Contents
1. Introduction and purpose
2. Policy Statement
3. Scope of the Policy
4. Key Definitions
5. Roles and Responsibilities
6. How can an individual make a SAR?
7. Can individuals request personal information on behalf of another person?
8. How long does the school have to respond?
9. What charges apply?
10. What is the school procedure when it receives a request?
11. How do staff locate the information requested?
12. Can the school provide all information found relating to the data subject?
13. What is a double check?
14. How does the school provide data in response to a SAR?
15. What is the procedure if the requester is not satisfied?
15.1. Appealing a decision to refuse disclosure of information
15.2. Complaining to the Information Commissioner's Office
16. Related documents
17. Review of the Policy
School Subject Access Request (SAR) Procedure
1. Introduction and purpose
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (the Act) give individuals a right of access to the personal records held about them by MTO Persian School (the School). Subject access is a fundamental right for individuals. It is also an opportunity for the school to provide excellent customer service by responding to Subject Access Requests (SARs) efficiently and transparently, and by maximising the quality of the personal information it holds. This Policy explains how the school will fulfil its obligations under the GDPR.
2. Policy Statement
The school regards the GDPR as an important mechanism in achieving an honest, safe and open relationship with its parents, students and employees.
Subject access is most often used by individuals who want to see a copy of the information the school holds about them. However, subject access goes further than this and an individual is entitled to be:
● Told whether any personal data is being processed;
● Given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
● Given a copy of the personal data; and
● Given details of the source of the data (where this is available).
An individual can also request information about the reasoning behind any automated decisions taken about him or her, such as a computer-generated decision about a benefit or grant entitlement, or an assessment of performance at work.
The aim of this policy is to ensure that the school complies with its legal obligations under the GDPR and the Data Protection Act 2018. It also aims to ensure that the school:
● has robust processes in place for dealing with SARs, saving time and effort;
● increases levels of trust and confidence by being open with individuals about the personal information it holds;
● improves the transparency of its activities in line with public policy requirements.
This policy should be read in conjunction with the Subject Access Request Procedure.
3. Scope of the Policy
This document outlines how an applicant can make a request for their personal information under the Act and how it will be processed.
This is not a legal document. It does not confer rights nor override any legal or statutory provisions which either require or prevent disclosure of personal information.
This document takes into account the key features of the Act and outlines how the school will take steps to ensure compliance in relation to requests for personal information.
Requests for access to the records of people who are deceased are not within scope of this Policy as the Act only applies to the data of living individuals. Such requests will be treated as requests for access to information under the Freedom of Information Act or as miscellaneous requests, depending on the nature of the data and the reason the data is being requested.
4. Key Definitions
Subject Access Request (SAR): A request by a living person for access to their personal data under the Act is known as a Subject Access Request or SAR. All records that contain the personal data of the subject will be made available, subject to certain exemptions.

Freedom of Information Request (FOI): A request for access to data held by the school that is dealt with under the Freedom of Information Act 2000 is known as a Freedom of Information Request or FOI. Requests for the data of deceased people may be processed under this

Personal Data: Personal data means data which relates to a living individual who can be identified, directly or indirectly, from the data, in particular by reference to an identifier. Personal data can be factual (such as a name, address or date of birth) or it can be an opinion (such as a performance appraisal).

Special Category Data: Certain personal data, known as special category data, is given additional protection under the Act because its misuse could create more significant risks to a person's fundamental rights and freedoms, for example by putting them at risk of unlawful discrimination. Special category data includes:
● a person's racial or ethnic origin;
● political opinions;
● religious or similar beliefs;
● trade union membership;
● physical or mental health or condition, or sexual life;
● biometric or genetic data.

Data Controller: The organisation which determines the purposes for which, and the manner in which, personal data is processed is known as the data controller. The school is the data controller for all personal data used and held within each part of the school.

Data Processors: Organisations or individuals who process personal data on behalf of a data controller are known as data processors. Employees of the data controller are excluded from this definition, but it could include suppliers which handle personal data on the school's behalf.

Data Subject: A living individual who is the subject of personal data is known as the data subject. The data subject need not be a UK national or resident: provided that the data controller is subject to the Act, rights with regard to personal data are available to every data subject, whatever their nationality or residence.

