Data Protection Guidance: Confidentiality
1. The University holds a large amount of personal data about its students and should respect
students’ right to confidentiality. The University’s obligations regarding confidentiality are
shaped by the Data Protection Act, the Disability Discrimination Act and the Human Rights Act.
It is University policy not to disclose any personal data to third parties (including parents)
outside the University without consent of the individual, unless there is a legal obligation or in
exceptional circumstances.
2. Personal data, excluding sensitive data (see 3) can be transferred internally to relevant
employees of the University if there is an operational need to know. However, this does not
mean that all data regarding that individual should be transferred, only what is necessary for
operational needs.
3. The Data Protection Act 1998 recognises that some personal data is more sensitive and thus
enforces stricter conditions on the processing of Sensitive Personal Data. Sensitive Personal
data consists of information regarding racial or ethnic origin, political opinions, religious beliefs,
membership of trade unions, physical or mental health, sexual orientation, the commission or
alleged commission of any offence and proceedings for any offence committed or alleged to
have been committed.
4. When discussing sensitive personal data with a student it is important to discuss the issue of
confidentiality. Sensitive data should only be disclosed (within and outside of the University)
with the explicit consent of an individual. Although the Data Protection Act does not define
‘explicit consent’ it is advised that wherever possible the consent is written and in all cases a
record of the conversation is made. There are often good reasons why disclosing sensitive
information to colleagues is in the best interests of the student; however this is not reason to
disclose it, and it should only be released with the students consent.
5. Where a student refuses consent to release sensitive information, it is important to ensure that
the student is aware of the implications of their decision and that their decision is clearly
documented. In many cases before any disclosure is made it can be helpful to have a
hypothetical conversation with colleagues. Through the use of ‘what if…’ conversations you can
gain advice from colleagues on the best way to proceed without disclosing any personal
information of an individual.
6. In all cases any disclosure of sensitive data should only be shared on a need to know basis.
7. In some cases a student may wish to share something with you in absolute confidence, staff
should be wary of agreeing to this, and should explain the circumstances where this
commitment cannot by made, this would include situations where individuals may be at risk,
criminal offences etc.
8. The disclosure of sensitive personal data within references should be avoided.
9. There are separate rules regulating the use and disclosure of medical records by medical
professional and University services such as Counselling will adhere to their own confidentiality
policies. However, student files held may sometimes contain medical records such as doctors
notes, this information is sensitive and should be treated as confidential, suggested methods of
storage include storage in a file separate to the student file so that access is restricted to School
Administrators, inclusion in the student file in a sealed envelope.
10.
Some vocational courses such as teaching, medicine or radiography also have their own
professional practice guidelines in relation to confidentiality and fitness to practice where
applicable these should be followed.