Access Keys:

Holly Hill Church School, Birmingham

Data Protection & GDPR

The ‘General Data Protection Regulation’ (GDPR) outlines how we can use personal data relating to you and your child and keep it safe. It also strengthens your rights over this personal data.

This area of our website informs you about how we are compliant with The Data Protection Act (2018).

How we process, use and store personal data

We follow GDPR guidelines in ensuring all your data is safe. Our Data protection Policy can be found below or in our policies area of the website.

Privacy Notices

Under data protection law, individuals have a right to be informed about how the school uses any personal data that we hold about them. We comply with this right by providing ‘privacy notices’ to individuals where we are processing their personal data:  

  • Pupils (via their parent / carer) on joining our school.
  • Staff during recruitment and on starting work at Holly Hill. 
  • Visitors to the school

Data Protection Impact Assessments are available below, which detail particular software we use at Holly Hill, and how we are ensuring we follow the Data protection guidelines, in keeping data safe. These have been updated in line with new Covid-19 restrictions. 

Freedom of information

Publication scheme

All public authorities, including schools, are required under the Freedom of Information Act to adopt a publication scheme that has been approved by the Information Commissioner.

There is currently one approved model publication scheme, which has been produced by the Information Commissioner’s Office (ICO).

Schools must adopt the ICO’s model scheme and make it publicly available.

View the ICO's model publication scheme

Our published guide to information

Schools should publish a guide to information alongside the publication scheme.

The guide should specify:

  • the documents available
  • the format of the documents
  • any charges made for the information


Subject access requests (SARS)

Individuals have the right to access the personal data and supplementary information we hold about them. This allows them to be aware of, and verify the lawfulness of, you processing this data. 

This right applies to everyone whose personal data our school holds, including staff, governors, volunteers, parents, carers and pupils. 

The law

Under the General Data Protection Regulation (GDPR), we:

  • must provide the information free of charge
  • must comply within 1 month
  • should provide the information in a commonly used electronic format, if the request was made electronically

Who deals with subject access requests?

The school’s Data Protection Officer will deal with all subject access requests received. This is based on advice from the Information Commissioner’s Office’s guidance.

How we will respond to subject access requests

On receiving a request, our Data Protection Officer will contact the individual via phone to confirm the request was made. We will then verify the identity of the person making a request using ‘reasonable means’. Generally, this means we will ask for two forms of identification.

In most cases, we will provide the information within 1 month, and free of change. If the request is complex or numerous, we can comply within 3 months, but we will inform the individual of this within 1 month and explain why the extension is necessary.

If the request is made electronically, we will provide the information in a commonly used electronic format.

We recognise that school holidays are counted in the response time and if we receive a request in the school holidays, we will still respond within the same time frame.

Unfounded or excessive requests

If the request is unfounded or excessive, we will either:

  • charge a reasonable fee for you to comply, based on the administrative cost of providing the information
  • refuse to respond
  • comply within 3 months, rather than the usual deadline of 1 month; however, we will always inform the individual of this and will explain why

Usually, ‘unfounded' or 'excessive’ means that the request is repetitive, or asks for further copies of the same information.

Refusing a request

When we refuse a request, we will:

  • respond to them within 1 month
  • explain why we are refusing the request
  • inform the individual that they have the right to complain to the Information Commissioner's Office