Citizens Rights


Transparency and Information

Articles 12-14 of the GDPR

There are new requirements to publish more information in Privacy Notices - these include the contact details of your Data Protection Officer; the purpose and lawful basis for processing personal data; how long you keep the data for; who you share personal data with and so on.  

Access to Personal Data

Article 15 of the GDPR

Otherwise known as a Subject Access Request- this enhanced right entitles pupils, parents/guardians and employees to receive a copy of the information the school holds on them for free and within one month. Maintained schools have additional duties under The Education (Pupil Information) (England) Regulations 2005 and must provide education files to parents/guardians within 15 pupil days.

Rectification and Erasure

Articles 16 and 17 of the GDPR

Individuals are entitled to have inaccurate personal data rectified or incomplete information completed and  have their personal data deleted in cases where the data is no longer needed or if the individual withdraws consent. This right does not require a school to delete data upon request, if the school is complying with a legal obligation in holding it, for example if the school is required under statute to collect and retain the data for a certain length of time.

Object to Direct Marketing

Article 21 of the GDPR

By default, individuals have the right not to receive direct marketing, which means that schools will have to gain explicit 'opt-in' consent before sending out marketing material. This will be relevant where schools target individuals for fundraising; advertise their school prospectus or send out advertising literature for other organisations.