DATA ACCESS PROCEDURES POLICY

The Data Protection Acts, 1988 and 2003 provide for a right of access by an individual data subject to personal information held by St. Coen’s National School, Rathnew. The following procedure is provided to ensure compliance with the school’s obligations under the Acts and governs the manner in which requests for access to personal data will be managed by the school.

A data subject would be required to familiarize themselves with the procedure and to complete the Personal Data Access Request Form which will assist the school in processing the access request where personal information (or in the case of a parent/guardian making an access request on behalf of a student, personal information in relation to their child) as a data subject is processed and retained by the school.

It is important to note that only personal information relating to the individual (or in the case of a parent/guardian making an access request on behalf of a student, only personal information in relation to his/her/their child) will be supplied. No information will be supplied that relates to another individual.

Important note to students making access requests:

Where a student (aged under 18 years) makes an access request, the school may inform the student that:

1. Where they make an access request, their parents will be informed that they have done so; and
2. A complete copy of the access request materials being furnished to the data subject by the school will also be furnished to the student’s parent/guardian.

This is provided for in the school’s Data Protection Policy. The right of access under the Data Protection Acts is the right of the data subject. However, there may be some data held by the school which may be of a sensitive nature and the school will have regard to the following guidance issued by the Office of the Data Protection Commissioner in relation to releasing such data.

A student aged from twelve up to and including seventeen can be given access to their personal data, depending on the age of the student and the nature of the record, i.e. it is suggested that:

• If the information is ordinary, routine or non-controversial (e.g. a record of a test result) the student could readily be given access;
• If the information is of a sensitive nature, it would be prudent to seek parental/guardian consent before releasing the data to the student;
• If the information would be likely to be harmful to the individual concerned, parental/guardian consent should be sought before releasing the data to the student.

In the case of students under the age of twelve, an access request may be made by their parent or guardian on the student’s behalf. However, the school must note that the right of access is a right of the data subject themselves (i.e. it is the right of the student). Therefore, access documentation should be addressed to the child at his/her address which is registered with the school as being his/her home address. It should not be addressed or sent to the parent who made the request. For further information, see “Important Note to Parents Making Access Requests on Behalf of their Child” below.

Important note to parents making access requests on behalf of their child:

Where a parent/guardian makes an access request on behalf of their child (a student aged under 18 years), the right of access is a right of the data subject (i.e. it is the student’s right). In such a case, the access materials will be sent to the child, not to the parent who requested them. This means that the access request documentation will be sent to the address at which the child is registered on the school’s records and will be addressed to the child. The documentation will not be sent to or addressed to the parent/guardian who made the request. Where a parent/guardian is unhappy with this arrangement, the parent/guardian is invited to make an application to court under section 11 of the Guardianship of Infants Act 1964. This provision enables the court (on application by a guardian) to make a direction on any question affecting the welfare of the child. Where a court issues an order stating that a school should make certain information available to a parent/guardian, a copy of the order should be given to the school by the parent/guardian and the school can release the data on foot of the court order.

Individuals making an access request:

On making an access request, any individual (subject to the restrictions in Notes A and B below) about whom the school keeps Personal Data, is entitled to:

• a copy of the data which is kept about him/her (unless one of the exemptions or prohibitions under the Data Protection Acts apply, in which case the individual will be notified of this and informed of their right to make a complaint to the Data Protection Commissioner);
• know the purpose/s for processing his/her data;
• know the identity (or the categories) of those to whom the data is disclosed;
• know the source of the data, unless it is contrary to public interest;
• where the processing is by automated means (e.g. credit scoring in financial institutions where a computer program makes the “decision” as to whether a loan should be made to an individual based on his/her credit rating) know the logic involved in automated decisions.

Data access requirements:

To make an access request, you as a data subject must:

1. Apply in writing requesting access to your data under Section 4 of the Data Protection Acts or, alternatively, request an Access Request Form which will greatly assist the school in processing your access request more quickly.

In the case of this school, correspondence should be addressed to the Chairperson of the Board of Management.

2. You will be provided with a form which will assist the school in locating all relevant information that is held subject to the exceptions and prohibitions outlined in Appendix A. The school reserves the right to request official proof of identity (e.g. photographic identification such as a passport or driver’s licence) where there is any doubt on the issue of identification.

3.On receipt of the access request form, a co-ordinator will be appointed to check the validity of your access request and to check that sufficient information to locate the data requested has been supplied (particularly if CCTV footage/images are to be searched).

In the case of this school, the co-ordinator is the Chairperson of the Board of Management.

It may be necessary for the co-ordinator to contact you in the event that further details are required with a view to processing your access request.