Third Party: An individual who is not the subject of the data but may be connected to or affected by it is known as a third party.

Relevant Professional: The practitioners who supply information held on Social Services records and various other medical and educational records. A relevant professional will consider whether disclosure is likely to cause serious physical or mental harm to the applicant or any third party.
5. Roles and Responsibilities
Adhering to the Data Protection Act 2018 is the responsibility of every member of staff acting for or on behalf of the school. Subject Access Requests fall within the data protection statutory framework, and the ability to identify and appropriately handle a request for information is considered to be part of every employee's role.
The primary responsibility is to ensure that Subject Access Requests are in the first instance directed to the Data Protection Officer at firstname.lastname@example.org. The team will log the request, acknowledge it and pass the case to the relevant school staff for response. It is important that requests are processed as soon as they are received, to assist in meeting the statutory deadline.
Miss Ghoncheh Dolatshahi, Data Protection Officer: Holds overall responsibility for compliance with the Act as the school's Data Protection Officer.

Mrs Leila Mobayen, Data Protection Manager: Has responsibility for the management of Subject Access Requests; this includes assisting the Data Protection Officer in dealing with complaints from the Information Commissioner's Office, general compliance issues, and data subject queries and concerns. Ensures that SARs are responded to in a timely manner and that only data the data subject is entitled to access is sent out. Also responsible for completing a double check of all SARs before they are securely

