Data Protection Policy Introduction



Download 116.75 Kb.
Date20.10.2016
Size116.75 Kb.
#5987

St Brigid’s NS


Data Protection Policy

Introduction: This policy was formulated by Staff and Board of Management of St Brigid’s NS.  The purpose of the policy is to identify the records required to be retained by the school and to ensure confidentiality and manageable procedures in relation to access to such records. Data will be stored securely, so that confidential information is protected in compliance with relevant legislation. This policy sets out the manner in which personal data and sensitive personal data will be protected by the school. This policy was also formulated as a result of the proposed Department POD system (Primary Online Database 2014)
This Data Protection Policy applies to the personal data held by the school and is protected by the Data Protection Acts 1988 and 2003. The policy applies to all school staff, the board of management, parents/guardians, students and others (including prospective or potential students and their parents/guardians, and applicants for staff positions within the school) insofar as the measures under the policy relate to them.

Rationale: In addition to its legal obligations under the broad remit of educational legislation, the school has a legal responsibility to comply with the Data Protection Acts. This policy explains what sort of data is collected, why it is collected, for how long it will be stored, and with whom it will be shared. As more and more data is generated electronically and as technological advances enable the easy distribution and retention of this data, the challenge of meeting the school’s legal responsibilities has increased.
Aims:

The school is a data controller of Personal Data relating to its past, present and future staff, students, parents/guardians and other members of the school community. As such, the school is obliged to comply with the principles of data protection set out in the Data Protection Acts 1988 and 2003 the school will endeavour to:




  • To ensure the school complies with legislative requirements;

  • Obtain and process personal data fairly:

  • Keep it only for one or more specified and explicit lawful purposes:

  • Process it only in ways compatible with the purposes for which it was given initially

  • Keep Personal Data safe and secure:

  • Keep personal data accurate, complete and up-to-date

  • Ensure that it is adequate, relevant and not excessive:

  • Retain it no longer than is necessary for the specified purpose or purposes for which it was given

  • Provide a copy of their personal data to any individual, on request:



Guidelines: The Principal assumes the function of data controller and supervises the application of the Data Protection Act within the school.  The data under the control of the Principal comes under the following headings.

Student records:
Information which may be sought and recorded at enrolment and may be collated and compiled during the course of the student’s time in the school.
These records may include:

  • name, address and contact details, PPS number

  • date and place of birth

  • names and addresses of parents/guardians and their contact details (including any special arrangements with regard to guardianship, custody or access)

  • religious belief

  • racial or ethnic origin

  • membership of the Traveller community, where relevant

  • whether they (or their parents) are medical card holders

  • whether English is the student’s first language and/or whether the student requires English language support

  • any relevant special conditions (e.g. special educational needs, health issues etc.) which may apply.

An extensive list of required data and the purpose of this information, as outlined by the POD, can be found in Appendix A

  • School report cards

  • Psychological Assessments

  • Assessment results carried out by professionals to assist teaching and learning (e.g. results of psychiatric reports; occupational therapy reports; speech and language assessments; etc. ).

  • Standardised Test Results

  • Attendance Records

  • Screening Tests such as M.I.S.T., N.R.I.T., Quest, Dyslexia Screening Tests etc.

  • Records of students who have been granted exemption from the study of Irish.

  • Teacher-designed tests.  Each class teacher designs her own test template

  • Diagnostic Tests Reports

  • Individual Education Plans, Individual Pupil Learning Plans and records of meetings with the stakeholders regarding these plans;

  • Learning Support/Resource Data such as records of permissions/refusals to allow children access to LS/RT services in the school

  • Portfolios of student work e.g. Projects/Art and achievements on diagnostic tests.

  • Photographs and recorded images of students (including at School events and noting achievements). See Acceptable Use Policy

  • Records of disciplinary issues/investigations and/or sanctions imposed

  • Records of any serious injuries/accidents etc. (Note: it is advisable to inform parents that a particular incident is being recorded)

  • Records of any reports the school (or its employees) have made in respect of the student to State departments and/or other agencies under mandatory reporting legislation and/or child safeguarding guidelines (subject to the DES Child Protection Procedures).

Location/security: Each class teacher retains the files for their class, in a locked filing cabinet and these files are passed along, at the end of the school year, to the next teacher.
Staff records:

As well as existing members of staff (and former members of staff), these records may also relate to applicants applying for positions within the school, trainee teachers and teachers under probation. These staff records may include:




  • Name, address and contact details, PPS number

  • Original records of application and appointment (including application forms, interview marking schemes and other documents relating to recruitment and selection such as references, Garda vetting outcomes and Medmark assessments)

  • Record of appointments to promotion posts

  • Details of approved absences (career breaks, parental leave, study leave, etc.)

  • Details of work record (qualifications, classes taught, etc)

  • Details of complaints and/or grievances, including consultations or competency discussions, action/ improvement/ evaluation plans and record of progress

  • Details of any accidents/injuries sustained on school property or in connection with the staff member carrying out their school duties

  • Records of any reports the school (or its employees) have made in respect of the staff member to State departments and/or other agencies under mandatory reporting legislation and/or child-safeguarding guidelines (subject to the DES Child Protection Procedures).


Board of management records:

These may include:



  • Name, address and contact details of each member of the board of management (including former members of the board of management)

  • Records in relation to appointments to the board

  • Minutes of board of management meetings and correspondence to the board which may include references to particular individuals.


Location/security: This information is stored by the principal in a locked filing cabinet.


Sensitive records:


  • child-safeguarding issues

  • reports to the HSE/An Garda Síochána

  • accidents/personal injuries involving school personnel/students

  • accidents occurring on school property, on School trips (ski trips, etc.) or in relation to school activities (sports matches etc)

  • allegations of bullying or harassment

  • disciplinary records, etc.

  • data on attendance (NEWB)

Location/security: Manually recorded notes/HSE reports will be kept by the DLP in relation to child protection. The class teacher will retain incidents of bullying until a formal report has been made (see Anti Bullying Policy)

Administrative Data:

  • Attendance Reports, Roll Book, Enrolment applications; baptismal certificate copy (where applicable); birth certificate copy

  • Accident Report Book detailing injury and treatment applied

  • Forms for the Administration of Medicines

  • Late arrivals record book

  • Records of books rented under book-rental scheme and books borrowed from school library

School website/Photos and images:

  • On enrolment to St Brigid’s NS, from September 2014, parents will be furnished with a copy of the schools Acceptable Use Policy. Parents will consent or decline their child’s photos/recordings to appear on the school website. Children will be identified by first name only and relevant class setting.

  • Images will only be passed to third parties for their use where this has been explicitly agreed in writing.

  • Images taken by pupils on mobile devices or cameras is prohibited.

  • Staff of St Brigid’s NS will ensure the correct usage of any recordings/images that may be taken.

  • Images and recordings will be stored on a central data store and removed once the images have been used for their purpose.


Creditors:

The school may hold some or all of the following information about creditors, required for routine management and administration of the school’s financial affairs




  • name

  • address

  • contact details

  • PPS number

  • tax details

  • bank details and

  • amount paid.

Location/security: This information is held in the school filing cabinet where access is gained by Administrative staff, School Treasurer and the school principal only.

Charity tax-back forms

The school may hold the following data in relation to donors who have made charitable donations to the School:

• name

• address



• telephone number

• PPS number

• tax rate

• signature and

• the gross amount of the donation.

Access to Records: The following will have access where relevant and appropriate to the data listed above where pupils are identified by name:


  • Parents/Guardians

  • Past Pupils over 18

  • Health Service Executive staff

  • National Educational Psychological Service

  • National Education Welfare Board

  • Occupational Therapists or Speech Therapists working with pupils

  • Designated School Personnel

  • Department of Education and Skills (where necessary)

  • First and Second level schools (once it has been confirmed by that school that the child has been enrolled)

  • With the exception of child protection-related data which is governed by “Childrens First Guidelines and Procedures 2011”, data on attendance, (governed by NEWB) and data regarding achievements in literacy and numeracy, (governed by National Strategy for literacy and numeracy), parental authorisation must be provided by parents in the event of data being transferred to outside agencies.  Outside agencies requesting access to records must do so in writing. 

  • Parents/Guardians of current pupils can make such a request either by phone or in writing. Past pupils and parents of past pupils seeking data must do so in writing.

The Annual School Report format and its communication to parents are outlined clearly in our schools Assessment and Record Keeping Policy.  A standardised school report form, provided by the National Council for Curriculum and Assessment is used. These are issued by post in June to all parents along with results of standardised testing of pupils from 1st to 6th classes.

Assessment records are transferred between schools when students transfer from primary to post primary school, these include end of year report cards and information on standardised tests.



Storage:

  • When a child leaves the school or continues to second – level education, the information contained in his/her file will be placed in individual, sealed envelopes, and stored in the school for ten years from the date the child leaves the school. At that point, files will then be destroyed.

