Information Rights Policy
INDIVIDUALS’ RIGHTS EXPLAINED
- The school has an obligation to process personal data lawfully, fairly and transparently to those individuals whose data is being processed. The school communicates this through privacy notices
-
The school provides individuals with information including; the purposes for processing of personal data, the retention periods for that personal data, and those with whom it will be shared
-
Privacy information is provided to individuals at the point of collection, communicating to the individual in clear terms the reasons for processing
-
The school regularly reviews how personal data is being processed and will update individuals should the processing change
-
The school will make individuals aware before a new processing activity is to start
-
The information on the processing of personal data will be:
-
Concise, transparent, intelligible and easily accessible
-
Written in clear and plain language, especially if aimed at children
-
Free of charge
-
Right of access (Subject Access Request - SAR)
-
All individuals, including teaching staff, administration staff, parents and students are entitled to obtain:
-
Confirmation that their data is being processed
-
Access to their personal information; and
-
Other supplementary information (in line with relevant privacy notices)
-
-
When requested, the school will provide information requested via a subject access request without undue delay and at the latest within one month of receipt of the request
-
The school can extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, we will inform the individual within one month of the receipt of the request and explain why the extension is necessary
Right to rectification
-
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete
-
When notified, the school will respond to the request within one calendar month
-
In certain circumstances the school can refuse a request for rectification
-
This right is closely linked to the controller’s obligations under the accuracy principle of the GDPR (Article (5)(1)(d))
Right to erasure (Right to be forgotten)
Individuals have the right to have their personal data erased if:
-
The personal data is no longer necessary for the purpose it was originally collected or processed
-
If the school is relying on consent as the lawful basis for holding the data, and the individual withdraws their consent
-
If the school is relying on legitimate interests as the basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue the processing;
-
If the school is processing your personal data for direct marketing purposes and the individual objects to that processing
-
If the school has processed your personal data unlawfully
-
The right is not absolute and only applies in certain circumstances
-
When notified the school will respond to the request within one calendar month
Right to restrict processing
-
Individuals have a right to ‘block’ or suppress processing
-
When processing is restricted, the school is permitted to store the personal data, but not process it further
-
An individual can make a request for restriction verbally or in writing
-
When notified the school will respond to the request within one calendar month
-
This is not an absolute right and only applies in certain circumstances
-
This right has close links to the right to rectification (Article 16) and the right to object (Article 21)
Right to data portability
-
Allows individuals to obtain and reuse their personal information for their own purpose across different services
-
It allows individuals to move, copy or transfer personal data from one IT environment to another
-
The information must be provided free of charge
-
When notified the school will respond to the request within one calendar month
Right to object
-
Gives individuals the right to object to the processing of their personal data in certain circumstances
-
Individuals have an absolute right to stop their data being used for direct marketing
-
An individual can make an objection verbally or in writing
-
When notified the school have one calendar month to respond
Rights in relation to automated decision making and profiling
-
The school must identify, as part of the data mapping, whether any processing falls under Article 22
-
If Article 22 is identified the school must carry out a Data Protection Impact Assessment (DPIA), ideally this should be completed prior to any automated decision making or profiling is undertaken
-
Individuals must be informed of how they can access, review and edit any accuracy issues
YOUR RIGHTS AND HOW TO APPLY THEM
You can submit a request to obtain information in accordance with your rights by emailing: gdpr@las.ch
The GDPR explicitly enables the school to require data subjects to provide proof of identity before initiating the request. This helps to limit the risk that a third party could gain unlawful access to your personal data.
The school will validate the data subject's identity using the information held by the school. If there are any reasonable doubts as to the identity of the data subject, the school can request additional information necessary to confirm your identity.
The school is not obliged to seek out additional information from external sources in order to validate your identity. If the school can demonstrate that it is not in a position to identify the data subject then the school is exempt from the application of the rights of data subjects (Article 15-22).
For example, if the requester is unable to provide evidence of their identity/parental responsibility but believes that a third party holds information which will validate the request, the school is not obliged to contact the third party and as such is exempt from complying with the requesters Subject Access Rights as detailed in Article 15-22 of the GDPR.
For periods outside normal school term times requests will be auto-forward to 9ine Consulting, who are authorised (and under contract) to act on the school’s behalf.
REQUESTS FROM CHILDREN
The school will consider all Information Rights requests from students.
Children have the same rights as adults over their personal data and can exercise their own rights as long as they are competent to do so. Where a child is not considered to be competent, an adult with parental responsibility may exercise the child’s data protection rights on their behalf.
Where a request is received from a child, the school will assess the request taking into consideration a number of variables that includes age, maturity, competence and other social or behavioural factors.
APPENDIX ONE
Data Subject Rights
The lawful basis for your processing can also affect which rights are available to individuals. The table below identifies the lawful basis where information rights do and do not apply.
Variation to the Rules
An individual always has the right to object to processing for the purposes of direct marketing, whatever lawful basis applies.
The remaining rights are not always absolute, and there are other rights which may be affected in other ways.
For example, your lawful basis may affect how provisions relating to automated decisions and profiling apply, and if you are relying on legitimate interests you will need more detail in your privacy notice to comply with the right to be informed.