

PROCEDURE RIGHTS OF THE DATA SUBJECT PURSUANT TO THE ARTICLES 15 TO 23 OF THE REGULATION 679/2016

Ashton St. Peter s Church of England Voluntary Aided Primary School. Complaints Procedure Policy

NORTH TYNESIDE COUNCIL GOVERNOR SERVICES - LAW AND GOVERNANCE. Guidance for Governing Bodies COMPLAINT PROCEDURE

Individual Rights (Data Privacy) Policy

WHISTLE BLOWING POLICY

September RECRUITMENT, SELECTION AND DISCLOSURES POLICY AND PROCEDURES GENERAL

Safer School Recruitment Policy

GENERAL PROTOCOL FOR SHARING INFORMATION BETWEEN AGENCIES IN KINGSTON UPON HULL AND THE EAST RIDING OF YORKSHIRE

Dauntsey s School Recruitment Policy

SCHOOL POLICY Safeguarding, Disclosure and Barring Policy

Recruitment Policy. This document applies to all parts of The Pilgrims School, including the Early Years Foundations Stage

COMPLAINT POLICY. Version 4.0. Review by Chairs Committee: 19 th May 2014 Adopted by Governing Body: 2 nd June 2014 Next Full Review Due: Summer 2019

Freedom of Information

BERMUDA PUBLIC ACCESS TO INFORMATION REGULATIONS 2014 BR 79 / 2014

DATA PROTECTION (JERSEY) LAW 2005 CODE OF PRACTICE & GUIDANCE ON THE USE OF CCTV GD6

Statutory Policy No 7 DATA PROTECTION POLICY

Data Protection Policy

Freedom of Information Policy, Procedures and Requests

Whistle Blowing Policy

South West Essex Community Education Trust Whistleblowing Policy

Freedom of Information Procedure Manual

St Michael s Prep School Anti-bribery and corruption policy

Recruitment, Selection and Disclosures Policy

Information exempt from the subject access right (section 40(4) and

RECRUITMENT, SELECTION AND DISCLOSURES POLICY AND PROCEDURE

Combar/CLLS Guidance note on the Agreement for the Supply of Services by a Barrister in a Commercial Case

Frequently Asked Questions for Municipalities LOCAL GOVERNMENT BODIES RECORDS

Data Protection Policy

Recruitment, selection and disclosure policy and procedure

MEMORANDUM OF UNDERSTANDING

Guide on Firearms Licensing Law

Disciplinary Policy and Procedure

Whistle Blowing Policy Date Implemented: June 2016 Review Date: June 2018

DATA PROTECTION AND FREEDOM OF INFORMATION POLICY

PROJET DE LOI ENTITLED. The Data Protection (Bailiwick of Guernsey) Law, 2017 ARRANGEMENT OF SECTIONS PART I PRELIMINARY

CODE OF PRACTICE FOR COMMUNITY- BASED CCTV SYSTEMS

2.16 Freedom of Information and Protection of Privacy Act

Decision 202/2011 Ms Geraldine Bell and Glasgow City Council

Application for a visa for a long stay in Belgium This application form is free

Requests for Personal Information from External Bodies

Freedom of Information Act 2000 Policy and Procedure

Disclosure and Barring Service Policy

Health Information Privacy Code 1994

RESTRICTED (when complete)

Closed Circuit Television Code of Practice

Introduction. The highly anticipated text of the Irish Data Protection Bill 2018 has been published.

1/ The Ministerial Code A Proposal DRAFT. (Revised December 15, 2007) THE MINISTERIAL CODE A PROPOSAL BACKGROUND

Privacy Notice (GDPR) Licensing Firearms

Including all of the Pre-Prep Department and Early Years Foundation Stage. Recruitment Policy

Yr Adran Plant, Addysg, Dysgu Gydol Oes a Sgiliau Department for Children, Education, Lifelong Learning and Skills

Recruitment, Selection and Disclosures Policy and Procedure

Advice and Guidance on Managing Complaints against School Governors

How we use Personal Information

John Keble Church of England Primary School

CCTV POLICY. Document Type Corporate Policy. Unique Identifier HS-103

Freedom of Information Act 2000 (Section 50) Decision Notice

Tackling Extremism & Radicalisation Policy

Stivichall Primary School

Transcription:

