St Patrick’s GDPR

The General Data Protection Regulation (GDPR) is a new, Europe-wide law that replaces the Data Protection Act 1998 in the UK with effect from 25th May 2018. The GDPR sets out requirements for how organisations will need to handle personal data from 25th May 2018.

Schools have a legal duty to comply with the GDPR.

GDPR does not prevent, or limit, the sharing of information for the purposes of keeping children safe. Lawful and secure information sharing between schools, Children’s Social Care, and other local agencies is essential for keeping children safe and ensuring they get the support they need. A great deal of the personal data processed by schools falls under the legal basis ‘in the public interest’. As it is in the public interest that schools are operated successfully, specific consent from parents will not be required in the majority of cases within schools.

The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified by the data.

Data subjects have a right to access data. One way they can do this is through a Subject Access Request (SAR), which can be a request to see part or all of the data a school holds about their child. A SAR must be received in writing.

You are entitled to submit subject access requests all year round, but please bear in mind that it may be necessary for us to extend the response period when requests are submitted over the summer holidays. This is in accordance with Article 12(3) of the GDPR, and will be the case where the request is complex – for example, where we need multiple staff to collect the data.