Student Matters

Alumni

When processing personal data the alumni office must adhere to the data protection principles, and also take account of the fact that data subjects can request that their personal data are not processed for direct marketing purposes.

The alumni office should ensure that:

• Students are informed when their personal data is being collected that it will be used for alumni purposes and that the institution will wish to maintain contact with them after they finish their course of study.
• Students and alumni are able to opt out of the collection and processing of their personal data for such purposes.
• Students and alumni are able to request that where personal data is collected and processed for alumni contact purposes, the data is not subsequently used for direct marketing purposes.
• The mailing of University magazines and the solicitation of funds for charitable purposes may not constitute "direct Marketing." However, if the University magazine contains advertising inserts, this may be considered the direct marketing of products and services for which an opt-out clause should be included.

Disclosure of Results

As personal data, examination results should not be disclosed to third parties without the data subjects consent. Disclosure of results should be confined to a traditional local and limited nature. Students should be made aware of where, and how, they may expect to see their results posted; and still retain the right to object to the use of their data in such a way. *See forthcoming Academic Regulations.

Examination Scripts/Marks

Examination scripts are exempt from data subject access because they are statements from the students, not data about them. Hence a student could not use the Act to obtain a copy of an exam script they had produced. However, examiners comments on the context of scripts can be disclosed, whether recorded on the script or held separately. This applies to external as well as internal examiners, and is true even of material marked "blind" (because codes must exist somewhere that allow the identity of the student to be determined). Students have the right of access to data consisting of the marks given, and any comments on which they were based. In addition Departments should be aware that Minutes of examination meetings could also be disclosed under the Act, where they mention individual students by name or candidate number. *See forthcoming Academic Regulations.

Records Management Programme

The Data Protection Act (1998) and Freedom of Information Act (2000) highlight the importance of an effective Records Management Programme for the retrieval of information. We have an extensive Records Retention Schedule and Records Retention Policy in place, which staff should familiarise themselves with. These documents are available via the following link:

/services/secretariate/rco/home.cfm

References

References given by the University
Confidential references given by members of the University are exempted from subject access requests where those references relate to:

• Appointment of the data subject to any office
• education, training or employment of the data subject
• provision by the data subject of any service

Avoid telephone or verbal references. Wherever possible, provide a written reference.

The University can use discretion in refusing to release confidential references written on their behalf if requested to do so in or as part of, a subject access request.

References received by the University
Confidential references received by the University are not exempt from the right of access, but consideration must be given to the data privacy rights of the referee. Information contained in, or relating to, a confidential reference can be withheld in response to a subject access request, if the release of this information would identify an individual referee unless:

• the identity of the referee can be protected by anonymising the information;
• the referee has given their consent, or;
• it is reasonable in all the circumstances to release the information without consent.

In cases where a confidential reference discloses the identity of an organisation, but not an identifiable individual, as referee, disclosure will not breach data privacy rights and the subject access request should be facilitated.

The University may not refuse to disclose references received in confidence from third parties without providing reasons.

In addition People have access to references about themselves under a Subject Access Request. If you refuse, as the "holder" but not the writer then the data subject can approach the Information Commissioners Office who can then issue an enforcement notice It should therefore be noted that anything a referee writes MAY be shown to the data subject.

References Internal to the University
Internal references are subject to the same criteria as an external confidential reference received from a third party. Generally speaking writers of references should ensure that statements are accurate, that facts are differentiated from opinions (which should be based on verifiable information), that the writer should only make statements that he or she is qualified to make etc.

Third Party Requests
Where staff receive requests from third parties for references in respect of students or ex-students care needs to be taken in the provision of accurate information and in ensuring that the student or ex-student has consented to the release of personal data. Staff must therefore ensure that details of any academic record are confirmed with the Department of Academic Administration, and that they have confirmation of the students consent to the release of such data. Failure to do so contravenes the Act and may lead to disciplinary action. Staff may refer requests for such information to the Records & Compliance Officer.

Research

Data collected fairly and lawfully for one piece of research can ONLY be used for other research if it has been completely ANONYMISED. It is essential that the final results of the research do not identify the individual. Researchers should be aware that the processing of any information relating to an identifiable living individual constitutes personal data processing and is subject to the provisions of the Data Protection Act (1998). The Data Protection Act allows for this situation by granting an exemption from the fifth data protection principle. The exemption allows personal research data to be retained indefinitely, but only as long as

• the data is not processed to support measures or decisions taken at some future time with respect to particular individuals, and
• the data is not processed in such a way that substantial damage or distress is, or is likely to be, caused to any data Subject.

This exemption is only applicable to research, and cannot be used to provide information about a particular individual. Personal data used for research purposes are exempt from the subject access provisions, of the Data Protection Act (1998), provided that the individual is not identifiable from the results.

Returning Student Coursework

Procedures should be put in place for students collecting completed coursework. Students should not have access to other students coursework. Staff should ask for the student id and return their coursework to them individually. By adapting this practice it ensures that students personal information is kept confidential and no unnecessary distress is caused to the individual by exposure to personal information i.e. Date of birth or coursework result.

Third Party Processors

If the University employs another party to deal with information about individuals, for example to prepare the Universitys payroll, conduct a questionnaire or print labels, the University must have a written contract in place with the other party. The contract must stipulate that the third party may act only on the Universitys instructions, and must provide for appropriate security measures to prevent unauthorised disclosure. The external organisation should be registered with the Information Commissioner in relation to Data Protection.

Academic Research - Questionnaires/Surveys

Staff undertaking academic research or projects who wish to distribute Questionnaires or ask staff to partake in Questionnaires or surveys should be aware that use of University held personnel records for such purposes contravenes Principle Two of the Data Protection Act. Such use of data is not covered by the University's data processing Registration with the Information Commissioner.

Alternative means of distribution should be used, such as leaving the questionnaires in key areas.