4. The co-ordinator will log the date of receipt of the valid request and keep a note of all steps taken to locate and collate the requested data.

5. The co-ordinator will ensure that all relevant manual files (held within a “relevant filing system”) and computers are checked for the data in respect of which the access request is made.

6. The co-ordinator will ensure that the information is supplied promptly and within the advised timeframes in items 7, 8 and 9 as appropriate.

7. Where a request is made under Section 3 of the Data Protection Acts, the following information will be supplied: (i) what the school holds by way of personal information about you (or in the case of a request under section 3 made by a parent/guardian of a student aged under 18 years, then the personal information held about that student) and (ii) a description of the data together with details of the purposes for which his/her data is being kept will be provided. Actual copies of your personal files (or the personal files relating to the student) will not be supplied. No personal data can be supplied relating to another individual. A response to your request will be provided within 21 days of receipt of the access request form and no fee will apply.

8. Where a request is made under Section 4 of the Data Protection Acts, the following information will be supplied within 40 days and an administration fee of €6.35 will apply. The individual is entitled to a copy of all personal data, i.e.:

• A copy of the data which is kept about him/her (unless one of the exemptions or prohibitions under the Data Protection Acts applies, in which case the individual will be notified of this and informed of his/her right to make a complaint to the Data Protection Commissioner);
• Be advised of the purpose/s for processing his/her data;
• Be advised of the identity (or the categories) of those to whom the data is disclosed;
• Be advised of the source of the data, unless it is contrary to public interest;
• where the processing is by automated means (e.g. credit scoring in financial institutions where a computer program makes the “decision” as to whether a loan should be made to an individual based on his/her credit rating), know the logic involved in automated decisions.

9. Before supplying the information requested to you as data subject (or where the access request is made on behalf of a student aged under 18 years, information relating to the student), the co-ordinator will check each item of data to establish:

• If any of the exemptions or restrictions set out under the Data Protection Acts apply, which would result in that item of data not being released; or
• where the data is “health data”, whether the obligation to consult with the data subject’s medical practitioner applies; or
• where the data is “social work data”, whether the prohibition on release applies.

10. If data relating to a third party is involved, it will not be disclosed without the consent of that third party or alternatively the data will be anonymised in order to conceal the identity of the third party. Where it is not possible to anonymise the data to ensure that the third party is not identified, then that item of data may not be released.

11. Where a school may be unsure as to what information to disclose, the school reserves the right to seek legal advice.

12. The co-ordinator will ensure that the information is provided in an intelligible form (e.g. codes explained) or will provide an explanation.

13. Number the documents supplied.

14. Have the response “signed-off” by an appropriate person.

In the case of this school, the appropriate person is the Chairperson of the Board of Management.

15. The school will respond to your access request within the advised timeframes contingent on the type of request made.

16. The school reserves the right to supply personal information to an individual in an electronic format e.g. on tape, USB, CD etc.

17. Where a subsequent or similar access request is made after the first request has been complied with, the school has discretion as to what constitutes a reasonable interval between access requests and this will be assessed on a case-by case basis.

18. Where you as an individual data subject may seek to rectify incorrect information maintained by the school, please notify the school and a form will be supplied to you for this purpose. You should however note that the right to rectify or delete personal data is not absolute. You have the right to make a complaint to the Data Protection Commissioner about a refusal. Where the school declines to rectify or delete the personal data as you have instructed, the school may propose to supplement your personal record, pursuant to section 6(1)(b) Data Protection Acts.

19. In circumstances where your access request is refused, the school will write to you explaining the reasons for the refusal and the administration fee, if provided, will be returned. In such circumstances, you have the right to make a complaint to the Office of the Data Protection Commissioner www.dataprotection.ie. Similarly, the administration access fee will be refunded to you if the school has to rectify, supplement or erase your personal data.

20. Where requests are made for CCTV footage, an application must be made in writing and the timeframe for response is within 40 days. All necessary information such as the date, time and location of the recording should be given to the school to assist the school in dealing with your request. Where the image is of such poor quality as not to clearly identify an individual, that image may not be considered to be personal data. In providing a copy of personal data, the school may provide the materials in the form of a still/series of still pictures, a tape, disk, USB, with relevant images. Other people's images will be obscured before the data is released. If other people’s images cannot be obscured, then the images/recordings may not be released.

There are a number of exceptions to the general rule of right of access, including those specified in Notes A and B in Appendix A. (See below)

This procedure is regularly reviewed in line with the school’s commitment to its responsibilities under data protection.

This policy was ratified by the Board of Management on: 25/2/2021.

