Canterbury Christ Church University Data Protection Guidelines for Schools These guidelines are aimed at staff working in Schools, and apply to all staff, whether academics, administrators, secretarial or support staff and temporary workers, who regularly handle personal information relating to students. The Data Protection Act 1998 (‘the Act’) covers all personal data, so it is important for all members of staff to be aware of the requirements of the Act and the obligations placed on them. Information Held It is likely Schools hold standard information such as students' names and contact details, information about class attendance, and marks or grades achieved. It is also likely sensitive information such as medical notes, information relating to medical conditions or disabilities will be held; this information constitutes sensitive personal data. All data must be stored and used in accordance with the Act. This means the information must be accurate, kept up-to-date and held securely. School Student Files 1. Content Information held in student files is potentially disclosable to the student concerned. This includes comments about the standard of the student's work or behaviour. When writing and filing notes, reports or comments staff must be aware that the information may be disclosed, and do not write or record any comments that cannot be justified or are potentially insulting or defamatory. 2. Accuracy Files need keeping up-to-date. Changes to addresses or other contact details, along with details of the students study need changing both on paper files and on any database held, including QLS. It is an obligation on Schools to undertake such checks of the central database required by the Academic Registrar. 3. Relevance Schools should only retain relevant and necessary information on student files. Files need weeding regularly to ensure the removing of duplicated materials and irrelevant documents; this should be undertaken periodically. 4. Retention Periods Guidelines for Schools July 2015 Page 1 When a student leaves the University, including completions and withdrawals, the School should close the student file, and indicate on the file that it is closed. Student files may systematically and thoroughly weeded to remove all records that are of no further use. Schools should retain the weeded student files for no more than the retention period set by the department. 5. Security Student files need holding securely, for example, in a locked office or filing cabinet or in an office that is continuously manned. Files should not be left open on desks or in areas where visitors or other students can view them. Information held on computer should be password-protected and screens sited so that they cannot be seen by passers-by. Where a memory stick is used to transport data, it should be encrypted and so password protected. Handling Enquiries for personal information Wherever possible, be open with students in relation to information held about them. If a student wishes to make a formal subject access request under Act, you should refer them to the University Data Protection Officer. If you are asked to disclose information about a student to someone else, either within or outside the University, you must not do so without the student's consent, except in a few situations. Even parents, spouses, friends, partners or sponsors are not entitled to information without the student's consent. However, information can be legitimately disclosed to third parties for purposes connected with a student's studies and to meet statutory requirements, e.g. HEFCE, Council Tax Offices, auditors and Research Councils, provided the University is satisfied about the enquirer's identity and the legitimacy of the request. In case of doubt, it is advisable to check with the Data Protection Officer or your line manager. From time to time, the University receives requests for information from bodies such as the police. The University endeavours to co-operate with such requests, but steps need taking to ensure requests are genuine and legitimate. The police have a standard form they should use in connection with any requests for personal information. The Data Protection Officer is able to provide advice, and it is prudent to make contact before any personal information is disclosed in response to such a request. There may also be occasions where personal information needs disclosing in an emergency, e.g. where a student or staff member has been injured or taken ill. In such a situation, if necessary, personal information can be disclosed without consent. For example, if a student collapses and is unconscious it would be permissible to inform medical staff that the student suffers from diabetes. There is no difficulty supplying personal information about students to other staff members of the University who legitimately require the information to carry out their normal duties. Project and Research Supervisors Academics involved in supervising students whose work uses personal information should ensure the students are aware of the requirements of the Data Protection Act. In particular, the consent of the subjects of the research needs obtaining, and all personal information received needs holding confidentially and securely. Results need anonymising, and should not identify individual participants in the research. Guidelines for Schools July 2015 Page 2 Academic Research Staff, and, where relevant, students, undertaking research using personal information collected from third parties will be covered by the University’s Data Protection Notification. However, the data protection principles still apply. In carrying out research, it is important to make the subjects of the research fully aware of the proposed use of their personal information. Wherever possible, it is advisable to anonymise research data before use. Results should also be anonymised and no information should be published that would allow participants to be identified. Researchers are required to keep all personal information secure and ensure access is restricted only to those staff or students directly involved in the research. For further information, see Data Protection in Research. Examination Marks Students are not entitled to see their examination scripts or assessed coursework after submission. A student who makes a request, under the Act, may see details of any comments made by the examiner, including any Board of Examiners minute relating to the student. All examiners need to be aware of this. Examination marks are published according the Registry schedule, and the Act cannot be used to obtain access to marks any earlier than their publication date. It is the University’s practice not to publish examination results on notice boards, but to inform students personally of those results. However, student results may be published in the programmes for degree ceremonies, subject to the student providing consent. For further information, see the Assessment Procedures Manual. Academic References The Act includes specific rules about references. The writer of a reference may stipulate it is confidential and need not show it to the individual about whom it is written. However, once the reference is received, the subject of the reference may apply to the recipient for a copy. The recipient will have to balance any issues of confidentiality and any refusal of consent by the referee against the rights of the subject of the reference. In many cases, the reference will be made available. Therefore, anyone preparing a reference should bear in mind that the person who is the subject of it might see it. Writers of references should ensure that their references are accurate and any opinions expressed based on factual evidence. These principles also apply to internal references, reports and assessments for promotion and re-grading. The University takes the view it is good practice for personal references to be of an ‘open’ nature. Specific advice on confidential references is provided by the Director of Personnel (concerning members of staff) and by the Director of Student Services (concerning students). It is essential to take full account of this advice. For further details see University Policy Statement and Guidelines for Providing References for Students. Home Working Guidelines for Schools July 2015 Page 3 When working away from the University either at home or at another location, it is important to maintain the security of personal information. Special care needs taking when transporting personal information, for example, paper files, floppy disks and data sticks should be carried securely, and not left unattended in any public place. Where a data stick is used, it should be encrypted so that it is password protected. Personal information should not be transferred to home computers unless appropriate security, such as password protection, is in place. File Keeping and Personal or Private Files Generally, documents that may need to be referred to carry out normal School business should be kept centrally on a single file. The case for a member of staff such as a personal tutor holding separate files can only be justified if it is in the interests of the student, e.g. where the information is particularly sensitive. Private files should not be kept, as it is important for efficient record keeping that files are kept in the appropriate place in the department office to ensure proper practice and to avoid duplication or fragmentation. The subject access provisions apply to "private" files in the same way as to any other records and if a student or member of staff requests access to information held about them this will cover all records held and not just the main School file. If it has been necessary for a tutor to maintain an additional or separate file of material relating to an individual student, or group of students, for the duration of a programme of study, it is important such files are thoroughly weeded after the student or students leave. Any material needed for the completion of student references needs combining with the relevant central School student file. Storing selected work-related student records containing personal data at home does not exempt them from the subject's right of access to those records. Guidelines for Schools July 2015 Page 4