Beaufort Primary School and Beaufort Nursery Subject Access Request Policy Governor committee responsible: Headteacher Review period: 2 years Date Adopted: May 2018 Next Review: May 2020 1. Introduction and Applicability 1.1. Individuals have the right under the Data Protection Act 1998, (to be superseded by the General Data Protection Regulation (GDPR) on 25th May 2018), subject to certain exemptions, to have access to their personal records that are held by Beaufort Primary School and Nursery (BPSN). This is known as a Subject Access Request (SAR). Requests may be received from pupils, parents, staff or any other individual who BPSN has had dealings with and holds data about that individual. This will include information held both electronically and manually and may also be in the form of photographs or audio recordings. 1.2. Anyone making such a request is entitled to be given a description of the information held, what it is used for, who might use it, who it may be passed on to, where the information was gathered from and information on the expected retention periods of the information held. Under GDPR individuals must also be provided with the right to request rectification or erasure of processing or raise an objection to the processing altogether. 1.3. The Data Protection Act 1998 (and GDPR) applies only to living persons but there are limited rights of access to personal data of deceased persons under the Access to Health Records Act 1990. 1.4. BPSN has developed this policy to guide staff in dealing with Subject Access Requests that may be received. 1.5. The aim of this policy is to inform staff on how to inform pupils, parents or staff on how to make a subject access request, how to recognise a subject access request and know what action to take on receipt. 1.6. This procedure sets out the processes to be followed when responding to a subject access request. This is based on the Information Commissioner s Office Subject Access Code of Practice. 2. Requests made about or on behalf of other individuals 2.1 General Third Party A third party, e.g. solicitor may make a valid SAR on behalf of an individual. However, where a request is made by a third party on behalf of another living individual, appropriate and adequate proof of that individuals consent or evidence of a legal right to act on behalf of that individual e.g. power of attorney must be provided by the third party.

If you think an individual may not understand what information would be disclosed to a third party who has made a SAR on their behalf, you may send the response directly to the individual rather than to the third party. The individual may then choose to share the information with the third party after having had a chance to review it. 2.2 Requests on Behalf of Children Even if a child is too young to understand the implications of subject access rights, information about them is still their personal information and does not belong to anyone else, such as a parent or guardian. So it is the child who has a right of access to the information held about them, even though in the case of young children these rights are likely to be exercised by those with parental responsibility for them. Before responding to a SAR for information held about a child, it should be considered whether the child is mature enough to understand their rights. The Information Commissioner has indicated that in most cases it would be reasonable to assume that any child that is aged 12 years or more would have the capacity to make a subject access request and should therefore be consulted in respect of requests made on their behalf. When considering cases, the following should be taken into account: Where possible, the child s level of maturity and their ability to make decisions like this The nature of the personal data Any court orders relating to parental access or responsibility that may apply Any duty of confidence owed to the child or young person Any consequences of allowing those with parental responsibility access to the child s or young person s information. This is particularly important if there have been allegations of abuse or ill treatment Any detriment to the child or young person if individuals with parental responsibility cannot access this information Any views the child or young person has on whether their parents should have access to information about them 2.3 Requests in respect of Crime and Taxation e.g. from the Police or HMRC Requests for personal information may be made by the above authorities for the following purposes: The prevention or detection of crime The capture or prosecution of offenders The assessment or collection of tax or duty A formal documented request signed by a senior office from the relevant authority is required before proceeding with the request. This request must make it clear that one of the above purposes is being investigated and that not receiving the information would prejudice the investigation. These types of request must be considered by the Data Protection Officer (DPO). 2.4 Court Orders Any Court Order requiring the supply of personal information about an individual must be complied with. 3. Actions on receiving a Subject Access Request (SAR) In order for the BPSN to action a SAR the following must be received: The request must be made in writing preferably on the SAR Proforma, Appendix 1. This may be by letter or email. It is important to note that responses to SAR requests must be returned by a secure methodology. However, where the applicant is not able to make the