  • eg. A child leaving sixth class in 2004 will have his/her information retained in the school until 2014, when it will be destroyed.

  • All completed school roll books are stored in the school administration office indefinitely.  Access to these stored files is restricted to authorised personnel only. 

Family Circumstances:


  • If spouses are separated and one of them has obtained an order for custody but both of them remain guardians, then both of them are entitled to be involved in important decisions which affect the child.




  • Where one parent/guardian objects to the information in relation to their child being given to the other parent/guardian, the school should seek specific legal advice as to what steps to take.

  • In general St Brigid’s NS will converse with the sole guardian in such matters. Where access to records is requested, the school will ask for written notification.

Data protection regulations prohibit the supply of:




  • Health data to a patient in response to a request for access if that would be likely to cause serious harm to his or her physical or mental health.. In the case of health data, the information can only be released after the school has consulted with the appropriate health professional (usually the data subject’s GP).




  • Personal Data kept for or obtained in the course of carrying out social work by a Government department, local authority, the HSE, TUSLA, etc) is also restricted in some circumstances if that would be likely to cause serious harm to the health or emotional condition of the data subject concerned. If the social work data includes information supplied to the school by an individual (other than one of the school’s employees or agents) while carrying out social work, the school is not permitted to supply that information to the data subject without first consulting that individual who supplied the information.

The Data Protection Acts state that the following data is exempt from a data access request:




  • Section 5 of the Data Protection Act provides that the right of access does not apply in a number of Examples would include the need for state agencies (like An Garda Síochána) to investigate crime effectively and the need to protect the international relations of the State.




  • Estimates of liability: where the personal data consists of or is kept for the purpose of estimating the amount of the liability of the school on foot of a claim for damages or compensation and where releasing the estimate would be likely to prejudice the interests of the school in relation to the claim, the data may be withheld.




  • Legally privileged information: the general rule is that all documentation prepared in contemplation of litigation is legally privileged. So correspondence between the school and their solicitors in relation to a case against the school should not be disclosed to the claimant pursuant to a data access request.




  • Section 4 states that the right of access does not include a right to see personal data about another individual, without that other person’s consent.. However, if it is not possible to omit the particulars which identify a third party, then the affected data should not be released to the applicant.




  • Section 4 also states that where personal data consists of expressions of opinion about the data subject made by another person, the data subject has a right to receive that expression of opinion except where that expression of opinion was given in confidence and on the clear understanding that it would be treated as confidential.




  • The obligation to comply with an access request does not apply where it is impossible for the school to provide the data or where it involves a disproportionate effort.

When/if the school refuses to hand over some or all of the personal data they hold in relation to a data subject for the above the school must advise the data subject of this in writing, setting out reasons for the refusal, and notifying the data subject that he or she has the right to complain to the Office of the Data Protection Commissioner about the refusal.



Retention of Records: A comprehensive list of records that are stored in schools can be found in Appendix B, the timeframe for the retention of such records is clearly outlined.
Links to Other Policies

School policies need to be consistent with one another, within the framework of the overall School Plan. Relevant school policies already in place, being developed or reviewed, should be examined with reference to the data protection policy and any implications which it has for them should be addressed.


The following policies may be among those considered:

  • Child Protection Policy

  • Anti-Bullying Policy

  • Code of Behaviour

  • Admissions/Enrolment Policy

  • Substance Use Policy

  • ICT Acceptable Usage Policy.


Reviewing and Evaluating the Policy The policy should be reviewed and evaluated at certain pre-determined times and as necessary. On-going review and evaluation should take cognisance of changing information or guidelines (e.g.from the Data Protection Commissioner, Department of Education and Skills or the NEWB now known as TUSLA), legislation and feedback from parents/guardians, students, school staff and others. The policy should be revised as necessary in the light of such review and evaluation and within the framework of school planning
Date of Review of this Policy January 2019
Signed _____________________________________

Principal Teacher

Signed _____________________________________

Chairperson B.O.M.

Date _______________________________________

Details of arrangements in place to ensure compliance with the eight rules of data protection:

The policy should set down the arrangements in place to ensure that all Personal Data records held by the school are obtained, processed, used and retained in accordance with the following eight rules of data protection (based on the Data Protection Acts). Note: While these rules apply to all computer-held data and any new manual records created from July 2003, they only apply to existing manual records from October 2007.



