This is largely because interested parties, such as parents and staff, are more aware of their information law rights.
This position is set to continue when the General Data Protection Regulation (GDPR) applies, from 25 May 2018. Individuals will have additional and stronger rights and it will be able to bring a claim more easily for infringement of their school rights.
When serious incidents occur, agencies and regulators such as the National College for Teaching and Leadership and the Charity Commission may request information from you. Before sharing information, you should make sure that there is a legal basis for doing so and that excessive information is not shared. While it is important that you co-operate with outside agencies, if this is not handled correctly there is a risk that the individual whose information is shared may complain that you have breached his or her data protection rights.
Individuals have the right to a copy of the information which your school holds about them, subject to various limited exemptions. This is known as making a subject access request (SAR) and this right will remain under the GDPR. We often see parents and staff making a SAR when they have a grievance. Their objective is to find information which would be damaging to your school. These requests become particularly complicated when medical and safeguarding information is involved.
Individuals can complain to the Information Commissioner's Office (ICO) about your school's handling of their SAR at no personal cost to them. Even if the ICO do not take any enforcement action against your school, liaising with the ICO following a complaint can be time consuming and resource intensive.
Schools often get caught in the middle of family breakups. Parents sometimes make a SAR to try to obtain information on their former partner, which they hope to use in court proceedings. This type of request places you in a difficult position. Parents may also claim that their data protection rights have been breached if your school shares their information with their former partner where there is no legal basis for doing so.
The police and local authorities may ask your school for information connected to their investigations. This may or may not be connected to incidents at your school. For example, if a local authority considers that the parent of a pupil is committing benefit fraud, it may ask you to supply information about the payment of school fees.
There is no obligation to provide the information unless a court order has been obtained. That being said, in our experience most schools are keen to co-operate with the authorities. There is an exemption under data protection legislation which allows you to disclose personal data if not disclosing the information is likely to prejudice tasks such as the prevention or detection of crime. The application of this exemption is complicated and we recommend that you seek legal advice. If information is disclosed where the exemption does not apply, this is likely to constitute a breach of the individual's rights which might lead to a complaint or legal claim.