Data Protection (GDPR) & Subject Access Requests
Data Protection Policy (GDPR) June 2023
Privacy Notices
GDPR
Please be aware that we have several privacy notices in operation, depending on the nature of your connection with the school. The privacy notices currently in operation are:
Privacy Notice - Parents & Carers
Privacy Notice - Pupil
Privacy Notice - Employees
Privacy Notice - Governors and Other Volunteers
Subject Access Requests
Under the GDPR, anyone whose personal data we are processing has a right to make a ‘subject access request’ to gain access to information our trust holds about them. This includes:
Confirmation that their personal data is being processed.
Access to a copy of the data.
The purposes of the data processing.
The categories of personal data concerned.
Who the data has been, or will be, shared with.
How long the data will be stored for, or if this isn’t possible, the criteria used to determine this period.
The source of the data, if not the individual.
Whether any automated decision-making is being applied to their data, and what the significance and consequences of this might be for the individual.
Subject access requests can be made by contacting any member of staff, but it is helpful if they are made to the relevant school office or the DPO on dpo.odst@oxford.anglican.org
They can be made in person, verbally, in writing, and by email. The following information will be required:
Name of individual
Relationship of the requester to the individual, if appropriate
Correspondence address
Contact number and email address
Details about the information requested
Children and Subject Access Requests
A child’s personal data always belongs to them rather than the child's parents or carers.
For a parent or carer to make a subject access request, with respect to their child, the child must either be unable to understand their rights and the implications of a subject access request or have given their consent.
The UK’s Information Commissioner’s Office generally regards children aged 12 and above to be mature enough to understand their rights and the implications of a subject access request. However, we will always consider this on a case-by-case basis.
Responding to Subject Access Requests
When responding to requests, we:
May ask the individual to provide 2 forms of identification, if necessary.
May contact the individual via phone to confirm the request was made.
Will respond without delay and within 1 month of receipt of the request.
Will provide the information free of charge.
May tell the individual we will comply within 3 months of receipt of the request, where a request is complex or numerous. We will inform the individual of this within 1 month and explain why the extension is necessary.
We will not reveal the following information in response to Subject Access Requests:
Information that might cause serious harm to the physical or mental health of the subject or another individual.
Information that would reveal that the child is at risk of abuse, where disclosure of that information would not be in the child’s best interests.
Information contained in adoption and parental order records.
Certain information given to a court in proceedings concerning the child.
Any references that have been provided or received in confidence.
If the request is considered unfounded or excessive, we may refuse to act on it, or charge a reasonable fee which takes into account administrative costs.
A request will be considered to be unfounded or excessive if it is repetitive or asks for further copies of the same information.
When we refuse a request, we will tell the individual why, and tell them they have the right to complain to the ICO.
The Department for Education, in its GDPR Toolkit for Schools, recognises that it may be difficult for schools to respond during the summer holidays. We are happy to help people access their information in a timely manner and will endeavour to respond within requisite timescales.