Good data protection practices ensure that an organisation and the individuals within it can be trusted to collect, store and use personal data fairly, safely and lawfully.

Hillborough Infant and Nursery School is registered with the Information Commissioner's Office (ICO) as a Data Controller.  All organisations who process others’ personal data have to follow strict rules that are set by the:

• UK General Data Protection Regulation (UK GDPR)
• Data Protection Act 2018 (DPA)

Schools collect, store and use personal data about a variety of individuals. In this context, those individuals are known as data subjects.  Typically, a school’s data subjects will include:

• Pupils and former pupils;
• Parents and carers;
• Employees and non-employed staff;
• Governors and trustees;
• Local Authority personnel;
• Volunteers, visitors and applicants.

Please refer to our Privacy Notice and Data Protection policy below for further information on how we use pupil and parent and carers information.

If you would like to discuss anything in our privacy notice, please contact Ms Nileema Rahman, Business and Resources Manager on 01582 725764 or admin@hillboroughinfantschool.uk

Freedom of Information (FOI)

The Freedom of Information Act 2000 provides public access to information held by public authorities. The main principle behind freedom of information legislation is that people have a right to know about the activities of public authorities, unless there is a good reason for them not to.

This in two ways:

• Public authorities are obliged to publish certain information about their activities; and
• Members of the public are entitled to request information from public authorities.

In some cases, there will be a good reason why we should not make public some or all of the information requested.  Further information is available to read at: https://ico.org.uk/for-organisations/guide-to-freedom-of-information/refusing-a-request/

Please refer to our Freedom of Information policy below.

Subject Access Requests (SAR)

Individuals have the right to access and receive a copy of their personal data, and other supplementary information.  A request can be made on behalf of an individual for the information which they are entitled to ask for under Article 15 of the UK GDPR.  This is known as a Subject Access Request

When a parent or guardian makes a SAR on their child’s behalf, the following will be taken into account:

• Any court orders relating to parental access or responsibility that may apply;
• Any duty of confidence owed to the child or young person;
• Any consequences of allowing those with parental responsibility or those authorised to act on their behalf access to the child or young person’s information (this is particularly important if there have been allegations of abuse or ill-treatment);
• Any detriment to the child or young person if individuals with parental responsibility, or their authorised representatives, cannot access this information; and
• Any views the child or young person has on whether their parents, guardians or authorised representatives should have access to information about them.

In Scotland, a person aged 12 years or over is presumed to be of sufficient age and maturity to be able to exercise their right of access, unless the contrary is shown. This does not apply in England, Wales or Northern Ireland but would be a reasonable starting point.

At Hillborough Infant and Nursery School, upon receipt of a SAR we will aim to respond within one month following the verification of the requester's identity.  We may extend the time limit by a further two months if the request is complex or if we receive a number of requests from the same individual however we will inform the individual of this within one month and explain why the extension is necessary.

We may refuse to provide the information if an exemption or restriction applies, or if the request is manifestly unfounded or excessive.  When we refuse a request, we will:

• Respond within 1 month;
• Explain why we are refusing the request;
• Inform the individual that they have the right to complain to the Information Commissioner’s Office.

Please refer to ICO for further information: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/right-of-access/what-other-exemptions-are-there/

In most circumstances, we will not charge a fee to deal with a request and the information will be provided securely in an accessible, concise and intelligible format.

Please refer to our Subject Access Request policy below.

Data Protection Officer (DPO)

The UK GDPR requires all public authorities to appoint a Data Protection Officer (DPO). A DPO can be an existing employee or externally appointed however they must be an expert in data protection, adequately resourced, and report to the highest management level.

The role of a DPO:

• To assist an organisation monitor internal compliance, demonstrate compliance and are part of the enhanced focus on accountability;
• To inform and advise an organisation on data protection obligations,
• To provide advice regarding Data Protection Impact Assessments (DPIAs);
• To act as a contact point for data subjects and the Information Commissioner’s Office (ICO); 

The School’s Data Protection Officer is Zoe Bulmer who can be contacted on 01582 547703.