Subject Access Requests (SAR)
Any individual, person with parental responsibility or young person with sufficient capacity has the right to ask what data the school/academy holds about them and can make a Subject Access Request (SAR).
Please complete a SAR request form and email it to firstname.lastname@example.org for the attention of Mrs. Louise Riddlestone.
The school is required to provide the individual with the data it holds on them within one calendar month. The school can extend the time to respond by a further two months if the request is complex or it has received a number of requests from the individual. The individual must be contacted within one month of the school receiving their request and told why the extension is necessary.
The response to the SAR will be provided in an electronic form.
It is permissible to ask the individual who has made the request to be more specific about the information that they require in order to ensure that the information they are provided with meets their requirements rather than providing lots of information that may not be relevant to their query.
Evidence of the identity of the person making the request and their relationship to the pupil must be gained prior to any disclosure of information. This should be recorded on the SAR Log (Appendix B).
Exemptions to a SAR may include:
Education, Health, Social Work records
Examination marks and scripts
Special educational needs
Parental records and reports
Legal advice and proceedings
Adoption and Court records and/or reports
Regulatory activity and official requests e.g. DfE statistical information
National security, Crime and taxation
Journalism, literature and art
Research, history and statistics
For full details of exemptions to a SAR please visit the ICO website: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/exemptions/
Subject Access Request Form (SAR)
Privacy Notice (GDPR) 2018
Highfields Primary School respects your and your child's privacy when you use our services and is committed to complying with privacy legislation.
The information below is what is referred to as a 'Privacy Notice'. This explains how we use and protect your and your child's personal information.
We, Highfields Primary School, are the Data Controller for the purposes of data protection law. We have a Data Protection Officer whose role it is to ensure that any personal information processed by us is processed fairly and lawfully (respecting your rights and ensuring we follow the law). If you have any concerns or questions regarding how we look after your personal information, please contact SBM Services Ltd, via Mrs. Louise Riddlestone at email@example.com
1. The categories of pupil & parent / legal guardian / carer information that we collect, hold and share include but are not limited to:
Identifying information (such as name, unique pupil number and address, parents' National Insurance number).
Contact details and preferences (contact telephone numbers, email addresses, addresses)
Characteristics (such as ethnicity, religion, language, nationality, country of birth and free school meal eligibility)
Attendance information (such as sessions attended, number of absences and absence reasons)
Assessment information (such as data scores, tracking, and internal and external testing)
Relevant medical information (such as NHS information, health checks, physical and mental health care, immunisation program and allergies)
Special educational needs information (such as Education and Health Care Plans, applications for support, care or support plans)
Photographs (for internal safeguarding & security purposes, school newsletters, educational, media and promotional purposes).
We may also hold data about pupils and parents that we have received from other organisations, including other schools, local authorities and the Department for Education.
2. Why we collect and use this information
We use this personal data for one or more of the following purposes:
Support our pupils’ learning
Monitor and report on their progress
Provide appropriate pastoral care
Assess the quality of our services
Meet our safeguarding and pupil welfare duties
Administer admissions waiting lists
Inform you about events and other things happening in the school
Comply with the law regarding data sharing
This information will include contact details, national curriculum assessment results, attendance information, any exclusion information, where pupils go after they leave us and personal characteristics such as their ethnic group, any special educational needs they may have as well as relevant medical information.
3. The legal reasons for processing personal information
Our lawful basis for collecting and processing pupil information is defined under Article 6 of the GDPR. Generally we collect and use personal information in the following circumstances:
Where you, or your legal representative, have given consent
Where it is necessary to perform our statutory duties
Where it is necessary to protect someone or assist in an emergency
Where it is required by the law
Where it is necessary for employment purposes
Where you have made your data publicly available
Where it is necessary to establish, exercise or defend a legal claim
Where it is in the substantial public interest
Where it is necessary to protect public health
Where it is necessary for archiving public interest material, research, or statistical purposes
4. Collecting pupil and parent / legal guardian / carer information
Whilst the majority of information you provide to us is mandatory, some of it is provided on a voluntary basis. We will inform you whether you are required to provide certain pupil or personal information to us or if you have a choice in this. We will not give information about our pupils or you to anyone without your consent unless the law and our policies allow us to do so. Where we have obtained consent to use pupils’ or your personal data, this consent can be withdrawn at any time. We will make this clear when we ask for consent, and explain how consent can be withdrawn. If you wish to withdraw your consent, please contact Mrs. Louise Riddlestone at firstname.lastname@example.org
5. Storing pupil data
We hold pupil and parent / legal guardian / carer data whilst the child remains at Highfields Primary School. The file will follow the pupil when he / she leaves Highfields Primary School. However, where there is a legal obligation to retain the information beyond that period, it will be retained in line with our retention policy. We have data protection policies and procedures in place, including strong organisational and technical measures, which are regularly reviewed.
6. Who we share pupil and parent / legal guardian / carer information with
Highfields Primary School will only share pupil information where there is a legitimate and lawful basis for its use.
Our local authority – to meet our legal obligations to share certain information with it, such as safeguarding concerns and exclusions
The Department for Education
The pupil’s family and representatives
Educators and examining bodies
Suppliers and service providers – to enable them to provide the service we have contracted them for
Central and local government
Health and social welfare organisations
Professional advisers and consultants
Police forces, courts, tribunals
Schools that the pupils attend after leaving us
7. Why we share pupil and parent / legal guardian / carer information
We do not share information about our pupils or you with anyone in the list in section 6 above without consent unless the law and our policies allow us to do so. Our policies will only allow us to share information without consent where it is in the interest of the pupil and / or the quality of the education pupils at our school receive, to do so.
We are required, by law, to pass certain information about our pupils to our local authority (LA) and the Department for Education (DfE). This data underpins school funding and educational attainment policy and monitoring.
The DfE may also share pupil level personal data that we supply to them, with third parties. This will only take place where legislation allows it to do so and it is in compliance with the Data Protection Act 1998.
Decisions on whether the DfE releases this personal data to third parties are subject to a robust approval process and are based on a detailed assessment of who is requesting the data, the purpose for which it is required, the level and sensitivity of data requested and the arrangements in place to store and handle the data. To be granted access to pupil level data, requestors must comply with strict terms and conditions covering the confidentiality and handling of data, security arrangements and retention and use of the data.
For more information on how this sharing process works, please visit: https://www.gov.uk/guidance/national-pupil-database-apply-for-a-data-extract
8. Data collection requirements
To find out more about the data collection requirements placed on us by the Department for Education (for example, via the school census) go to https://www.gov.uk/education/data-collection-and-censuses-for-schools.
For information on which third party organisations (and for which project) pupil level data has been provided to, please visit: https://www.gov.uk/government/publications/national-pupil-database-requests-received
If you need more information about how our local authority and/or DfE collect and use your information, please visit:
Essex Local Authority website https://www.essex.gov.uk/privacy-notices/Pages/Default.aspx
The DfE website at https://www.gov.uk/data-protection-how-we-collect-and-share-research-data
9. Your privacy rights
The law provides you with a number of rights to control the processing of your or your child's personal information.
Accessing the information we hold about you and your child
You have the right to ask for all the information we have about you or your child. When we receive a request from you in writing, we must normally give you access to everything we have recorded about you or your child. However, we will not let you see any parts of your or your child's record which contain:
• Confidential information about other people; or
• Data an information professional thinks will cause serious harm to your or someone else’s physical or mental wellbeing; or
• Data whose disclosure we think may adversely affect the prevention or detection of crime.
This applies to paper and electronic records. If you ask us, we will also let others see your record (except if one of the points above applies). If you cannot ask for your records in writing, we will make sure there are other ways you can apply.
If you have any queries regarding access to your information please contact Mrs. Louise Riddlestone at email@example.com
Changing information you believe to be inaccurate
You should let us know if you disagree with something written on your or your child's file. We may not always be able to change or remove the information; however, we will correct factual inaccuracies and may include your comments in the records. Please use the contact details above to report inaccurate information.
Asking for your or your child's information to be deleted (right to be forgotten)
In some circumstances you can request the erasure of the personal information used by the organisation, for example:
• Where the personal information is no longer needed for the purpose for which it was collected.
• Where you have withdrawn your consent to the use of your or your child's information (where there is no other legal basis for the processing).
• Where there is no legal basis for the use of your or your child's information.
• Where erasure is a legal obligation.
Where personal information has been shared with others, we shall make every reasonable effort to ensure those using your or your child's personal information comply with your request for erasure.
Please note that the right to erasure does not extend to using your or your child's personal information where:
• It is required by law.
• It is used for exercising the right of freedom of expression.
• It is in the public interest in the area of public health.
• It is for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes where it would seriously affect the achievement of the objectives of the processing.
• It is necessary for the establishment, defence or exercise of legal claims.
Restricting what your or your child's information is used for
You have the right to ask us to restrict the use of your or your child's personal data where one of the following applies:
• You have identified inaccurate information, and have notified us of this.
• Where using your or your child's information is unlawful, and you wish us to restrict rather than erase the information.
• Where you have objected to us using the information, and the legal reason for us using your or your child's information has not yet been provided to you.
When information is restricted it cannot be used other than to securely store the data, and with your consent, to handle legal claims, protect others, or where it is for important public interests of the UK.
Where restriction of use has been granted, we will inform you before the use of your or your child's personal information is resumed.
You have the right to request that we stop using your or your child's personal information for some services. However, if this request is approved, this may cause delays or prevent us delivering a service to you or your child. Where possible we will seek to comply with your request, but we may need to hold or use information in connection with one or more of our legal functions.
10. How do we protect personal information?
We will do what we can to make sure we hold personal records (on paper and electronically) in a secure way, and we will only make them available to those who have a right to see them. Our security includes:
• Encryption allows information to be hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or cypher. The hidden information is said to be encrypted.
• Pseudonymisation allows us to hide parts of your personal information from view so only we can see it. This means that someone outside of Essex County Council could work on your or your child's information for us without ever knowing whose it was.
• Controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it.
• Training for our staff allows us to make them aware of how to handle information and how and when to report when something goes wrong.
11. How long do we keep your personal information?
For each reason why we use your personal information there is often a legal reason for why we need to keep it for a period of time. We try to capture all of these and detail them in what’s called a ‘retention schedule’. This schedule lists for each service how long your information may be kept for.
12. Advice and complaints
We take any complaints about our collection and use of personal information very seriously. If you think that our collection or use of personal information is unfair, misleading or inappropriate, or have any other concern about our data processing, please raise this with us in the first instance.
For advice or to make a complaint, please contact our Data Protection Officer SBM Services Ltd, via Mrs L Riddlestone, firstname.lastname@example.org
For independent advice about data protection, privacy and data sharing issues, contact the Information Commissioner's Office at:
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
Or visit ico.org.uk or email email@example.com