Signed:
Mary Murphy
Chairperson BOM
Date: 25/2/2021

Lee Kavanagh
Principal/Secretary BOM
Date: 25/2/2021

APPENDIX A

Note A: Access requests by students:

• A student aged from twelve up to and including seventeen can be given access to their personal data, depending on the age of the student and the nature of the record, i.e. it is suggested that;
• If the information is ordinary, routine or non-controversial (e.g. a record of a test result) the student could readily be given access;
• If the information is of a sensitive nature, it would be prudent to seek parental/guardian consent in writing before releasing the data to the student. Where the parent/guardian does not give their consent to releasing the data to the student, legal advice should be sought;
• If the information would be likely to be harmful to the individual concerned, parental/guardian consent should be sought before releasing the data to the student.
• In the case of students under the age of twelve, an access request may be made by their parent or guardian on the student’s behalf. The consent of the child need not be obtained. However, the school must note that the right of access is a right of the data subject themselves (i.e. it is the right of the student). Therefore, access documentation should be addressed to the child at his/her address which is registered with the school as being his/her home address. It should not be addressed or sent to the parent who made the request. For further information, see “Important Note to Parents Making Access Requests on Behalf of their Child” below.
• In any of the circumstances outlined above, if the data contains health data and disclosure would be likely to cause serious harm to the physical or mental health of the individual concerned, the school is obliged to withhold the data until they have consulted with the data subject’s medical practitioner and (in the case of a student under 18 or a student with special educational needs whose disability or medical condition would impair his or her ability to understand the information), parental/guardian consent should also be sought.
• In some cases, (i.e. where the information is “health data”), it is advised that the data be supplied by the medical practitioner.
• In any of the circumstances outlined above, if the data contains social work data and disclosure would be likely to cause serious harm to the physical or mental health of the individual, the school/ETB is not permitted to release the data to the individual.

Note B: Exceptions to note:

Data protection regulations prohibit the supply of:

• Health data to a patient in response to a request for access if that would be likely to cause serious harm to his or her physical or mental health. This is to protect the individual from hearing anything about himself or herself which would be likely to cause serious harm to their physical or mental health or emotional well-being. In the case of health data, the information can only be released after the school has consulted with the appropriate health professional (usually the data subject’s GP).
• Personal Data obtained in the course of carrying on social work (“social work data”) (personal data kept for or obtained in the course of carrying out social work by a Government department, local authority, Tusla etc.) is also restricted in some circumstances if that would be likely to cause serious harm to the health or emotional condition of the data subject concerned. In the case of social work data, the information cannot be supplied at all if the school believes it would be likely to cause serious harm to the physical or mental health or emotional condition of the data subject. If the social work data includes information supplied to the school by an individual (other than one of the school’s employees or agents) while carrying out social work, the school is not permitted to supply that information to the data subject without first consulting that individual who supplied the information.

The Data Protection Acts state that the following data is exempt from a data access request:

1. Section 5 of the Data Protection Act provides that the right of access does not apply in a number of cases in order to strike a balance between the rights of the individual, on the one hand, and some important needs of civil society on the other hand. Examples would include the need for state agencies (like An Garda Síochána) to investigate crime effectively and the need to protect the international relations of the State.
2. Estimates of liability: where the personal data consists of or is kept for the purpose of estimating the amount of the liability of the school on foot of a claim for damages or compensation and where releasing the estimate would be likely to prejudice the interests of the school in relation to the claim, the data may be withheld.
3. Legally privileged information: the general rule is that all documentation prepared in contemplation of litigation is legally privileged. So correspondence between the school and their solicitors in relation to a case against the school should not be disclosed to the claimant pursuant to a data access request.
4. Section 4 states that the right of access does not include a right to see personal data about another individual, without that other person’s consent. This is necessary to protect the privacy rights of the other person. If it is reasonable for the school to conclude that redacting or omitting the particulars identifying the third party would both conceal the identity of the third party and enable the data to be disclosed (subject to the redactions), then the data could be disclosed with such redactions. However, if it is not possible to redact or omit the particulars which identify a third party, then the affected data should not be released to the applicant.
5. Section 4 also states that where personal data consists of expressions of opinion about the data subject made by another person, the data subject has a right to receive that expression of opinion except where that expression of opinion was given in confidence, and on the clear understanding that it would be treated as confidential.
6. The obligation to comply with an access request does not apply where it is impossible for the school to provide the data or where it involves a disproportionate effort.

Where a school refuses to hand over some or all of the personal data they hold in relation to a data subject (on the basis of any of the exemptions or prohibitions set out above), the school must advise the data subject of this in writing, setting out reasons for the refusal and notifying the data subject that he or she has the right to complain to the Office of the Data Protection Commissioner about the refusal.

A Data Access Request Form is available for download below: