The GDPR strengthens the rights that all of us have over our own data. We talked about one of the principle rights to tell clearly data subjects what the data controller intends to do with the data in the previous segment.
In addition to the right of transparency, the GDPR give people the following rights:
Right of access – the GDPR continues the existing right of people to request a copy of the data that the school holds. The principle changes are that data controllers can no longer charge a fee and they must provide a copy of the data within 30 days. Failure to provide a response to an access request is one of the most complained about issues to the ICO. It is essential that all School staff can recognise an access request and that the procedure set out in Schools GDPR is commenced as soon as the request is received.
Right to rectification – this right is for the data subject to have any inaccurate data corrected. Schools will always aim to have accurate personal data so while correcting data is not an issue, there still needs to be a written procedure to support it.
Right to erasure – this is known as the right to be forgotten. Schools process most of their data for a statutory purpose and this statutory purpose will often have greater strength than the right to erasure. Schools GDPR has included a process for how the request should be considered and either acted on or denied
Right to data portability – this is an extension of the right to access. Individuals have a right to request the transfer of electronic personal data to another data controller. Many Schools will already be using School Information Systems that permit pupil data to be transferred to a pupil’s new school.
For all these rights Schools GDPR have a template procedure and letters to be used, these will save you a lot of time.