Subject Access Request
Individuals have a right to make a ‘subject access request’ to gain access to personal information that the school holds about them. This includes:
- Confirmation that their personal data is being processed
- Access to a copy of the data
- The purposes of the data processing
- The categories of personal data concerned
- Who the data has been, or will be, shared with
- How long the data will be stored for, or if this isn’t possible, the criteria used to determine this period
- The source of the data, if not the individual
- Whether any automated decision-making is being applied to their data, and what the significance and consequences of this might be for the individual
Subject access requests must be submitted in writing, either by letter, email or fax to the DPO. They should include:
- Name of individual
- Correspondence address
- Contact number and email address
- Details of the information requested
Children and Subject Access Requests
Personal data about a child belongs to that child, and not the child's parents or carers. For a parent or carer to make a subject access request with respect to their child, the child must either be unable to understand their rights and the implications of a subject access request or have given their consent.
Children below the age of 12 are generally not regarded to be mature enough to understand their rights and the implications of a subject access request. Therefore, most subject access requests from parents or carers of pupils at our school may be granted without the express permission of the pupil. This is not a rule and a pupil’s ability to understand their rights will always be judged on a case-by-case basis.
Responding to Subject Access Requests
When responding to requests, we:
- May ask the individual to provide 2 forms of identification
- May contact the individual via phone to confirm the request was made
- Will respond without delay and within 1 month of receipt of the request
- Will provide the information free of charge
- May tell the individual we will comply within 3 months of receipt of the request, where a request is complex or numerous. We will inform the individual of this within 1 month, and explain why the extension is necessary
We will not disclose the information if it:
- Might cause serious harm to the physical or mental health of the pupil or another individual
- Would reveal that the child is at risk of abuse, where the disclosure of that information would not be in the child’s best interests
- Is contained in adoption or parental order records
- Is given to a court in proceedings concerning the child
If the request is unfounded or excessive, we may refuse to act on it, or charge a reasonable fee that takes into account administrative costs.
A request will be deemed to be unfounded or excessive if it is repetitive or asks for further copies of the same information.
When we refuse a request, we will tell the individual why, and tell them they have the right to complain to the ICO.
The GDPR does not prevent a data subject from making a subject access request via a third party. Requests from third parties are dealt with as follows:
- In these cases, we need to be satisfied that the third party making the request is entitled to act on behalf of the data subject.
- It is the third party’s responsibility to provide evidence of this entitlement.
- This might be a written authority to make the request or it might be a more general power of attorney.
- If there is no evidence that the third party is authorised to act on behalf of the data subject, we are not required to respond to the SAR.
- However, if we are able to contact the data subject, we will respond to them directly to confirm whether they wish to make a SAR.
Full details of the process are in the Data Protection Policy under ‘Key Information’, ‘Policies’.