  1. Obtain and process Personal Data fairly

The school will ensure that data subjects (staff, students, parents, board of management members, etc.) are aware, at the time the personal data is being collected, of the following information:



  • the name of the school (the “data controller”)

  • the purpose of collecting the data

  • the persons or categories of persons to whom the data may be disclosed

  • whether replies to questions asked are obligatory and the consequences of not providing replies to those questions

  • the existence of the right of access to their Personal Data

  • the right to rectify or delete their data if inaccurate, excessive or processed unfairly

  • any other information which is necessary so that processing may be fair and to ensure the data subject has all the information that is necessary so as to be aware as to how their data will be processed.

This can be achieved by adopting appropriate data protection notices at the appropriate time. An example of such a notice which may be used on student enrolment forms is set out in the ETB Student Enrolment Form. While an express signature of indication of consent from the parent/guardian (or the student where he/she is over 18 years) is not necessarily always required, it is strongly recommended that a school obtains this consent in every case where possible. Schools should also note that consent must be free, informed and capable of being withdrawn at any time, without the individual suffering a penalty or detriment.
This Data Protection Policy should clearly explain to parents/students that the Freedom of Information Act, 1997 does not apply to schools. However, if a school has furnished information to a body covered by the Freedom of Information Act (such as the Department of Education and Skills, etc.), these records could be disclosed if a request is made to that body.

In the case of Sensitive Personal Data, explicitly given consent is required unless consent may be implied to be given, for example where it is necessary:




  • urgently to prevent injury or other damage to the health of a person or to prevent serious loss or damage to property

  • for the purpose of obtaining legal advice or in the course of legal proceedings in which the person doing the processing is a party or witness

  • required by or under any enactment or by a rule of law or court order.

However, in all cases, schools are strongly advised to obtain consent and not rely on implied consent. The minimum age at which consent can be legitimately obtained for processing and disclosure of personal data is not defined in the Data Protection Acts. However, the Data Protection Commissioner recommends the following model as a general rule for processing data:




  • A student aged eighteen years or older (so long as they do not suffer from a disability or medical condition that would impair their ability to understand the implications of their giving consent) may give consent themselves.




  • If a student (aged 18 and over) has some disability or medical condition that would impair their ability to understand the implications of their giving consent, then parental/guardian consent should be sought.




  • A student aged from twelve up to and including seventeen should give consent themselves and, in addition, consent should also be obtained from the student’s parent or guardian. Consent may not be considered to be in place for processing of personal data for students in this age unless it is given by both the student and a parent/guardian. See www.dataprotection.ie/docs/Biometrics_in_Schools,_Colleges_and_other_educational_Inst/209.htm .




  • In the case of students under the age of twelve, consent of a parent or guardian will suffice.




  • In all cases where an school/ETB is asked to assist a student in obtaining their Garda vetting clearance (e.g. for the student to participate in work experience placement which requires that the student be Garda vetted), the school/ETB must obtain the explicit written consent of the student and their parent/guardian as part of the Garda Vetting application and must obtain the explicit, written consent of the student and their parent/guardian for the Garda vetting outcome report being transferred to the prospective work experience employer.

Schools should note that different rules apply when it comes to students under 18 years accessing their personal data. See Data Access Requests Procedures and Age of Consent for Access Requests for further information and guidance.



  1. Keep it only for one or more specified, explicit and lawful purposes

To help comply with this obligation, schools should ask themselves:

  • Do the persons whose data is collected know the reason/s why it is collected and kept?

  • Is the purpose for which the data is collected and kept a lawful one?

  • Is school management aware of the different sets of data which are kept and the specific purpose of each?

  1. Use and disclose it only in ways compatible with these purposes

  • Is data used only in ways consistent with the purpose/s for which it was obtained?



  • Is data disclosed only in ways consistent with that purpose?



  • Is there a procedure in place, which is in accordance with the Data Protection Acts, to facilitate the transfer of information to another school when a student transfers?


Note: Under Section 20 of the Education (Welfare) Act, 2000, each school principal must maintain a register with the names of all children attending that school. When a child is transferring from the School, the principal must notify the principal of the new school of any problems relating to school attendance of the child and any other matters relating to the child’s educational progress that he or she considers appropriate.


  • Incoming student transfer information – ‘The Education Passport’

Minister Quinn in June 2012 announced: ‘I believe that the sharing of information between primary and second-level schools is a common-sense approach that will benefit both students and teachers. This “education passport” will mean that the child’s end-of-year report card, including results from the standardised tests taken in sixth class, will be available to the second level school’.
It is important that assessment information is transferred between schools when students transfer from primary to post-primary school. Each post-primary principal is responsible for informing the principal of each primary school of the names of students for whom enrolment in his or her post-primary school has been confirmed.

Upon receipt of this information, the principal of each primary school is required to send, by the end of the first week of September at the latest, a copy of the end-of-year report card (including the information from standardised tests at sixth class in primary school) to the post-primary school to which a student is transferring. Reporting templates have been developed for this purpose by the NCCA.




  • Under Section 28 of the Act, schools may supply Personal Data, or information extracted from such data, to other schools or another prescribed body if they are satisfied that it will be used in recording the student’s educational history, monitoring the student’s educational progress or developing the student’s full educational potential. The bodies which have been prescribed (and so can share information) under Section 28 are:

  • The Minister for Education and Skills (which includes the Inspectorate and the National Educational Psychological Service (NEPS)

  • The National Council for Special Education (NCSE)

  • The National Educational Welfare Board (NEWB) (now known as TUSLA)

  • Each school recognised in accordance with section 10 of the Education Act, 1998

  • Each place designated by the Minister under section 10 of the Education Act, 1998 to be a centre for education.



  • In what circumstances will Personal Data be disclosed to third parties, including the Department of Education and Skills, the NEWB now known as TUSLA, Gardaí, in legal proceedings, HSE personnel, etc.?



Note that government guidelines required that when a data transfer with a third party is required (including to/from Government departments) a written agreement should be put in place between both parties in advance of any data transfer (See Sample Data Protection Statement for inclusion on relevant forms when personal information is being requested).. Such an agreement should define:-


  • The information that is required by the third party (the purposes for which the information can be used should also be defined if the recipient party is carrying out processing on behalf of the organisation)

  • Named contacts in each organisation responsible for the data

  • The frequency of the proposed transfers

  • An explanation of the requirement for the information/data transfer

  • The transfer method that will be used (e.g. secure FTP, secure email, etc.)

  • The encryption method that will be used (see further under Section 4 (“Keep it safe and secure”) below)

  • The acknowledgement procedures on receipt of the data

  • The length of time the information will be retained by the third party

  • Confirmation from the third party that the information will be handled to the same level of controls

  • Confirmation as to the point at which the third party will take over responsibility for protecting the data (e.g. on confirmed receipt of the data)

  • The method of secure disposal of the transfer media and the timeline for disposal

  • The method for highlighting breaches in the transfer process

  • For data controller to data controller transfers (as opposed to a data controller to a data processor transfer), it needs to be clear that only necessary data is transferred to meet the purposes

  • Business procedures need to be in place to ensure that all such transfers are legal, justifiable and that only necessary data is transferred to meet the purposes

  • Particular attention should be focused on data made available to third party data processors under contract for testing purposes. Real/actual data should not be used for this purpose

  • Where personal data is processed on behalf of the school by third parties (data processors), are data processing agreements/service-level agreements in place? And do these comply with the law? See Content of the Service Agreement for further information and guidance.

  1. Keep it safe and secure

Appropriate security measures must be taken against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction.

  • Is access to the information (including authority to add/amend/delete records) restricted to authorised staff on a “need to know” basis?

  • Who has access to what information based on this “need to know” policy?

  • Are computer systems password protected, encrypted and protected by up-to-date anti-virus and firewall software?

  • Is information on computer screens and manual files kept out of view of callers to the school/office?

  • Are back-up procedures in operation for computer held data, including off-site back-up?

  • Are all reasonable measures taken to ensure that staff are made aware of the security measures and comply with them?

  • Are all waste papers, printouts etc. disposed of carefully?

  • Are steps taken to ensure that no unauthorised person can access data from computers which are no longer in use or subject to change of use?

  • Is there a designated person responsible for security?

  • Are there periodic reviews of the measures and practices in place?

  • Are premises secure when unoccupied?

  • Is there a contract in place with any data processor which imposes an equivalent security obligation on the data processor?

  • Do our staff know what to do if something goes wrong?

  • Do we have a Personal Data Security Breach Code of Practice in place?

  • Are all our staff fully trained in relation to the Personal Data Security Breach Code of Practice?

  • Are all our data processors aware of our Personal Data Security Breach Code of Practice?

  • Has our Personal Data Security Breach Code of Practice been incorporated into the data processing agreements/service-level agreements which we have in place with data processors? See Content of the Service Agreement for further information and guidance.

  1. Keep it accurate, complete and up-to-date

  • Are clerical and computer procedures adequate to ensure high levels of data accuracy?

  • Are appropriate procedures in place, including periodic review and audit, to ensure that each data item is kept up-to-date?

  • Is the school/ETB obtaining their up-to-date information from the appropriate source in the context of the particular family arrangements of that student. Schools/ETBs should be aware of the particular constitutionally protected status of the family based on marriage under Irish law.




  1. Ensure that it is adequate, relevant and not excessive

  • Is the information held adequate in relation to the purpose/s for which it is kept?

  • Is the information held relevant in relation to the purpose/s for which it is kept?

  • Is the information held not excessive in relation to the purpose/s for which it is kept?

  1. Retain it for no longer than is necessary for the purpose or purposes

  • Is a defined policy in place for the retention periods for all items of Personal Data kept?

  • Are there management, clerical and computer procedures in place to implement such a policy?

  • Is there a safe disposal/safe destruction policy in place for data which is being purged?

In general, Personal Data should not be kept for any longer than is necessary to fulfil the function for which it was first recorded. Retention times cannot be rigidly prescribed to cover every possible situation and schools need to exercise their individual judgement in this regard in relation to each category of record held. Guidance on the length of time for which personal data should be retained can be accessed by clicking onto the following link Records Retention schedule. However, the following particular requirements should be met:




  • Schools are advised by the Department of Education and Skills that school registers and roll books are required to be kept indefinitely within the school.



  • Pay, taxation and related school personnel service records should be retained indefinitely within the school, as advised by DES.




  • Where litigation may potentially arise in the future (e.g. in relation to accidents/personal injuries involving school personnel/students or accidents occurring on school property, or in relation to school duties or school activities) or where child-safeguarding issues have arisen in relation to a particular student or a particular member of staff (including volunteers), the relevant records should be retained indefinitely or until the possibility of litigation ceases, which may be very many years after the event first occurred. In such cases, schools will need to obtain specific legal advice.

Note: The statute of limitations is a complicated legal issue and varies from case to case. In general, the limitation period does not begin to run until the person concerned acquires knowledge of the facts giving rise to the claim but the statute of limitations period may be different in every case. In the case of minors who are not suffering under a mental disability or medical condition that would impair their capacity to give their consent, the limitation period does not begin to run until they reach their 18th birthday or later if the date of knowledge post-dates their 18th birthday. In the case of minors with special educational needs, it can be said that the statute of limitations may never expire, and therefore the school may be exposed to litigation many decades after the student has left the school. In the case of any person who has suffered from abuse, in general, the statute of limitations does not begin to run until the person has ceased to be under the “dominion” of that abuse, and determining this is a complex legal issue. There are cases which have come before the courts many decades after the alleged abuse and where the claimant has been successful notwithstanding the passage of time and where they have taken their claim long after the “normal” statute of limitations period has expired.

In line with the above, it is suggested that the day-to-day ordinary information on student files (such as class work, examination results, report cards) might, as a general rule, be retained for a period of seven years after the student has completed the Senior Cycle and/or reached the age of 18 whichever is the later (ie, 6 years in which to take a claim, plus 1 year for proceedings to be served on the school). However, some records may need to be retained indefinitely, such as those which relate to more sensitive or controversial matters such as:


  • child-safeguarding issues

  • reports to the HSE/An Garda Síochána

  • accidents/personal injuries involving school personnel/students

  • accidents occurring on school property, on School trips (ski trips, etc.) or in relation to school activities (sports matches etc)

  • allegations of bullying or harassment

  • disciplinary records, etc.

These records may include data which give additional information and background in relation to particular incidents, including:




  • incident report logs

  • correspondence to statutory bodies

  • notes of meetings

  • correspondence with parents

  • classroom notes

  • playground notes and

  • teacher notes.

Schools should formulate a schedule of retention periods for personal data they hold from the template Records Retention Schedule. This should be incorporated into the school’s Data Protection Policy.

  1. Give a copy of their Personal Data to that individual on request

On making an access request any individual (subject to the restrictions in Notes A and B below) about whom a school keeps Personal Data, is entitled to:

  • a copy of the data which is kept about him/her (unless one of the exemptions or prohibitions under the Acts applies in which case the individual will be notified of this and informed of their right to make a complaint to the Data Protection Commissioner)

  • know the purpose/s for processing their data

  • know the identity or categories of those to whom the data is disclosed

  • know the source of the data, unless it is contrary to the public interest

  • where the processing is by automated means (e.g. credit scoring in financial institutions where a computer programme makes the “decision” as to whether a loan should be made to an individual based on their credit rating), to know the logic involved in automated decisions.


To make an access request, an individual must:

  • apply in writing to the principal of the school using the Subject Access Request Form: see Data Access Procedures for Schools.

  • give any details which might be needed to help identify him/her and locate all the information the school may keep about him/her

  • pay an access fee if the school wishes to charge one. The school need not do so, but if it does it cannot exceed the prescribed amount of €6.35.

There are a number of exceptions to the general rule of Right of Access, including those specified in Notes A and B below.
Handling access requests: prompt questions

  1. Is a named person responsible for handling access requests?




  1. Are there procedures in place to provide applicants with access to Personal Data about themselves in accordance with the Data Protection Acts as detailed above?




  1. Have criteria been set down on what is sufficient to prove identity in order to access Personal Data?




  1. Is there a procedure in place to record any special arrangements regarding who is entitled to information relating to the child (e.g. where the grandparent is guardian of the child) or when in relation to the outcome of any legal proceedings which may limit the right of one or both parents to access information about their child? Note: If spouses are separated and one of them has obtained an order for custody but both of them remain guardians, then both of them are entitled to be involved in important decisions which affect the child. Schools should note that the Supreme Court has ruled that a non-custodial spouse would expect to be given information about their child. It may only be in exceptional circumstances that information about a child would not be given to a parent/guardian. Where one parent/guardian objects to the information in relation to their child being given to the other parent/guardian, the school should seek specific legal advice as to what steps to take.




  1. Are clear co-ordinated procedures in place to ensure that all relevant manual files and computers are checked for the data in respect of which the access request is made?




  1. Is there a procedure in place to rectify or erase any inaccurate, unfairly collected or excessive information, as identified by the individual on whom the data is kept, within 40 days of the request being made (subject to the proviso that the right of rectification or erasure is not absolute and may not be appropriate in all cases)?




  1. Is information supplied promptly and within 40 days of receiving the request or, in respect of examinations data, within 60 days of receiving the request or 60 days of first publication of the results (whichever is the later)?




  1. Is the information provided in a form which is clear to the ordinary person?




  1. Is the individual informed within 40 days of the request if no information is held on them?




  1. Is the fee charged (if any) refunded to the individual if the request is not complied with or if it is necessary to rectify, supplement or erase the Personal Data concerned?


Note A: Access requests by students

Access Requests by Students: Age of Consent for Access Requests

In relation to access requests made by a student, the Office of the Data Protection Commissioner has recommended that the following guidance be followed as a general rule:

- A student aged eighteen years or older (and not suffering under any medical disability or medical condition which may impair his or her capacity to give consent) may give consent themselves.
- If a student aged eighteen years or older has some disability or medical condition which may impair his or her ability to understand the information, then parental/guardian consent will be sought by the school before releasing the data to the student.
- A student aged from twelve up to and including seventeen can be given access to their personal data, depending on the age of the student and the nature of the record, i.e. it is suggested that:


  • If the information is ordinary, routine or non-controversial (e.g. a record of a test result) the student could readily be given access




  • If the information is of a sensitive nature, it would be prudent to seek parental/guardian consent in writing before releasing the data to the student. Where the parent/guardian does not give their consent to releasing the data to the student, legal advice should be sought




  • If the information would be likely to be harmful to the individual concerned, parental/guardian consent should be sought before releasing the data to the student.

- In the case of students under the age of twelve, an access request may be made by their parent or guardian on the student’s behalf. The consent of the child need not be obtained. However, the school/ETB must note that the right of access is a right of the data subject themselves (i.e. it is the right of the student). Therefore, access documentation should be addressed to the child/student at his/her address which is registered with the school as being his/her home address. It should not be addressed or sent to the parent who made the request. This may present particular difficulties in the case of separated parents. For further guidance and information in relation to parent/guardian access requests, please see Parental Access Requests below.


Copy to Parents where Students Make Access Request

Where an access request is made by a student under 18 years, the school/ETB may choose to have a provision in the school’s Data Protection Policy informing the student that:




  1. Where they make an access request, their parents will be informed that they have done so




  1. A complete copy of the access request materials being furnished to the data subject by the school/ETB will also be furnished to the student’s parent/guardian.

This is in recognition of the constitutionally protected position of the family based on marriage under Irish law. If the school chooses to include such a provision in the Data Protection Policy, it would be prudent to include reference to same in the Subject Access Procedures for School form, reminding students that this will be done.


Parental Access Requests

A parent/guardian may make an access request asking for their child’s data. The school/ETB has to remember at all times that the right of access is a right of the data subject (i.e. it is the student’s right) and therefore the parent/guardian is making the request on behalf of the child. In such a case, the access materials should be sent to the child, not to the parent who requested them. This means that the documentation should be sent to the address at which the child is registered on the school’s records, and should be addressed to the child. The documentation should not be sent to or addressed to the parent/guardian who made the request.


Where parents are separated/estranged, it can be difficult for one parent to accept that they may have less involvement in their child’s life. They may feel that they do not have all the information in relation to their child’s life in school. Accordingly, the parent may see a Section 4 access request as an opportunity to “look into the life of the child”. As access materials are sent to the child themselves (not to the parent who made the request), the non-custodial parent may feel frustrated by the lack of information. In such circumstances, the school/ETB may invite the parent to make an application under Section 11 Guardianship of Infants Act 1964 which enables the court (on application by a guardian) to make a direction on any question affecting the welfare of the child. Where a court issues an order stating that a school should make certain information available to a parent, the school can release the data on foot of the court order.
Note B: Exceptions to note:

Data protection regulations prohibit the supply of:




  • Health data to a patient in response to a request for access if that would be likely to cause serious harm to his or her physical or mental health. This is to protect the individual from hearing anything about himself or herself which would be likely to cause serious harm to their physical or mental health or emotional wellbeing. In the case of health data, the information can only be released after the school/ETB has consulted with the appropriate health professional (usually the data subject’s GP).




  • Personal Data obtained in the course of carrying on social work (“social work data”) (personal data kept for or obtained in the course of carrying out social work by a Government department, local authority, the HSE, TUSLA, etc) is also restricted in some circumstances if that would be likely to cause serious harm to the health or emotional condition of the data subject concerned. In the case of social work data, the information cannot be supplied at all if the school/ETB believes it would be likely to cause serious harm to the physical or mental health or emotional condition of the data subject. If the social work data includes information supplied to the school/ETB by an individual (other than one of the school’s/ETB’s employees or agents) while carrying out social work, the school/ETB is not permitted to supply that information to the data subject without first consulting that individual who supplied the information.

The Data Protection Acts state that the following data is exempt from a data access request:




  1. Section 5 of the Data Protection Act provides that the right of access does not apply in a number of cases in order to strike a balance between the rights of the individual, on the one hand, and some important needs of civil society on the other hand. Examples would include the need for state agencies (like An Garda Síochána) to investigate crime effectively and the need to protect the international relations of the State.




  1. Estimates of liability: where the personal data consists of or is kept for the purpose of estimating the amount of the liability of the school/ETB on foot of a claim for damages or compensation and where releasing the estimate would be likely to prejudice the interests of the school/ETB in relation to the claim, the data may be withheld.




  1. Legally privileged information: the general rule is that all documentation prepared in contemplation of litigation is legally privileged. So correspondence between the school/ETB and their solicitors in relation to a case against the school/ETB should not be disclosed to the claimant pursuant to a data access request.




  1. Section 4 states that the right of access does not include a right to see personal data about another individual, without that other person’s consent. This is necessary to protect the privacy rights of the other person. If it is reasonable for the school/ETB to conclude that redacting or omitting the particulars identifying the third party would both conceal the identity of the third party and enable the data to be disclosed (subject to the redactions), then the data could be disclosed with such redactions. However, if it is not possible to redact or omit the particulars which identify a third party, then the affected data should not be released to the applicant.




  1. Section 4 also states that where personal data consists of expressions of opinion about the data subject made by another person, the data subject has a right to receive that expression of opinion except where that expression of opinion was given in confidence and on the clear understanding that it would be treated as confidential.




  1. The obligation to comply with an access request does not apply where it is impossible for the school/ETB to provide the data or where it involves a disproportionate effort.

Where a school/ETB refuses to hand over some or all of the personal data they hold in relation to a data subject (on the basis of any of the exemptions or prohibitions set out above), the school/ETB must advise the data subject of this in writing, setting out reasons for the refusal, and notifying the data subject that he or she has the right to complain to the Office of the Data Protection Commissioner about the refusal. For further information, see What if a school/ETB refuses an access request?



January 2015


Download 116.75 Kb.

Share with your friends:




The database is protected by copyright ©ininet.org 2024
send message

    Main page