Employees: All employees, including temporary staff, must understand their duty of care to ensure the confidentiality of all personal data. In addition, they must have an understanding of this policy and know where to direct individuals enquiring about subject access requests.
6. How can an individual make a SAR?
A valid SAR must always be made in writing. Most SARs are made by parents and members of staff via email or post. It is common for a request for personal data to be linked with a complaint or with a Freedom of Information request.
NOTE: No matter how a request is received there is no requirement for the requester to mention either the GDPR, the Data Protection Act or Subject Access for it to be a valid request. In some cases, the requester may even state the wrong legislation e.g. Freedom of Information Act, but the request will still be valid.
Either way, it is the responsibility of the staff member dealing with the request to appropriately recognise a request as one for personal data, i.e. information relating to the requester, and process it accordingly. Failing to recognise a SAR is not an excuse for non-response and the school will still fall foul of the Data Protection Act should a response not be provided in a prompt and appropriate manner.
7. Can individuals request personal information on behalf of another person?
GDPR allows for an individual to make a request on behalf of another person. This may be a solicitor acting on behalf of the individual, a parent making a request for their child’s information, a third party making the request for someone who has limited capacity, or indeed many other reasons.
However, whilst the Act allows us in certain circumstances to process a request in this way, there are a number of considerations and checks that need to be undertaken before you process a request which is made on behalf of another person. For example, a parent is not necessarily automatically entitled to information about their children. Further information with regards to SARs made on behalf of another person can be found in the Subject Access Procedure.
8. How long does the school have to respond?
The school has a maximum of one month, starting from the day the request (and proof of identity, where required) is received, in which to respond. This is a statutory requirement which must be adhered to. In exceptional circumstances, for example where a request is particularly complex or the school has received several requests from the same individual, the period may be extended; the requester must be told within the first month that an extension applies and why.
9. What charges apply?
The information will be provided free of charge.
However, a ‘reasonable fee’ may be charged when a request is manifestly unfounded or excessive, particularly if it is repetitive or when the school is asked for further copies of the same information. The fee will be based on the administrative cost of providing the information.
10. What is the school procedure when it receives a request?
In practice, if someone wants to see a small part of their data (for example an exam result or a written consent), the school will apply common sense. A formal SAR will not be required if the individual can prove their identity, the information is readily available there and then, and no third-party data would be unreasonably released. Such requests should be dealt with quickly, as business as usual and with little formality.
All other (“non-routine”) requests for personal data which are likely to take a reasonable amount of resource must be directed to the Data Protection Officer (DPO). Should a request be received by school staff, it is important that they alert the Data Protection Officer, the Data Protection Manager and the Headteacher straight away.
11. How do staff locate the information requested?
Well-structured file plans and standard file naming conventions are in place within the school to assist in locating information easily. The school cannot use poor file management or poor knowledge of its systems as a reason for being unable to respond to a SAR effectively. Requests for information are not limited to "live" files: SARs cover all information held by the school, regardless of the format it is in or where it is stored, including closed or archived records. There is no exemption or time threshold based on the amount of time it may take members of staff to locate the information requested.
Further information with regards to resource intensive or complex SARs can be found in the Subject Access Procedure. Staff should refer to the Data Retention Policy to identify how many years’ data is available.
12. Can the school provide all information found relating to the data subject?
The school must consider whether it is possible to comply with the SAR without revealing information that relates to and identifies a third-party individual or any other exempt information.
Examples of third-party information that cannot be shared routinely without specialist consideration are:
- Safeguarding concerns which may contain information about multiple children including siblings and estranged
- Files containing legally privileged
- Files containing advice from relevant professionals such as doctors, police or probation services.
- Employee files containing information identifying managers or colleagues who have contributed to (or are discussed in) that
Special consideration should be given to sharing this type of information. More information can be found in the Subject Access Procedure.
Subject to the above, the school will make available the following information:
- Personal and other details found in the pupil/staff main file and Safeguarding or SEND file if appropriate.
- Reports of any internal investigations such as disciplinary or bullying allegations where the allegation is
- A print-out of all information held on the school’s data
- A print-out of all information held on Live
13. What is a double check?
Before a SAR response is sent out to the data subject, Senior Management are required to carry out a double check. This is done to ensure that all third-party data has been removed appropriately and that any documents have been redacted appropriately.
Third party data sent out in error to the wrong person constitutes a data breach under the Data Protection Act 2018 and can have very serious consequences for the school (see section 5 above).
The Data Protection Manager or Headteacher will be responsible for completing a double check of the information to be provided to the data subject. For further guidance on the double check please refer to the Subject Access Request Procedure.
14. How does the school provide data in response to a SAR?
Once all of the information has been collated (duplicates and third-party information have been removed or redacted, and a double check has been carried out), the information will be provided securely, either as a paper copy, electronically, or in person at a meeting with the data subject.
The school is required to provide the copies in a format requested by the data subject. For further information on how to respond securely to a SAR please refer to the Subject Access Request Procedure.
15. What is the procedure if the requester is not satisfied?
The school will provide a right of complaint to all applicants in the event they are dissatisfied with the handling of their request. If an applicant is unhappy with the service they have received, they should firstly contact the Data Protection Officer.
If the applicant is dissatisfied with the content of the information they have received, they should also make a complaint in writing to the Headteacher. If an applicant remains dissatisfied with the outcome of their Stage 1 complaint, the school will seek advice from the Herts for Learning GDPR team.
The Data Protection Officer will make an independent assessment of the case. If the applicant remains dissatisfied, they may ask the Information Commissioner's Office to carry out an independent investigation.
15.1. Appealing a decision to refuse disclosure of information
If the school refuses to disclose information in response to a subject access request, the school should offer the applicant an opportunity to appeal the initial decision. If the applicant believes that an error has been made in the response to their SAR, they are able to appeal the school’s decision by seeking an internal review. This should be directed to the Data Protection Officer.
Once an appeal has been received, the complainant will receive an acknowledgement, and the request and the response to it will be reconsidered. The applicant will be notified of the outcome of the internal review as soon as possible. All internal reviews will be concluded within 20 working days.
If an applicant’s appeal is successful, they will receive the information they requested as soon as possible. If the appeal is unsuccessful, the school will provide a detailed explanation of the findings and supply further information on how to take the matter further.
15.2. Complaining to the Information Commissioner's Office
If an applicant is not satisfied with the outcome of the school's decisions, they have the right to submit a complaint to the Information Commissioner's Office. The Information Commissioner's Office will make an initial assessment of the case before carrying out an investigation.
The Information Commissioner's Office has published guidance for applicants on how to complain on its website, www.ico.gov.uk
16. Related documents
- Data Breach Policy
- Data Protection Policy
- Privacy notice
- Data Retention Policy
- Online Security Policy
17. Review of the Policy
This policy will be reviewed as a minimum every 2 years to ensure that the school meets statutory requirements and any codes of practice made under the Act.
School Subject Access Request (SAR) Procedure
Request for information
All Subject Access Requests for data held by the school should be sent to email@example.com / firstname.lastname@example.org
All requests will be acknowledged in writing with the request for a completed Subject Access Request Form (see appendix B) and documentation proving identity.
The identity of the requester must be established before any information is disclosed, and where a request concerns a pupil, proof of the requester's relationship to the pupil must also be checked. Evidence of identity can be established by requesting three documents, one of which must be photo ID and one of which must confirm the current home address, for example:
- driving licence
- birth or marriage certificate
- utility bill less than 3 months old
- credit card or bank statement less than 3 months old
Who can request access?
Any individual has the right of access to information held about them. For pupils, however, this depends on their capacity to understand (normally age 12 or above) and on the nature of the request. The Headteacher should discuss the request with the child and take their views into account when making a decision. A child who is competent to understand can refuse to consent to the request for their records. Where the child is not deemed to be competent, an individual with parental responsibility or a guardian shall make the decision on behalf of the child.
It is important to recognise that children are entitled to privacy and that there may be a duty of confidentiality owed to them which must be respected. Before telling a parent that their child has made a SAR, the school will ask the pupil whether they object to their parents becoming aware of the request, and will abide by the pupil's wishes unless there is an overriding public interest reason why it should not. Before proceeding to inform a parent in these circumstances, the advice of the Data Protection Officer should be sought.
The school will endeavour to acknowledge receipt of a SAR within 2 working days, except for SARs received during the school holidays. The response time for providing information, once a SAR is officially received, is 30 calendar days; the 30 days do not commence until proof of identity has been received and the information sought has been clarified. The school will respond promptly to a SAR and will inform the person requesting the information if any delays are foreseen.
Data which should not be disclosed
The General Data Protection Regulation (GDPR) allows exemptions from the provision of some information; therefore, all information will be reviewed prior to disclosure. The following points must be considered:
- Third-party information is information that has been provided by another person; this may be another pupil, a parent or a member of the family. The school must consider whether the information was given in circumstances where an expectation of confidentiality has arisen. The school must also consider whether or not the information is already known to the pupil or parent concerned. If the information is in the public domain, and/or the school is satisfied that the information is already known, then it may be
- Information provided by the police, the Local Authority, a health care professional or another school may also have been provided to the school in the expectation that it will be held confidentially. Where the information is a health record made by a health care professional, the consent of that professional must be sought before it may be
- Any information which it is believed may cause serious harm to the physical or mental health or emotional condition of the pupil or another person should not be disclosed, nor should information that would reveal that the child is at risk of abuse, or information relating to court
- There is no right of access to information kept individually by teachers or other staff in notebooks or teacher mark books. This includes such records generated and held electronically.
- Information provided must not include data relating to other individuals, so some documents will require the redaction of names. Where redaction (information blacked out or removed) has taken place, a full unredacted copy of the information provided should be retained in order to establish, if a complaint is made, what was redacted and
If there are concerns over the disclosure of information, additional advice should be sought from the school's Data Protection Officer.
How the data should be provided
Information disclosed should be clear, so any codes or technical terms will need to be clarified and explained. If information contained within the disclosure is difficult to read or illegible, it should be retyped. If necessary, information can be provided at the school with a member of staff on hand to help and explain matters if requested, or provided at a face-to-face handover.
The views of the applicant should be taken into account when considering the method of delivery. If postal systems have to be used, registered or recorded mail must be used. If electronic delivery is preferred, the files must be password protected, and the password must be sent to the requester by a separate channel (for example by telephone) rather than in the same message as the files. If the information is handed over in paper format directly to the individual, it is important to see ID to confirm their identity.
Logging a SAR and tracking progress
The Data Protection Manager will keep a log of the date of receipt of each request and the date proof of ID was received, and will ensure that the data is provided within the 30-day period. The date the data is sent will be recorded, as will the date and progress of any appeals or further correspondence.