Data Protection: Staff as Data Processors
The University's Data Protection policy sets out the University's responsibilities under the DPA and encompasses the responsibilities of staff.
It is your responsibility to treat personal data confidentially. You must ensure that computer records are password protected and papers locked away when not in use. You must not disclose a student or staff member's personal data to anyone without that person's consent, except in the instances mentioned below.
All members of staff must be aware of the data protection principles and must adhere to them whenever processing data. Importantly, you must not look at any more data than you need in order to carry out your work. Failure to follow the Data Protection policy can result in a breach of the DPA and may result in disciplinary proceedings within the University.
Members of staff - and particularly those dealing with students - will often receive enquiries from third parties asking for information. You should not give out information to anyone, or confirm any information given to you by the third party, except in the following instances:
a) to state what qualification a student has received (this information is already in the public domain through the graduation programme and so can be confirmed)
b) where a student or member of staff has given permission either by contacting the University directly to ask us to provide the information (e.g. for a reference), or where we have a copy of a statement signed by the student or the member of staff authorising someone to check on their details (e.g. when an employment agency is checking the validity of the student's or member of staff's application)
c) where the information is required by law - possibly a request from a police officer, and
d) where the vital interests of a student or member of staff are involved, e.g. where a student or staff member is very ill and requires immediate medical treatment.
If you are ever uncertain whether to release the information requested, please contact the University's Data Protection Officer, Samantha Hill, on 023 9284 3642 to discuss the matter. However, any request made under the circumstances at c) and d) above should always be referred to the Data Protection Officer.
If you receive a request from a police officer, that request must be accompanied by a form that sets out the legislation under which the information is requested, why the information is needed and exactly what it is required for. Whilst it is the University's wish to be as helpful as possible in cases where a criminal offence is alleged to have occurred, only that information which is directly related to the enquiry should be released. Always refer a request for information from the police to the Data Protection Officer.
You will most probably receive requests from parents or relatives of students (generally) for information about their son/daughter/partner or relative. Students' relatives do not have an automatic right to any information about a student. In cases where you are asked to provide information or contact details, offer instead to pass a message along to the student asking him/her to contact the person trying to contact them. This also applies to other students trying to contact their colleagues.
In the case of sponsored students, the sponsors do not have an immediate right to information about the student they have sponsored, unless that right has been agreed in a contract with the student. Therefore, ask to see copies of the sponsorship contract for details of prior agreement given by the student to pass on the information. If the University does not hold a copy of the prior agreement, you must contact the student concerned before passing any details to a sponsor.
Finally, students and members of staff are entitled to ask to see the information the University holds about them. This is called a Subject Access Request (SAR) and should be referred to the University's Data Protection Officer.
There are a number of classes of information which are classified as sensitive under the Data Protection Act - see sensitive personal data for further details - and which require a more careful approach when being processed. Such data might cover, e.g., recording information about dietary needs, for religious or health reasons, prior to taking students on a field trip. Where staff need to record this information, they must ensure that students are made aware of the reasons for, and need to collect, this data and understand that, by providing the data, they have given the University permission to process that data.
Sensitive personal data must only be processed by those who need to do so as part of their work, unless it is in the vital interests of the student or staff member to disclose the sensitive personal data.
All information must be kept securely, but sensitive information must be held in locked cabinets or be password protected, with limited access to it.
There are different retention periods for the different types of personal data held about students and staff. Retention periods for student records are contained in the document Retention Policy; Student and Course Records. Staff records should be kept in accordance with the time periods set out in the Staff and Financial Records Retention Schedule.