Subject Access Procedure
If the school receive a subject access request from an individual, they will follow the procedure listed below.
- The school will contact the Data Protection Officer in the event of a subject access request and the Data Protection Officer will assist the school throughout the process.
- The school will first establish who the individual is making the request on behalf of. Is it access to their own personal data or is it on behalf of someone else?
- The school will then establish if the individual has a valid reason for accessing the data. ICO guidelines state that they are not entitled to the information just because they may be interested.
- If a valid reason is forthcoming, then the individual will be asked to make the request in writing. E-mail, fax and, under certain circumstances, social media are all acceptable means of making a valid subject access request.
- The school will not charge a fee for the subject access request under normal circumstances.
- The school are not required to respond to a verbal request. However, depending on the circumstances, it could be reasonable to do so, if the school are satisfied about the person’s identity.
- Should the individual requesting the data have a disability and find it impossible or unreasonably difficult to make the request in writing, then the school will make reasonable adjustments under the Equality Act of 2010.
- Even if the subject access request does not mention that it is a subject access request, the school will treat it as such if it is clear that the individual is asking for their own personal data (or for personal data on behalf of someone else).
- The subject access request will be treated as valid by the school regardless of who it has been sent to within the school.
- The school will then establish if the information requested falls within the definition of personal data.
- Once a valid subject access request has been received, the school will determine the nature of the request, and a decision will be made on what information can be provided if the subject access request relates to a child, and on the time scales to adhere to. GDPR states 30 days for a response to a request.
- The school will provide the data as it was at the time of the request, unless the routine use of the data has led to it being amended or even deleted. In this case the school would supply the information that it holds when the response is sent to the individual, even if this is different to that held at the time of the request.
- However, the school will not amend or delete any data during a subject access request that it would not otherwise have amended or deleted.
- The school will provide the information to the individual in an ‘intelligible form’. This means that it will be provided in a way that is capable of being understood by the average person.
- The school may request more information about the subject access request if they are not satisfied that the person making the request is the individual to whom the personal data relates (or is acting on that individual's behalf), or the school may ask for information that the school reasonably needs to find the personal data covered by the request.
- If the subject access request is made on behalf of a child, then the school will consider whether the child is mature enough to understand their rights and, if so, the school will respond to the child, not the parent. However, when considering borderline cases, other factors will be taken into account.
- The school will not comply with a subject access request if doing so would mean disclosing information about another individual who could be identified from the information provided, unless the other individual has given consent, or it is reasonable in the circumstances to comply with the request without the individual’s consent.