ROSELYN HOUSE SCHOOL / THE RHISE SERVICE

SUBJECT ACCESS REQUEST POLICY

Introduction

Roselyn House School / The RHISE Service holds personal data (or information) about job applicants, employees, pupils and parents and other individuals for a variety of purposes.

Under Data Protection Law, individuals (known as ‘data subjects’) have a general right to find out whether Roselyn House School / The RHISE Service hold or process personal data about them, to access that data, and to be given supplementary information. This is known as the right of access, or the right to make a data subject access request (SAR). The purpose of the right is to enable the individual to be aware of, and verify, the lawfulness of the processing of personal data that Roselyn House School / The RHISE Service are undertaking.

This policy provides guidance for staff members on how data subject access requests should be handled, and for all individuals on how to make a SAR.  

Failure to comply with the right of access under the GDPR puts both staff and Roselyn House School / RHISE at potentially significant risk, and so the School takes compliance with this policy very seriously.

If you have any questions regarding this policy, please contact Rachel Smith (School Business Manager) or the School’s DPO whose details are as follows:  

Data Protection Officer: Judicium Consulting Limited

Address: 72 Cannon Street, London, EC4N 6AE

Email: dataservices@judicium.com

Web: www.judiciumeducation.co.uk

Telephone: 0203 326 9174

Lead Contact: Craig Stilwell

Definitions

• Data Subjects for the purpose of this policy include all living individuals about whom we hold personal data. This includes pupils, our workforce, and other individuals.  A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal information
• Personal Data means any information relating to an identified or identifiable natural person (a data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
• Processing is any activity that involves use of the data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring personal data to third parties

How to recognise a subject access request

A data subject access request is a request from an individual (or from someone acting with the authority of an individual, e.g. a solicitor or a parent making a request in relation to information relating to their child):

• for confirmation as to whether Roselyn House School / RHISE process personal data about him or her and, if so
• for access to that personal data
• and/or certain other supplementary information

A valid SAR can be both in writing (by letter, email, WhatsApp text) or verbally (e.g. during a telephone conversation). The request may refer to the GDPR and/or to ‘data protection’ and/or to ‘personal data’ but does not need to do so in order to be a valid request. For example, a letter which states ‘please provide me with a copy of all the information that you have about me’ will be a data subject access request and should be treated as such.

A data subject is generally only entitled to access their own personal data, and not to information relating to other people.

How to make a data subject access request

Whilst there is no requirement to do so, we encourage any individuals who wish to make such a request to use the form at Appendix A of the policy. This allows Roselyn House School / The RHISE Service to easily recognise that you wish to make a data subject access request.

What to do when you receive a data subject access request

All data subject access requests should be immediately directed to Rachel Smith (School Business Manager) who will contact the DPO for assistance if needed. There are limited timescales within which Roselyn House School / The RHISE Service must respond to a request and any delay could result in failing to meet those timescales, which could lead to enforcement action by the Information Commissioner’s Office (ICO) and/or legal action by the affected individual. So it is crucial to ensure that requests are passed to the relevant individual without delay and failure to do so may result in disciplinary action being taken.

Acknowledging the request

When receiving a SAR Roselyn House School / The RHISE Service shall acknowledge the request as soon as possible and inform the requester about the statutory deadline to respond to the request. In addition to acknowledging the request, Roselyn House School / The RHISE Service may ask for proof of ID if needed or clarification about the requested information. If it is not clear where the information shall be sent, Roselyn House School / The RHISE Service must clarify what address/email address to use when sending the requested information.

Verifying the identity of a requester or requesting clarification of the request

Before responding to a SAR, Roselyn House School / The RHISE Service will take reasonable steps to verify the identity of the person making the request. In the case of current employees, this will usually be straightforward. Roselyn House School / The RHISE Service is entitled to request additional information from a requester in order to verify whether the requester is in fact who they say they are. Where Roselyn House School / The RHISE Service has reasonable doubts as to the identity of the individual making the request, evidence of identity may be established by production of a passport, driving license, a recent utility bill with current address, birth/marriage certificate, credit card or a mortgage statement.

If an individual is requesting a large amount of data Roselyn House School / The RHISE Service may ask the requester for more information for the purpose of clarifying the request, but the requester shall never be asked why the request has been made. Roselyn House School / The RHISE Service shall let the requestor know as soon as possible that more information is needed before responding to the request.

In both cases, the period of responding begins when the additional information has been received. If Roselyn House School / The RHISE Service do not receive this information, they will be unable to comply with the request.

Fee for responding to a SAR

Roselyn House School / The RHISE Service will usually deal with a SAR free of charge. Where a request is considered to be manifestly unfounded or excessive a fee to cover administrative costs may be requested. If a request is considered to be manifestly unfounded or unreasonable Roselyn House School / The RHISE Service will inform the requester why this is considered to be the case and that Roselyn House School / The RHISE Service will charge a fee for complying with the request.

A fee may also be requested in relation to repeat requests for copies of the same information.  In these circumstances a reasonable fee will be charged taking into account the administrative costs of providing the information.

If a fee is requested, the period of responding begins when the fee has been received.

Time Period for Responding to a SAR

Roselyn House School / The RHISE Service has one calendar month to respond to a SAR. This will run from either the day after the request has been received or from the day when any additional identification or other information requested is received, or payment of any required fee has been received.

In circumstances where Roselyn House School / The RHISE Service is in any reasonable doubt as to the identity of the requester, this period will not commence unless and until sufficient information has been provided by the requester as to their identity, and in the case of a third party requester, the written authorisation of the data subject has been received.

The period for response may be extended by a further two calendar months in relation to complex requests. What constitutes a complex request will depend on the particular nature of the request. The DPO must always be consulted in determining whether a request is sufficiently complex as to extend the response period.

Where a request is considered to be sufficiently complex as to require an extension of the period for response, Roselyn House School / The RHISE Service will need to notify the requester within one calendar month of receiving the request, together with reasons as to why this extension is considered necessary.

School closure periods

Requests received during or just before school closure periods will not be able to be responded to within the one calendar month response period. This is because Roselyn House School / The RHISE Service will be closed and no one will be on site to comply with the request emails during this period. As a result, it is unlikely that your request will be received during this time (and so the time period does not run until we receive the request). We may not be able to acknowledge your request during this time (i.e. until a time we receive the request) and the time period may not start until Roselyn House School / The RHISE Service re-opens. Roselyn House School / The RHISE Service will endeavor to comply with requests as soon as possible and will keep in communication with you as far as possible. If your request is urgent, please provide your request during term times and not during/close to closure periods.

Information to be provided in response to a request

The individual is entitled to receive access to the personal data we process about him or her and the following information:

• the purposes for which we process the data;
• the recipients or categories of recipient to whom the personal data has been or will be disclosed, in particular where those recipients are in third countries or international organisations;
• where possible, the period for which it is envisaged the personal data will be stored, or, if not possible, the criteria used to determine that period;
• the fact that the individual has the right:

• to request that the Company rectifies, erases or restricts the processing of his personal data; or
• to object to its processing;
• to lodge a complaint with the ICO;
• where the personal data has not been collected from the individual, any information available regarding the source of the data;
• any automated decision we have taken about him or her (see paragraph 9 below), together with meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for him or her.

The information should be provided in a way that is concise, transparent, easy to understand and easy to access using clear and plain language, with any technical terms, abbreviations or codes explained. The response shall be given in writing if the SAR was made in writing in a commonly-used electronic format.

The information that Roselyn House School / The RHISE Service are required to supply in response to a SAR must be supplied by reference to the data in question at the time the request was received. However, as Roselyn House School / The RHISE Service have one month in which to respond they are allowed to take into account any amendment or deletion made to the personal data between the time the request is received and the time the personal data is supplied if such amendment or deletion would have been made regardless of the receipt of the SAR.

Roselyn House School / The RHISE Service is therefore, allowed to carry out regular housekeeping activities even if this means deleting or amending personal data after the receipt of a SAR. Roselyn House School / The RHISE Service is not allowed to amend or delete data to avoid supplying the data.

How to locate information

The personal data Roselyn House School / The RHISE Service need to provide in response to a data subject access request may be located in several of the electronic and manual filing systems. This is why it is important to identify at the outset the type of information requested so that the search can be focused.

Depending on the type of information requested, Roselyn House School / The RHISE Service may need to search all or some of the following:

• electronic systems, e.g. databases, networked and non-networked computers, servers, customer records, human resources system, email data, back up data, CCTV;
• manual filing systems in which personal data is accessible according to specific criteria, e.g. chronologically ordered sets of manual records containing personal data;
• data systems held externally by our data processors e.g. Accountants for external payroll service;
• occupational health records held
• pensions data held by Appletree Finance
• data held by Peninsula (Health and Safety and Employment Law Specialist

Roselyn House School / The RHISE Service should search these systems using the individual's name, employee number or other personal identifier as a search determinant.

Requests made by third parties

Roselyn House School / The RHISE Service need to be satisfied that the third party making the request is entitled to act on behalf of the individual, but it is the third party’s responsibility to provide evidence of this entitlement. This might be a written authority to make the request or it might be a more general power of attorney. Roselyn House School / The RHISE Service may also require proof of identity in certain circumstances.

If Roselyn House School / The RHISE Service is in any doubt or has any concerns as to providing the personal data of the data subject to the third party, then it should provide the information requested directly to the data subject.  It is then a matter for the data subject to decide whether to share this information with any third party. 

Requests made on behalf of children

Even if a child is too young to understand the implications of subject access rights, it is still the right of the child, rather than of anyone else such as a parent or guardian, to have access to the child’s personal data. Before responding to a SAR for information held about a child, Roselyn House School / The RHISE Service should consider whether the child is mature enough to understand their rights. If Roselyn House School / The RHISE Service is confident that the child can understand their rights, then they should usually respond directly to the child or seek their consent before releasing their information.

It shall be assessed if the child is able to understand (in broad terms) what it means to make a subject access request and how to interpret the information they receive as a result of doing so. When considering borderline cases, it should be taken into account, among other things:

•         the child’s level of maturity and their ability to make decisions like this;

•         the nature of the personal data;

•         any court orders relating to parental access or responsibility that may apply;

•         any duty of confidence owed to the child or young person;

•         any consequences of allowing those with parental responsibility access to the child’s or young person’s information. This is particularly important if there have been allegations of abuse or ill treatment;

•         any detriment to the child or young person if individuals with parental responsibility cannot access this information; and

•         any views the child or young person has on whether their parents should have access to information about them.

Generally, a person aged 12 years or over is presumed to be of sufficient age and maturity to be able to exercise their right of access, unless the contrary is shown.  In relation to a child 12 years of age or older, then provided that Roselyn House School / The RHISE Service is confident that they understand their rights, and there is no reason to believe that the child does not have the capacity to make a request on their own behalf, Roselyn House School / The RHISE Service will require the written authorisation of the child before responding to the requester, or provide the personal data directly to the child.

Roselyn House School / The RHISE Service may also refuse to provide information to parents if there are consequences of allowing access to the child’s information – for example if it is likely to cause detriment to the child.

Protection of third parties -exemptions to the right of subject access

There are circumstances where information can be withheld pursuant to a SAR.  These specific exemptions and requests should be considered on a case by case basis.

Roselyn House School / The RHISE Service will consider whether it is possible to redact information so that this does not identify those third parties. If their data cannot be redacted (for example, after redaction it is still obvious who the data relates to) then Roselyn House School / The RHISE Service do not have to disclose personal data to the extent that doing so would involve disclosing information relating to another individual (including information identifying the other individual as the source of information) who can be identified from the information unless:

•    the other individual has consented to the disclosure; or

•    it is reasonable to comply with the request without that individual’s consent.

In determining whether it is reasonable to disclose the information without the individuals consent, all of the relevant circumstances will be taken into account, including:

•    the type of information that they would disclose;

•    any duty of confidentiality they owe to the other individual;

•    any steps taken to seek consent from the other individual;

•    whether the other individual is capable of giving consent; and

•    any express refusal of consent by the other individual.

It needs to be decided whether it is appropriate to disclose the information in each case. This decision will involve balancing the data subject’s right of access against the other individual’s rights. If the other person consents to the school disclosing the information about them, then it would be unreasonable not to do so. However, if there is no such consent, the school must decide whether to disclose the information anyway. If there are any concerns in this regard then the DPO should be consulted.

Other exemptions to the right of subject access

In certain circumstances Roselyn House School / The RHISE Service may be exempt from providing some or all of the personal data requested. These exemptions are described below and should only be applied on a case-by-case basis after a careful consideration of all the facts.

Crime detection and prevention: Roselyn House School / The RHISE Service do not have to disclose any personal data being processed for the purposes of preventing or detecting crime; apprehending or prosecuting offenders; or assessing or collecting any tax or duty.

Confidential references: Roselyn House School / The RHISE Service do not have to disclose any confidential references given to third parties for the purpose of actual or prospective:

• education, training or employment of the individual;
• appointment of the individual to any office; or
• provision by the individual of any service

This exemption does not apply to confidential references that Roselyn House School / The RHISE Service receive from third parties. However, in this situation, granting access to the reference may disclose the personal data of another individual (i.e. the person giving the reference), which means that Roselyn House School / The RHISE Service must consider the rules regarding disclosure of third-party data set out above before disclosing the reference.

Legal professional privilege: Roselyn House School / The RHISE Service do not have to disclose any personal data which are subject to legal professional privilege.

Management forecasting: Roselyn House School / The RHISE Service do not have to disclose any personal data processed for the purposes of management forecasting or management planning to assist us in the conduct of any business or any other activity.

Negotiations: Roselyn House School / The RHISE Service do not have to disclose any personal data consisting of records of intentions in relation to any negotiations with the individual where doing so would be likely to prejudice those negotiations.

Refusing to respond to a request

Roselyn House School / The RHISE Service can refuse to comply with a request if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.

If a request is found to be manifestly unfounded or excessive the school can:

• request a "reasonable fee" to deal with the request; or
• refuse to deal with the request.

In either case Roselyn House School / The RHISE Service need to justify the decision and inform the requestor about the decision.

The reasonable fee should be based on the administrative costs of complying with the request. If deciding to charge a fee Roselyn House School / The RHISE Service should contact the individual promptly and inform them. Roselyn House School / The RHISE Service do not need to comply with the request until the fee has been received.

Record keeping

A record of all subject access requests shall be kept by the School Business Manager. The record shall include the date the SAR was received, the name of the requester, what data was sent to the requester and the date of the response.

Appendix A

ROSELYN HOUSR SCHOOL / THE RHISE SERVICE

Subject Access Request Form

The Data Protection Act 2018 provides you, the data subject, with a right to receive a copy of the data/information we hold about you or to authorise someone to act on your behalf.  Please complete this form if you wish to make a request for your data. Your request will normally be processed within one calendar month upon receipt of a fully completed form and proof of identity.

Proof of identity: We require proof of your identity before we can disclose personal data. Proof of your identity should include a copy of a document such as your birth certificate, passport, driving licence, official letter addressed to you at your address e.g. bank statement, recent utilities bill or council tax bill. The document should include your name, date of birth and current address. If you have changed your name, please supply relevant documents evidencing the change.   

Section 1

Please fill in the details of the data subject (i.e. the person whose data you are requesting). If you are not the data subject and you are applying on behalf of someone else, please fill in the details of the data subject below and not your own.      

Section 2   

Please complete this section of the form with your details if you are acting on behalf of someone else (i.e. the data subject). 

If you are NOT the data subject, but an agent appointed on their behalf, you will need to provide evidence of your identity as well as that of the data subject and proof of your right to act on their behalf.   

Section 3

Please describe as detailed as possible what data you request access to (time period/ categories of data/ information relating to a specific case/ paper records/ electronic records).

Please send your completed form and proof of identity by email to:

rachel@roselynhouseschool.co.uk

November 2021