request in writing it can be received verbally and a written record of the request made for the file Information must be provided free of charge unless the request is manifestly unfounded, excessive or repetitive. A fee will be charged when a request is received asking for further copies of the same information Proof of identity of the applicant and/or the applicant representative, and proof of right of access to another person s personal information Sufficient information to be able to locate the record or information requested Requests must be dealt with within one calendar month subject to the necessity to seek clarification or collect any fee payable. Under GDPR it is possible to extend this timescale by a further two months where the request is complex or there are numerous requests. If this is the case the BPSN will inform the individual within one month of the request and explain why the extension is necessary. 4. Procedure for Data Subject Access Requests 4.1 Receive Request The request is received from the Data Subject in writing on the BPSN SAR Proforma, Appendix 1, or in a formal letter/email. If it is received as a verbal request the BPSN SAR Proforma must be completed by the member of staff receiving the request. The request should be forwarded to the DPO. 4.2 Verify Request The request will be checked to verify that all information relevant for the request has been given. The applicant will need to provide two forms of identification. 4.3 Log Request The details of the request will be recorded in the subject access log and a letter of acknowledgement sent. 4.4 Process Request The details of the Data Subject will be retrieved into a format suitable for presenting to the applicant. This should include definitions of any codes/references where the explanation is not apparent. Any information sent to the Data Subject should not include any data about, or such that it would allow the Data Subject to identify any third party unless permission has been sought and received from that individual. Care must be taken to ensure that the identity of a third party is not disclosed by either blanking out their names/addresses/identification or providing the information in another format i.e. typed. The only exception to this rule is where other legislation forces you to release that information. Information held for the prevention and detection of a crime e.g. information being used for a case currently under investigation does not need to be disclosed. However, once the investigation has been completed, then the information must be released if a Data Subject requests access to their data. A copy of all the data retrieved must be taken for reference should the data be challenged by the Data Subject and shall become part of the subject access log. 4.5 Provide Data The information must be provided to the applicant within one month of receiving a valid request or within three months if the request is complex or a number of requests are received. 4.6 Close Request When all details have been passed to the applicant the subject access log must be updated accordingly.

4.7 Appeal Procedure If the applicant is not satisfied with the information provided they must contact the DPO who will consider the request and deal with it accordingly. 5. Details to be recorded The following details will be recorded in the subject access log. This will enable the progress of requests to be monitored. Name and address of Data Subject Two forms of identification used to verify request Name and address of applicant, if not the same as the Data Subject Date the request was received Date further information requested to complete the SAR, list information requested Date the request must be completed by Name of member of staff dealing with the request Date the letter of acknowledgement was sent Date request completed and information passed to applicant Comments Type of information requested Copy of the information provided to applicant Key terms Consent - Ensures the processing of personal data is fair and lawful. Data - Information which is processed or recorded manually. Data Subject Access - A request by a Data Subject to be provided with details of the personal data held about him/her. Data Subject - an individual who is the subject of personal data. Personal Data - data which relates to a living individual who can be identified from that data, or from the data and other information held by or likely to be held by the Data Controller. Process/processing - Just about every and any action taken in relation to personal data.

Appendix 1 To Aneesa Ali, Data Protection Officer for Beaufort Primary School and Beaufort Nursery [Your full address] [Phone number] [The date] Subject Access Request This is a request asking you to supply the information about me that I am entitled to under the General Data Protection Regulation (GDPR). This request is being made so I can be aware of the information you are processing about me, and verify the lawfulness of the processing. Here is the necessary information you will need to for my request to be processed: Name Relationship with the school Please select: Pupil / parent / employee / governor / volunteer / other (please specify): Correspondence address Contact number Email address Please provide me with: Insert details of the information you are requesting to enable us to locate the specific information. Please be as precise as possible, for example: Your personnel file Your child s medical records Your child s behaviour record, held by [insert class teacher] Emails between A and B from specific date to specific date If you need any more information from me please let me know as soon as possible. Please bear in mind that under the GDPR you cannot charge a free to provide this information, and in most cases, must supply me with the information within 1 month. Yours sincerely, Your name

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback