Scroll to content
School Logo

Highfields Primary School

Data Protection

Subject Access Requests (SAR)

Any individual, person with parental responsibility or young person with sufficient capacity has the right to ask what data the school holds about them and can make a Subject Access Request (SAR). 

 

A SAR can be made verbally or in writing.  A ‘Subject Access Request’ form (Appendix A) is included within this policy to support individuals with making their request. 

 

The Business Manager has been designated as the individual who will coordinate the response to a SAR.

 

The school is required to provide the individual with the data it holds on them within one calendar month.  The school can extend the time to respond by a further two months if the request is complex or they have received a number of requests from the individual. The individual must be contacted at the earliest opportunity, but at least within one month of the school receiving their request, and explain why the extension is necessary.

 

The response to the SAR will generally be provided in the same format that the request was submitted by the individual.

 

It is permissible to ask the individual who has made the request to be more specific about the information that they require in order to ensure that the information they are provided with meets their requirements rather than providing lots of information that may not be relevant to their query.

 

Evidence of the identity of the person making the request and their relationship to the pupil may be required prior to any disclosure of information.  This should be recorded on the SAR Log (Appendix B).

 

Exemptions to a SAR may include:

  • Third party data, for example information about other pupils or adults that are not the data subject or individual making the request
  • Data that could lead to a risk of harm to the data subject or individual making the request
  • Information that is not the personal data of the data subject or individual making the request
  • Management information
  • Records relating to a live investigation (e.g. an ongoing complaint, behaviour, grievance, disciplinary matter etc)
  • Education, Health, Social Work records
  • Examination marks and scripts
  • Safeguarding records
  • Special educational needs records
  • Parental records and reports
  • Legal advice and proceedings
  • Adoption and Court records and/or reports
  • Regulatory activity and official requests e.g. DfE statistical information
  • National security, Crime and taxation
  • Journalism, literature and art
  • Research history, and statistics
  • Confidential references

 

For full details of exemptions to SARs please visit the ICO website:    A guide to the data protection exemptions | ICO

 

 

Subject Access Request Form (SAR)

Data Protection

 

Privacy Notice (GDPR) 

Highfields Primary School respects you and your child's privacy when you use our services and is committed to complying with privacy legislation.

 

The information below is what is referred to as a 'Privacy Notice'. This explains how we use and protect you and your child's personal information.

 

Introduction

Highfields Primary School is the data controller for the use of personal data in this privacy notice.

As a school we collect a significant amount of information about our pupils.  This notice explains why we collect the information, how we use it, the type of information we collect and our lawful reasons to do so.

What type of data is collected?

The DfE and government requires us to collect a lot of data by law, so that they can monitor and support schools more widely, as well as checking on individual schools’ effectiveness.

 

The categories of pupil information that we process include:

 

  • Personal information – (such as name, unique pupil number, contact details and address)
  • Characteristics – (such as ethnicity, language, and free school meal eligibility)
  • Safeguarding information (such as court orders and professional involvement)
  • Special educational needs (including the needs and ranking)
  • Medical and administration (such as doctors information, child health, dental health, allergies, medication and dietary requirements)
  • Attendance information (such as sessions attended, number of absences, absence reasons and any previous schools attended)
  • Assessment and attainment information (such as key stage 1 and phonics results, post 16 courses enrolled for and any relevant results)
  • Behavioural information (such as exclusions and any relevant alternative provision put in place)
  • Photos and video recordings are also personal information

This list is not exhaustive, to access the current list of categories of information we process please see Data Mapping Document on website.

 

Why do we collect data?

We collect and use pupil data for the following purposes:

 

  • To support pupil learning
  • To monitor and report on pupil attainment progress
  • To provide appropriate pastoral care
  • To assess the quality of our services
  • To keep children safe (e.g. food allergies, emergency contact details)
  • To meet the statutory duties placed upon us for the Department of Education (DfE) data collections
  • To fulfil our statutory obligations to safeguard and protect children and vulnerable people
  • To enable targeted, personalised learning for pupils
  • To manage behaviour and effective discipline
  • To comply with our legal obligations to share data
  • To keep pupils, parents and carers informed about school events and school news

 

Our Legal Obligations

We must make sure that information we collect and use about pupils is in line with the UK General Data Protection Regulation (UK GDPR). This means that we must have a lawful reason to collect the data, and that if we share that with another organisation or individual, we must have a legal basis to do so.

The lawful basis for schools to collect information comes from a variety of sources, such as the Education Act 1996, Regulation 5 of The Education (Information About Individual Pupils) (England) Regulations 2013, Article 6 and Article 9 of the UK GDPR.

The Department for Education and Local Authorities require us to collect certain information and report back to them. This is called a ‘public task’ and is recognised in law as it is necessary to provide the information.

We also have obligations to collect data about children who are at risk of suffering harm, and to share that with other agencies who have a responsibility to safeguard children, such as the police and social care.

We also share information about pupils who may need or have an Education Health and Care Plan (or Statement of Special Educational Needs). Medical teams have access to some information about pupils, either by agreement or because the law says we must share that information, for example school nurses may visit the school.

Counselling services, careers services, occupational therapists are the type of people we will share information, so long as we have consent or are required by law to do so.

We must keep up to date information about parents and carers for emergency contacts.

 

Collecting pupil information

We collect pupil information via  registration forms, data collection sheets sent out at the start of each school year, during the school day e.g. for accidents, attendance matters and behavioural issues and Common Transfer File (CTF) or secure file transfer from previous school.

 Pupil data is essential for the schools’ operational use.  Whilst the majority of pupil information you provide to us is mandatory, some of it is requested on a voluntary basis. In order to comply with data protection legislation, we will inform you at the point of collection, whether you are required to provide certain pupil information to us or if you have a choice in this.

 

Storing pupil data

We hold pupil data securely for the set amount of time shown in our data retention schedule.  For more information on our data retention schedule and how we keep your data safe, please visit https://www.highfields-essex.co.uk/data-protection for our Records Management policy and Retention schedule.

 

Who we share pupil information with

We routinely share pupil information with:

 

  • schools that the pupils attend after leaving us
  • our local authority
  • the Department for Education (DfE)
  • Virgin Health Care (School Nurse)
  • social care e.g. Essex Child and Family and Wellbeing Service
  • statutory assessment services
  • our local school partnership
  • Vaccination UK/NHS
  • Ofsted

 

Why we regularly share pupil information

We do not share information about our pupils with anyone without consent unless the law and our policies allow us to do so. We share pupils’ data with the Department for Education (DfE) on a statutory basis. This data sharing underpins school funding and educational attainment policy and monitoring.

Department for Education (DfE)

The Department for Education (DfE) collects personal data from educational settings and local authorities via various statutory data collections.

We are required to share information about our pupils with our local authority (LA) and the Department for Education (DfE) as part of the school census return under section 3 of The Education (Information About Individual Pupils) (England) Regulations 2013.

All data is transferred securely and held by the Department for Education (DfE) under a combination of software and hardware controls, which meet the current government security policy framework.

For more information, please see ‘How Government Uses Your Data’ section of this privacy notice.

For privacy information on the data the Department for Education collects and uses, please see: https://www.gov.uk/government/publications/privacy-information-early-years-foundation-stage-to-key-stage-3

and

https://www.gov.uk/government/publications/privacy-information-key-stage-4-and-5-and-adult-education

 

 

Requesting access to your personal data

Under data protection legislation, parents and pupils have the right to request access to information about them that we hold. To make a request for your personal information, or be given access to your child’s educational record, contact School Business Manager (Data Protection Lead) via office@highfields.essex.sch.uk.

You also have the following rights:

  • the right to be informed about the collection and use of your personal data – this is called ’right to be informed’.
  • the right to ask us for copies of your personal information we have about you – this is called ’right of access’, this is also known as a subject access request (SAR), data subject access request or right of access request.
  • the right to ask us to change any information you think is not accurate or complete – this is called ‘right to rectification’.
  • the right to ask us to delete your personal information – this is called ‘right to erasure’
  • the right to ask us to stop using your information – this is called ‘right to restriction of processing’.
  • the ‘right to object to processing’ of your information, in certain circumstances
  • rights in relation to automated decision making and profiling.
  • the right to withdraw consent at any time (where relevant).
  • the right to complain to the Information Commissioner if you feel we have not used your information in the right way.

 

There are legitimate reasons why we may refuse your information rights request, which depends on why we are processing it. For example, some rights will not apply:

  • right to erasure does not apply when the lawful basis for processing is legal obligation or public task.
  • right to portability does not apply when the lawful basis for processing is legal obligation, vital interests, public task or legitimate interests.
  • right to object does not apply when the lawful basis for processing is contract, legal obligation or vital interests. And if the lawful basis is consent, you don’t haven’t the right to object, but you have the right to withdraw consent.

 

If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance or directly to the Information Commissioner’s Office at https://ico.org.uk/concerns/.

 

For further information on how to request access to personal information held centrally by Department for Education (DfE), please see the ‘How Government uses your data’ section of this notice.

 

Withdrawal of consent and the right to lodge a complaint

 

Where we are processing your personal data with your consent, you have the right to withdraw that consent. If you change your mind, or you are unhappy with our use of your personal data, please let us know by contacting office@highfields.essex.sch.uk

 

Last updated

We may need to update this privacy notice periodically, so we recommend that you revisit this information from time to time. This version was last updated on 5 May 2025.

 

 

Contact

If you would like to discuss anything in this privacy notice, please contact:

School Business Manager (Data Protection Lead) via office@highfields.essex.sch.uk

 

Policies

Staff Privacy Notice

Governors Privacy Notice

Top

Cookies

Unfortunately not the ones with chocolate chips.

Our cookies ensure you get the best experience on our website.

Please make your choice!

Cookies

Some cookies are necessary in order to make this website function correctly. These are set by default and whilst you can block or delete them by changing your browser settings, some functionality such as being able to log in to the website will not work if you do this. The necessary cookies set on this website are as follows:

Website CMS

A 'sessionid' token is required for logging in to the website and a 'crfstoken' token is used to prevent cross site request forgery.
An 'alertDismissed' token is used to prevent certain alerts from re-appearing if they have been dismissed.
An 'awsUploads' object is used to facilitate file uploads.

Matomo

We use Matomo cookies to improve the website performance by capturing information such as browser and device types. The data from this cookie is anonymised.

reCaptcha

Cookies are used to help distinguish between humans and bots on contact forms on this website.

Cookie notice

A cookie is used to store your cookie preferences for this website.

Cookies that are not necessary to make the website work, but which enable additional functionality, can also be set. By default these cookies are disabled, but you can choose to enable them below: